UK ICO and French CNIL Increase Activity Around Cookies and Consent Practices

Perhaps the only thing higher than temperatures this summer in the European Union is the level of regulatory attention being paid to data-driven advertising and website cookie practices (including similar tracking technologies within mobile applications and other non-browser environments, collectively referred to here as “cookies”). This TrustArc blog post summarizes the major announcements and publications regulators have issued over the last few weeks, including what is expected to follow–and how TrustArc helps.

UK ICO Report on Ad Tech, RTB and Privacy. First, the United Kingdom’s Information Commissioner’s Office (ICO) released on June 20th an “Update Report Into Adtech and Real Time Bidding,” which concluded that advertising technology-related entities and those involved in real time bidding (RTB) should reassess their privacy notices, lawful processing bases, and personal data uses and sharing in light of the GDPR, as many have not to this point. The ICO is in the midst of evaluating practices within the advertising industry, in keeping with the view announced in its 2018-2021 Technology Strategy that web and cross-device tracking is one of its three “priority areas” for the current period.  The report’s findings:

  • pointed out deficiencies in publishers’ transparency practices, such as not specifically naming third party recipients of personal data collected on the basis of consent; 
  • adjudged that “special categories” of personal data included in targeted programmatic auction bid requests (e.g., inferred ethnic, health, sexual orientation or political audience segments associated with specific cookie or other unique identifiers bid on by advertisers) are regularly being processed unlawfully by ad tech companies due to failure to obtain explicit consent from data subjects; 
  • clarified that consent–rather than legitimate interests–is not only required for the placement or accessing of cookies or similar tracking technologies on an end user’s device (under the U.K.’s PECR rules implementing the EU’s “ePrivacy” Directive), but is also generally the appropriate lawful processing basis for the real-time bidding transactions that underpin the programmatic auctions between buyers and sellers of ad spaces for targeted advertising; and
  • noted that “the ICO has published [pursuant to GDPR Article 35(4)] a list of processing operations likely to result in…high risk, for which [Data Protection Impact Assessments] are mandatory, [and] RTB matches a number of examples on this list,” resulting in the conclusion that RTB-involved “organizations are therefore legally required to perform DPIAs.”

The ICO’s report identified areas where it has concerns and expects to see changes, but it also articulated a recognition that the ad tech sector is “an extremely complex environment” that does not change overnight.  With this in mind, the ICO indicated that it seeks to “take a measured and iterative approach, before undertaking a further industry review in six months’ time.”  

>> Download TrustArc Cookie Consent Privacy Advisory now for free!

CNIL’s Change of Consent Interpretation and Timeline. Next, the French privacy regulator, the CNIL, announced on June 28th that in light of a rise in complaints and requests related to online marketing, it has devised an action plan for the next year making “targeted online advertising a priority topic for 2019.” Part of this plan will be the release this month of new guidelines that will rescind the CNIL’s 2013 interpretation that continued navigation of a website could be understood as an expression of an end user’s consent to the placement of website cookies or similar tracking technologies. The CNIL indicated that it will give stakeholders a transitional period of 12 months during which “scrolling down, browsing or swiping through a website or application will still be considered by the CNIL as acceptable.” Still, the CNIL will regularly investigate matters of transparency, withdrawal of consent, security obligations and more, including instances when cookies are impermissibly set before consent is collected for ePrivacy purposes. The CNIL’s calendar lists its tentative schedule for cookie-related matters as follows:

  • May – June 2019: Update of the CNIL standards to align with the GDPR (i.e., update of the CNIL’s 2013 interpretation of consent for cookies);
  • June – Sept 2019: Stakeholder working group to test the operational consistency of the guidelines;
  • November 2019: Results of work
  • End of 2019 – Early 2020: Publication of new guidelines for cookies
  • June – July 2020: End of the grace period, entities must comply with the rules of the new guidelines.

UK ICO’s New Guidance on Cookies. On July 3rd, the ICO regulator announced that it had published new, detailed guidance covering the use of cookies and similar tracking technologies on websites and other terminal equipment. The ICO’s guidance is intended to facilitate compliance with the Privacy and Electronic Communications Regulations (PECR, the U.K.’s transposition into local law of the EU’s “ePrivacy” Directive) and the GDPR, firstly setting forth the distinctions and relationship between those legal regimes, and further providing context and nuance around cookies, consent and transparency.

Cookie Consent and Transparency. The ICO’s guidance confirms that if using cookies, the operator of an online service must inform users of what cookies will be set, explain what the cookies do, and obtain consent to storing cookies on a device before doing so. Moreover, if using any third party cookies, the operator must clearly and specifically name who the third parties are and explain what they will do with the information. Exempted from these requirements are cookies needed to transmit a communication over an electronic communications network, as well as cookies that are “strictly necessary” to provide a service or site requested by the user. 

Lawful Processing Basis. Whereas PECR addresses the storing or accessing of information on users’ browsers and devices by requiring consent as a prerequisite to doing so, the GDPR (and its six possible lawful processing bases under Article 6) governs the processing of any personal data gained from cookies. In its guidance, the ICO recognizes that “it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies,” but separately states that, “trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users.” 

The regulator also noted that any data processing involving analyzing or predicting preferences or behavior, or tracking and profiling for direct marketing and advertising purposes, will in most cases require consent as the lawful processing basis. Also confirmed is that “consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices,” although the ICO concedes that the setting of a first party analytics cookie “results in a low level of intrusiveness and low risk of harm to individuals,” and that “it is unlikely that priority for any formal action would be given” to such instances.

Cookie Audits and Banners. The ICO also emphasizes the utility of performing comprehensive “cookie audits” to detail what cookies are being used on a site and to discern which of them comprise “strictly necessary” first and third party cookies versus those which do not. The guidance likewise addresses forms of notice and means of consent, including prominently displayed cookie banners that provide clear information about cookies and user control options to allow or disallow those that are non-essential. 

It further notes that the blanket use of “cookie walls,” which require users to agree or accept the setting of non-strictly necessary cookies before the user can access the rest of the site’s content, will generally amount to invalid consent because the user lacks a genuine choice other than to acquiesce in order to use the site. Lastly, the ICO declined to specify how often consent should be obtained from users, noting that this is dependent on a number of factors such as frequency of visitors or updates of content or functionality. 

How TrustArc Helps

TrustArc offers the leading technology solutions in the cookie consent space with our  Website Monitoring Manager and Cookie Consent Manager

For product demonstrations or more information on how we can help your organization, contact TrustArc today!

Update: EU-U.S. Data Transfer Mechanisms Legal Challenges

As previously described on the TrustArc Blog (“ Privacy Shield Approaching Its 3 Year Anniversary”, the European Union (EU)-U.S. Privacy Shield Framework has received two successive annual approvals from the European Commission (EC) since its July 2016 adoption, and currently serves as an EU-to-U.S. personal data transfer mechanism for more than 4,700 U.S. organizations.

Separately, pre-approved standard contractual clauses (SCCs), the most recent version of which was issued in 2010, are also recognized by the EC as valid transfer mechanisms to non-European Economic Area “third countries.” On June 13th, the European Commissioner for Justice and Consumers confirmed in a speech that SCCs are in the process of being updated for the post-GDPR world: “We are already working to modernise standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.”

This update to SCCs is occurring concurrently with a legal action challenging the validity of SCCs as a transfer mechanism to the United States, in a case brought against Facebook Ireland by Austrian privacy advocate Maximillian Schrems. The case, dubbed Schrems II?—following the 2015 decision of the European Court of Justice (ECJ) that resulted in the invalidation of the EU-U.S. Safe Harbor Agreement on grounds that it did not provide EU citizens with protections “essentially equivalent” to that of the EU due to U.S. intelligence agencies’ surveillance practices, and thus that any EU-to-U.S. personal data transfers made on that basis were not legal–proceeds to oral arguments before the ECJ on July 9th. In this case, the Irish High Court has referred eleven questions to the ECJ relating to whether entering into SCCs, by itself, provides an adequate level of data protection for EU personal data transferred to the U.S. The Irish Supreme Court recently dismissed Facebook’s appeal of the Irish High Court’s decision to refer these items to the ECJ.

Meanwhile, the EU-U.S. Privacy Shield Framework is similarly undergoing a legal challenge on grounds that the United States does not adequately protect EU citizens’ personal data by virtue of U.S. intelligence agencies’ activities. The case, brought by three French non-governmental organizations, seeks to revoke Privacy Shield as a valid EU-to-U.S. personal data transfer mechanism as occurred with Safe Harbor in Schrems I. On July 1-2, the NGOs will argue before the General Court of the EU that Privacy Shield is not “essentially equivalent” to EU data protection law, even if it is more protective than Safe Harbor was. The losing party in this matter could then appeal to the ECJ for a final determination.

Decisions in both matters are expected within a year or less. It is unclear what effect, if any, the entry into force of new European Commission-approved SCCs would have on the ripeness of the case if introduced prior of the ECJ’s Schrems II ruling. Moreover, in the event the ECJ were to eventually invalidate both SCCs and Privacy Shield–the latter of which was specifically drafted by EU and U.S. officials to withstand judicial scrutiny—it is uncertain what course of action most organizations–small and medium-sized enterprises in particular—would undertake to effectuate their data transfers. With binding corporate rules (BCRs) and reliance on derogations such as explicit consent for cross-border data transfers being expensive, time-consuming or disfavored options for many businesses, it remains to be seen what effect on digital commerce such legal actions would have in practice (including with respect to data transfers to the U.K., in the event of an eventual “Brexit”). TrustArc will continue to follow developments closely and will provide regular updates.

This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform. To learn how you can get full access to the daily newsfeed, contact us today!

Upcoming Webinar: What New U.S. State Privacy Laws Mean for your Business


TrustArc is proud to present the next Privacy Insight Series webinar “What New U.S. State Privacy Laws Mean for your Business” with TrustArc Principal Consultant and Director EMEA Ray Everett and Internet Law Center Founder Bennet Kelley.

This webinar will take place on Tuesday, June 11th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about how U.S. state privacy laws will impact your business – register today!

While the focus over the past two years has been around global privacy regulations such as the EU GDPR regulation, individual US states have been proposing — and enacting — a number of privacy-impacting laws that may affect your company in new and challenging ways. From the comprehensive California Consumer Privacy Act (CCPA) to the revisions in data breach laws in Colorado, Oregon and Vermont, it can be difficult to track these changes, and even more difficult to build a compliance program with the flexibility to adapt to the constantly changing environment.

This webinar will provide:

  • An overview of major new U.S. state privacy laws and important pending legislation
  • An update on the discussions and atmospherics around a comprehensive US privacy law
  • Recommendations on incorporating U.S. state privacy law compliance into a global privacy risk management program

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar.

TrustArc publishes a broad range of privacy educational resources, including research reports, benchmark statistics, solutions briefs, product updates, webinars, workshops and much more. Check out the following resources on hot topics including CCPA, GDPR, Vendor Risk Management, DSAR Best Practices, Cookie Consent, and much more. Register for the free TrustArc Privacy Insight Series subscription and find out why over 20,000 privacy professionals per year take advantage of TrustArc privacy education resources.

Privacy Shield Approaching Its 3 Year Anniversary in Operation


With data protection-related activity bustling around the world–from “Brexit” and GDPR enforcement to the approaching CCPA and exciting developments in the APAC region–it’s understandable to lose track of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

What follows are responses to the most frequent Privacy Shield inquiries TrustArc is hearing from our customers.

Is Privacy Shield Still Valid?

Yes – in fact, Privacy Shield is fast approaching its three year anniversary on July 12th. Since its 2016 adoption, Privacy Shield has remained a sound, scalable and steady legal transfer mechanism for U.S. entities seeking to receive personal data from the EU and/or Switzerland (with two successive approvals from the European Commission’s annual review process).

What Happened with the Earlier EU Parliament Rumblings and the Successful Annual Reviews?

While the EU Parliament had indicated concerns with the Privacy Shield arrangement–the Parliament actually does not have the authority to determine the adequacy of the Privacy Shield program. This authority is reserved exclusively for the European Commission (EC).

In July of last year the EC’s Justice Commissioner stated that a Parliament-requested suspension was “not warranted,” and further indicated that Privacy Shield is of “vital importance” to commerce and has “vigorous data protection requirements.”

Moreover, in its December 2018 report to the European Parliament and Council, the EC concluded that “the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield,” while further noting the improvements to Privacy Shield’s functioning since its previous annual review, along with steps it will continue to monitor.

Did the GDPR Replace Privacy Shield?

No – personal data transfers outside of the European Economic Area (EEA) are a key component of GDPR and Privacy Shield provides a way for U.S. organizations to address this, as Privacy Shield represents the European Commission’s determination that the United States provides an acceptable level of data protection essentially equivalent to that of the EU.

Would Brexit Invalidate Privacy Shield?

No – with the deadline for the United Kingdom to exit the European Union having been extended to October 31st, EU law will remain applicable in the U.K. until such an exit takes place–with Privacy Shield continuing to apply to U.K. personal data as it always has.

In the event the U.K. does leave, two scenarios are possible for Privacy Shield participants, as the U.S. Department of Commerce has addressed in a set of FAQs. Either an existing “transition period” will be agreed upon by the U.K. and EU, during which EU data protection law (and Privacy Shield) will continue to apply; or, in the event of a “no-transition period” immediate exit, Privacy Shield participants will need to update their privacy notice(s) to include reference to also relying on Privacy Shield for transfers from the U.K.  Regardless of which scenario may ultimately play out, the status of the EU-U.S. Privacy Shield Framework will remain unchanged.

Lastly, where a participant had selected the EU Data Protection Authority panel for dispute resolution purposes, in the event of an exit, the organization would have to instead cooperate with the U.K. ICO for U.K. residents’ complaints.

What Does It Mean that Standard Contractual Clauses Are Being Challenged in Court?

Pre-approved model or standard contractual clauses (SCCs), the existing versions of which pre-date the GDPR, are also recognized under GDPR as a valid data transfer mechanism to non-EEA “third countries.”  According to the U.K. ICO, the European Commission plans to update the existing SCCs for GDPR alignment, but until such amendment or replacement the existing SCCs remain in force and usable.  However, the validity of current SCCs as a transfer mechanism to the U.S. is currently being challenged in the European Court of Justice in a case brought by Austrian privacy advocate Maximilian Schrems.

The eventual conclusions around questions considered by the Court theoretically could invalidate SCCs as a EU-to-U.S. data transfer mechanism, and could also impact the status of the Privacy Shield Framework.

However, most critically, the Privacy Shield Framework itself was developed in direct response to the requirements outlined by the European Court of Justice in response to a previous case brought by Schrems which invalidated the Safe Harbor program.  Compliance with these new requirements was assessed and approved by the European Commission as a condition of its successful adequacy determination, which as noted earlier, has been reaffirmed in two successive reviews by the Commission.

Are There Differences Between Privacy Shield and SCCs?

Yes — whereas Standard Contractual Clauses (SCCs) are transactional-based and apply only as-between the specific parties signing them, an organization’s Privacy Shield self-certification is applicable to the receipt of any EU/Swiss personal data flows.  This can save time and cost for businesses (especially for SMEs and start-ups). Privacy Shield also affords individuals an independent recourse mechanism, which is beneficial for consumers, partners and employees.

In light of the above, Privacy Shield continues its status as a Commission-supported option for U.S. businesses seeking an established, cost-effective, scalable and agile means of protecting and receiving personal data from the EU and Switzerland.

For further information, including how your company can undertake a formal verification of its privacy program against the Privacy Shield Frameworks’ Principles, contact TrustArc today.


Upcoming Webinar: 10 Steps to CCPA Compliance – Building and Implementing a CCPA Privacy Program


TrustArc is proud to present the next Privacy Insight Series webinar “10 Steps to CCPA Compliance – Building and Implementing a CCPA Privacy Program” with WilmerHale Partner / Big Data Practice Co-Chair Reed Freeman and TrustArc Senior Privacy Consultant Janalyn Schreiber, CIPM, CISSP. This webinar will take place on Wednesday, April 17th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about the California Consumer Privacy Act (CCPA) – register today!

The CCPA is set to be the toughest privacy law in the United States and a trailblazer for future state and potentially federal legislation. The Act expands the rights of consumers and requires businesses falling within its scope to be significantly more transparent about how they collect, use, and disclose personal information. Any business in scope are required to enhance their data management practices, expand their individual rights processes, and update their privacy policies by the January 1, 2020 deadline – which is less than 9 months away!.

This webinar will review:

  • 10 step plan to reach CCPA compliance by the end of the year
  • Key CCPA areas still under discussion and feedback from open forums
  • How CCPA enforcement will work; private action and regulator enforcement

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar! Click here for answers to the most commonly asked webinar related questions.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 20,000 privacy professionals registered for our events in 2018!

Learn more about TrustArc CCPA compliance solutions here

Understand and Mitigate Your Vendor Privacy Risks


While working with vendors and third parties is an inherent part of doing business and they provide tremendous value and opportunity – vendors also present significant risks. These risks are of growing concern, particularly when it comes to data privacy and security. Forrester states, “The repercussions of security incidents across the value chain, as well as the EU General Data Protection Regulation’s (GDPR’s) more stringent compliance requirements, make managing third-party risk a top priority for S&R [security and risk] pros.1

And you don’t have to look far to find examples in the news of data breaches that vendors caused. Forrester research also found, as shown in the below Figure 1, that third-party attack or incident caused 21% of confirmed security breaches in 2018.2


Additionally, the cost of data breaches is estimated by Ponemon to be between $750,000 and $35 million3 with the global average cost in 2018 at $3.86 million and increasing each year.4 On top of the monetary costs for fines related to a breach, it’s important to consider other critical factors in calculating the true cost of a breach. For example, these may include damage to the company’s brand, loss of trust with customers and potential lawsuits and regulatory actions following breaches.

In addition, privacy laws and regulations have specific provisions that address vendors and extend companies’ data privacy obligations throughout their supply chains. Whether you are focused on GDPR, the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), EU Privacy Shield or a combination of different frameworks, one of the most important components of your privacy and security risk management program is to understand how your vendors are handling your data and whether they too can maintain compliance.

The privacy experts at TrustArc recommend that you expand your vendor management approach to address privacy and security. It’s important that your vendors:

  • Demonstrate privacy and data protection awareness from the beginning of the relationship
  • Complete privacy and security assessments
  • Comply with regulatory and internal privacy and security governance
  • Implement and maintain terms of a Data Processing Agreement (DPA)

In addition, the TrustArc Vendor Risk Management solution provides a centralized place and method to collect, maintain and track critical data for ongoing vendor management. The solution, powered by the TrustArc Platform, enables companies to assess vendors, evaluate and monitor vendor risk, track vendor status and report on key compliance metrics. Our experienced privacy consultants are available to help you understand your regulatory environment and risks; design your vendor management program; define your risk scoring model and vendor prioritization; develop policies and procedures and more.

To learn more about how to minimize vendor risk, vendor management best practices and how to build a successful vendor management program read our Vendor Risk Management Guide.

To learn more about the TrustArc Vendor Risk Management solution, visit

[1] Manage Third-Party Risk to Achieve and Maintain GDPR Compliance. Forrester. April 2018.

[2] The State Of Data Security And Privacy: 2018 To 2019. Forrester. December 2018.

[3] Royal, K. Third-Party Vendor Management Means Managing Your own Risk.

[4] Shepard, Sydny. The Average Cost of a Data Breach. Security Today. July 17, 2018.