Last week partner Adam Rose was mentioned in The Telegraph in an article highlighting that the ICO's own website does not conform to GDPR.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) were the UK implementation of a European directive on the processing of personal data and the protection of privacy in the electronic communications sector (for data protection practitioners’ purposes their main effect is to legislate regarding the use of cookies and similar tools, and regarding the sending of electronic direct marketing). In 2011 the PECR regulations were amended (to implement another European directive).
The key amendment was regarding cookies - the law was changed so that, contrary to the previous position, a website provider could only place a “non-essential” cookie on one’s device if the recipient had consented to its placing (an “opt in”, if you will - where previously an “opt out” had applied). "Consent" here, takes its definition from the General Data Protection Regulation ("GDPR"), which states that it is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
The Information Commissioner's Office (ICO), which is responsible for enforcing PECR (and GDPR), has guidance, regarding consent, which says that "[one] may not rely on silence [or] inactivity...or seek to take advantage of inertia" and that "[clear] affirmative action means someone must take deliberate and specific action to opt in or agree to the processing...all consent must be opt-in consent, ie a positive action or indication – there is no such thing as ‘opt-out consent’".
In correspondence seen by this firm, an interested third party decided to test the ICO's own use of cookies, arguing to them that,
"Your own website (ico.org.uk), however, places at least four cookies (Universal Analytics (Google)) which are not strictly necessary, and it does so, or at least claims to do so, before a visitor has had the chance to consent (your cookie notice says "we have placed cookies on your device to help make this website better" (emphasis added)). Furthermore, the placing takes place as a result of the visitor's inactivity and inertia. A visitor cannot be said to consent, according to GDPR's definition and your own guidance, because she does not take deliberate and specific action to opt in or agree to the placing."
The ICO appears to agree with this analysis, because they responded acknowledging, "that the current cookies consent notice on our website doesn’t meet the required GDPR standard. We are currently in the process of updating this to align our use of cookies to the GDPR standard of consent and we will be making amendments to this information during the week commencing 24 June 2019…"
The ICO reassured the party that they are taking "immediate steps" to address the issue. The rules regarding cookies are not straightforward, and many fail to follow them, but it is still rather remarkable that the regulator itself, and by its own admission, has also failed to do so.
(The ICO has now amended its cookie policy to bring it into line with GDPR and cookie law)