Data reform: Cookies and direct marketing

This is our sixth post on how the Government’s proposed Data Protection and Digital Information (No. 2) Bill (the Bill) would affect data controllers. This update will focus on some of the key amendments the Bill would make to the Privacy and Electronic Communications Regulations 2003 (the Regulations).

In this series so far, we have considered the amendments the Bill makes to the UK GDPR and the Data Protection Act 2018, but the Bill also makes changes to the Regulations, which set out additional rules about the use of cookies and direct marketing.

Cookies

The Regulations currently state that a person supplying an ‘information society service’ must obtain a service user’s consent before storing or accessing information on the user’s terminal equipment, unless the storage or access is strictly necessary to provide a service at the request of the user. ‘Information society services’ include websites, apps, and software subscription services.

The Regulations require website and app providers to ask for users’ consent before placing cookies on their devices, unless the cookies are strictly necessary. The restriction covers other sorts of technologies as well, such as tracking pixels, but we will refer to ‘cookies’ as shorthand for those technologies.

The Bill introduces several new exemptions that information society service providers could rely on to dispense with opt-in consent:

• The first exemption applies where cookies are used solely for the purpose of collecting information for statistical purposes with a view to making improvements to a service or website.This exception is designed to cover cookies that are used to analyse how many people are accessing a service, what they are clicking on, and how long they are staying on a particular web page. These sorts of cookies are commonly referred to as ‘analytics cookies’ in website cookie policies.
• The second exemption is for cookies that are used solely to enable a website to adapt the way it appears or functions depending on the preferences of the user or to enable enhancements to appearance or functionality when a website is accessed by a particular device. For example, this exemption would cover cookies used to enable a website to reconfigure itself to fit the dimensions of the screen it is viewed on.This exemption is aimed at the sorts of cookies usually described as ‘functional cookies’ in website cookie policies.
• The third exemption is for software security updates, which can now be pushed out to users without their opt-in consent, so long as certain conditions are met regarding the update.

Each exemption will only apply if the user is given clear and comprehensive information about the purpose of storage and access and a simple means of opting out. That means website operators will still need to document their use of those sorts of cookies in a cookie policy and will still need an automated method of enabling a user to opt out.

There is also an exemption for the use of geolocation technology in services used for emergency assistance, but this will not be relevant to most website and app providers.

In addition to the exemptions above, the Bill provides illustrative examples of when cookies will be ‘strictly necessary’. The examples provided reflect the ICO’s current guidance; this should therefore be seen as a codification of the regulator’s current stance.

Direct Marketing

The Regulations also govern electronic direct marketing. The Bill makes a narrow but important amendment to the Regulations in relation to charities, political parties, and other non-commercial organisations.

The Regulations state that a person must not send direct electronic marketing to an individual subscriber (broadly speaking, this means an individual using their own email account or phone number) unless that individual has consented to receive the marketing. Since the introduction of the GDPR in May 2018, this has meant the sender must have obtained opt-in consent.

The only exception to this rule has been the so-called ‘soft opt-in’, which permits direct marketing on an opt-out basis if certain conditions are met. Until now, the ‘soft opt-in’ exception could only be used by organisations selling goods or services, which precluded charities and political parties from relying on the ‘soft opt-in’ to promote their campaigns.

The Bill addresses this gap by permitting direct electronic marketing without opt-in consent where:

• The marketing is solely for the purpose of furthering a charitable, political, or other non-commercial objective;
• The person responsible for the marketing obtained the recipient’s contact details in the course of the recipient expressing an interest in, offering, or providing support for furthering that objective or a similar objective; and
• The recipients were given a simple way of opting out of the marketing when their details were collected, and in every subsequent communication, the recipient has not opted out.

This means, for example, that the changes proposed under the Bill would enable a charity collecting contact details when receiving a donation to present an opt-out, rather than an opt-in, to the donor for direct electronic marketing. This may not seem like a big change on the face of it, but there is anecdotal evidence that back in 2018, the move to all opt-in for direct electronic marketing resulted in reduced marketing lists for some charities, so some fundraising teams may be keen to see whether an opt-out model expands their audience.

Enforcement and penalties

Organisations intending to rely on the new exemptions regarding electronic direct marketing will need to make sure they understand them and apply them carefully. The Bill emphasises the importance of proper compliance, bringing the financial penalties for breaches of the Regulations in line with the penalties for breaches of the UK GDPR. The maximum penalty for breaches of the rules on direct marketing under the new Bill would be £17.5 million or 4% of the guilty party’s total annual worldwide turnover, whichever is higher.

The Bill makes a variety of other adjustments to the enforcement regime, but the change that most organisations will need to consider is the new requirement to maintain a process for dealing with data protection complaints. The Bill will create a new right for a data subject to make a complaint to the data controller if the data subject believes that the controller has infringed the UK GDPR. The Bill also creates a new duty for the data controller to facilitate such complaints, acknowledge receipt within 30 days, and take ‘appropriate steps’ to respond to the complaint ‘without undue delay’. It is worth noting that the creation of the right to complain is not the same thing as the right to receive a remedy for the complaint.

Key Takeaways

• Organisations should consider whether any of their cookie-related activities could be exempt from the requirement for opt-in consent. If an organisation can rely on one of the exemptions, consider whether adjusting the cookie consent system would be beneficial. In practice, organisations will need to document the use of all cookies in a cookie policy.
• The proposed changes to the rules on direct marketing should be of particular interest to charities, political parties, and other non-commercial organisations. Organisations should consider whether they would benefit from changing to the ‘soft opt-in’ approach (where permitted).

To access the full catalogue of articles in our series on how the Government’s proposed Data Protection and Digital Information (No. 2) Bill (the Bill) would affect data controllers, visit our Data Reform: How could the upcoming changes affect your business? homepage.