UK ICO and French CNIL Increase Activity Around Cookies and Consent Practices

Perhaps the only thing higher than temperatures this summer in the European Union is the level of regulatory attention being paid to data-driven advertising and website cookie practices (including similar tracking technologies within mobile applications and other non-browser environments, collectively referred to here as “cookies”). This TrustArc blog post summarizes the major announcements and publications regulators have issued over the last few weeks, including what is expected to follow–and how TrustArc helps.

UK ICO Report on Ad Tech, RTB and Privacy. First, the United Kingdom’s Information Commissioner’s Office (ICO) released on June 20th an “Update Report Into Adtech and Real Time Bidding,” which concluded that advertising technology-related entities and those involved in real time bidding (RTB) should reassess their privacy notices, lawful processing bases, and personal data uses and sharing in light of the GDPR, as many have not to this point. The ICO is in the midst of evaluating practices within the advertising industry, in keeping with the view announced in its 2018-2021 Technology Strategy that web and cross-device tracking is one of its three “priority areas” for the current period.  The report’s findings:

  • pointed out deficiencies in publishers’ transparency practices, such as not specifically naming third party recipients of personal data collected on the basis of consent; 
  • adjudged that “special categories” of personal data included in targeted programmatic auction bid requests (e.g., inferred ethnic, health, sexual orientation or political audience segments associated with specific cookie or other unique identifiers bid on by advertisers) are regularly being processed unlawfully by ad tech companies due to failure to obtain explicit consent from data subjects; 
  • clarified that consent–rather than legitimate interests–is not only required for the placement or accessing of cookies or similar tracking technologies on an end user’s device (under the U.K.’s PECR rules implementing the EU’s “ePrivacy” Directive), but is also generally the appropriate lawful processing basis for the real-time bidding transactions that underpin the programmatic auctions between buyers and sellers of ad spaces for targeted advertising; and
  • noted that “the ICO has published [pursuant to GDPR Article 35(4)] a list of processing operations likely to result in…high risk, for which [Data Protection Impact Assessments] are mandatory, [and] RTB matches a number of examples on this list,” resulting in the conclusion that RTB-involved “organizations are therefore legally required to perform DPIAs.”

The ICO’s report identified areas where it has concerns and expects to see changes, but it also articulated a recognition that the ad tech sector is “an extremely complex environment” that does not change overnight.  With this in mind, the ICO indicated that it seeks to “take a measured and iterative approach, before undertaking a further industry review in six months’ time.”  


CNIL’s Change of Consent Interpretation and Timeline. Next, the French privacy regulator, the CNIL, announced on June 28th that in light of a rise in complaints and requests related to online marketing, it has devised an action plan for the next year making “targeted online advertising a priority topic for 2019.” Part of this plan will be the release this month of new guidelines that will rescind the CNIL’s 2013 interpretation that continued navigation of a website could be understood as an expression of an end user’s consent to the placement of website cookies or similar tracking technologies. The CNIL indicated that it will give stakeholders a transitional period of 12 months during which “scrolling down, browsing or swiping through a website or application will still be considered by the CNIL as acceptable.” Still, the CNIL will regularly investigate matters of transparency, withdrawal of consent, security obligations and more, including instances when cookies are impermissibly set before consent is collected for ePrivacy purposes. The CNIL’s calendar lists its tentative schedule for cookie-related matters as follows:

  • May – June 2019: Update of the CNIL standards to align with the GDPR (i.e., update of the CNIL’s 2013 interpretation of consent for cookies);
  • June – Sept 2019: Stakeholder working group to test the operational consistency of the guidelines;
  • November 2019: Results of work;
  • End of 2019 – Early 2020: Publication of new guidelines for cookies;
  • June – July 2020: End of the grace period, entities must comply with the rules of the new guidelines.

UK ICO’s New Guidance on Cookies. On July 3rd, the ICO announced that it had published new, detailed guidance covering the use of cookies and similar tracking technologies on websites and other terminal equipment. The ICO’s guidance is intended to facilitate compliance with the Privacy and Electronic Communications Regulations (PECR, the U.K.’s transposition into local law of the EU’s “ePrivacy” Directive) and the GDPR, first setting forth the distinctions and relationship between those legal regimes, and then providing context and nuance around cookies, consent and transparency.

Cookie Consent and Transparency. The ICO’s guidance confirms that if using cookies, the operator of an online service must inform users of what cookies will be set, explain what the cookies do, and obtain consent to storing cookies on a device before doing so. Moreover, if using any third party cookies, the operator must clearly and specifically name who the third parties are and explain what they will do with the information. Exempted from these requirements are cookies needed to transmit a communication over an electronic communications network, as well as cookies that are “strictly necessary” to provide a service or site requested by the user. 

Lawful Processing Basis. Whereas PECR addresses the storing or accessing of information on users’ browsers and devices by requiring consent as a prerequisite to doing so, the GDPR (and its six possible lawful processing bases under Article 6) governs the processing of any personal data gained from cookies. In its guidance, the ICO recognizes that “it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies,” but separately states that, “trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users.” 

The regulator also noted that any data processing involving analyzing or predicting preferences or behavior, or tracking and profiling for direct marketing and advertising purposes, will in most cases require consent as the lawful processing basis. Also confirmed is that “consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices,” although the ICO concedes that the setting of a first party analytics cookie “results in a low level of intrusiveness and low risk of harm to individuals,” and that “it is unlikely that priority for any formal action would be given” to such instances.

Cookie Audits and Banners. The ICO also emphasizes the utility of performing comprehensive “cookie audits” to detail what cookies are being used on a site and to discern which of them comprise “strictly necessary” first and third party cookies versus those which do not. The guidance likewise addresses forms of notice and means of consent, including prominently displayed cookie banners that provide clear information about cookies and user control options to allow or disallow those that are non-essential. 

It further notes that the blanket use of “cookie walls,” which require users to agree or accept the setting of non-strictly necessary cookies before the user can access the rest of the site’s content, will generally amount to invalid consent because the user lacks a genuine choice other than to acquiesce in order to use the site. Lastly, the ICO declined to specify how often consent should be obtained from users, noting that this is dependent on a number of factors such as frequency of visitors or updates of content or functionality. 
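The cookie audit described above can be started from a capture of what a site sets on first load, before the visitor has touched the banner. The following is an added example, not ICO or TrustArc code; the site name, the capture and the operator's "strictly necessary" list are constructed, and first/third party is decided by a simple host-suffix comparison rather than a public-suffix list.

```python
from http.cookies import SimpleCookie

SITE = "shop.example"  # constructed site under audit

# Hypothetical operator-maintained list of (host, cookie name) pairs that the
# operator has documented as strictly necessary for the requested service.
STRICTLY_NECESSARY = {
    ("shop.example", "session_id"),
    ("shop.example", "csrf_token"),
}

# Constructed capture: (responding host, Set-Cookie header value) pairs
# observed on the first page load, before any interaction with the banner.
PRE_CONSENT_CAPTURE = [
    ("shop.example", "session_id=9f2c; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("shop.example", "csrf_token=ab12; Path=/; Secure"),
    ("shop.example", "_analytics_id=GA1.2.333; Max-Age=63072000; Path=/"),
    ("cdn.shop.example", "ab_test=variantB; Max-Age=2592000"),
    ("ads.tracker.example",
     "uid=7781aa; Domain=.tracker.example; Max-Age=31536000; Secure; SameSite=None"),
]


def party(host, site=SITE):
    """Classify the responding host relative to the audited site."""
    return "first" if host == site or host.endswith("." + site) else "third"


def audit(capture, necessary=STRICTLY_NECESSARY):
    """Return one inventory row per cookie seen in the capture."""
    rows = []
    for host, header in capture:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            rows.append({
                "name": name,
                "host": host,
                "party": party(host),
                # A lifetime attribute means the cookie outlives the session.
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                # Anything not documented as strictly necessary needs consent
                # first, including first-party analytics cookies.
                "needs_consent": (host, name) not in necessary,
            })
    return rows


def set_before_consent(rows):
    """Names of cookies that were set pre-consent but require consent."""
    return [r["name"] for r in rows if r["needs_consent"]]


if __name__ == "__main__":
    for row in audit(PRE_CONSENT_CAPTURE):
        print(row)
    print("set before consent:", set_before_consent(audit(PRE_CONSENT_CAPTURE)))
```

Each third-party row in the inventory is also a recipient that the notice has to name specifically.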

How TrustArc Helps

TrustArc offers the leading technology solutions in the cookie consent space with our Website Monitoring Manager and Cookie Consent Manager.

For product demonstrations or more information on how we can help your organization, contact TrustArc today!

Upcoming Webinar – Pragmatic Consent Management: Meeting Compliance and Business Needs

TrustArc is proud to present the next Privacy Insight Series webinar “Pragmatic Consent Management: Meeting Compliance and Business Needs” with TrustArc Consulting Program Director Margaret Alston and TrustArc Senior Privacy Consultant Jim Keese. This webinar will take place this Wednesday, March 20th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about managing consent – register today!

As the dust settles on the first wave of GDPR implementation initiatives, businesses are left with a multitude of questions. Is implementing a simple cookie banner enough? How can I manage consents across multiple systems? How can I ensure our policies are being implemented? Do I really need a “Do Not Sell” button to comply with CCPA? Will all this change under the ePrivacy Regulation anyway? What kind of records do I need if a regulator asks?

As a privacy professional or a marketer, you’re responsible for advising the business and working through the realities of balancing compliance with ongoing demand for data-driven insights and growth. Join this webinar for a playbook of key tips and guidance to help you juggle these requirements with ease and understand what’s required and what’s open to interpretation.

This webinar will outline:

  • Consent requirements under key regulations including GDPR and CCPA
  • Key considerations and decisions for the business to take
  • Tools to support universal consent management

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar!

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 20,000 privacy professionals registered for our events in 2018!

TrustArc Participates at California Lawyers Association IP Institute


On November 8th in sunny San Jose, TrustArc was pleased to take part at the California Lawyers Association’s annual IP Institute.  Speaking on a panel entitled GDPR: Lessons Learned from the Front Line, TrustArc shared tips and insights both for organizations still working towards GDPR compliance, and for those seeking to take their privacy programs to the next level, including for interoperability with other global privacy laws and frameworks.

Not lost in the discussion was the fact that many law firms, of all sizes, are likewise still looking to their own GDPR/privacy compliance, which is critical to their being viewed as trustworthy stewards of confidential client information.

During a discussion-based panel with lively audience questions, TrustArc Senior Counsel, Darren Abernethy, offered observations for companies and law firms based on TrustArc’s unique position in the privacy and data protection ecosystem–as a provider of privacy technology platform solutions, privacy consulting services, and certifications/verifications.  

Some of the practical topics discussed included:

  • Tips around successful internal data protection preparation strategies seen with TrustArc customers–from identifying privacy stakeholders to updating contracts.
  • The criticality of thinking through all of an organization’s business process activities in order to map data flows and prepare GDPR Article 30 records of processing–while automating risk evaluations for possible Article 35 data protection impact assessments (DPIAs).
  • Individual rights management issues, tips on setting up a program for data subject access requests (using centralized technology to do so), and verifications.
  • Likely early GDPR enforcement issues from EU authorities, and how regulators around the world keep track more than ever of their counterparts’ privacy actions.
  • How to manage records of consent across an org, whether via webform, cookie consent or other methods, such as in the Internet of Things environment.  And, how consent records are increasingly important in mergers & acquisitions.

To learn more about how TrustArc can assist your company with technology solutions, consulting, privacy assurance programs, or the California Consumer Privacy Act contact TrustArc today for more information or to set up a demo.

GDPR Compliance – Consent Requirements under the GDPR – Marketing Activities

Choice and Checkboxes

Companies that must comply with the GDPR should take a close look at their marketing processes to ensure that they will meet GDPR requirements. The following three examples are key places where most companies should take another look at their processes with regard to GDPR consent requirements.

Marketing Outreach Email Programs

Most companies’ marketing departments have outreach programs where a large database of clients and prospects are sent emails with information about new products or services. If individuals have unsubscribed, opted out, or otherwise indicated their desire that your organization stop using their personal information, your organization may not contact them to seek their consent to marketing. Art. 21(3) further states: “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”

Even under the outgoing EU Data Protection Directive and related national legislation, the U.K. ICO last year fined multiple companies that sent emails to individuals who had already opted out of marketing emails–asking those same individuals to update their marketing preferences, including whether they wanted to opt in to receiving future marketing messages. As the ICO stated: “Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law…businesses must understand they can’t break one law to get ready for another.”

“Stale” Consent

There is a lot of buzz around “stale” consent. “Stale consent” is consent that was previously obtained (e.g., under the standards of the existing Data Protection Directive and its national implementing legislation) but which does not meet the GDPR’s new standards for consent.

For instance, if your marketing department used to have pre-ticked boxes for people to receive newsletter updates when they filled out a form to download a whitepaper, that previously obtained consent may not satisfy the clear, affirmative action requirement under the GDPR.

Organizations should evaluate their previous and existing methods of obtaining informed consent, and for any instances that do not satisfy GDPR standards, seek to obtain GDPR-compliant consent from those legacy individuals–or else no longer use the earlier, acquired personal data. This requesting of consent from individuals whose previously obtained consent did not meet GDPR standards is what is referred to as a “re-permissioning” or “re-engagement” campaign. A recent ICO blog post noted, “Before sending emails consider what the most effective way is to reach your customer – it may not be email. Consider a data protection by design approach – where can this information be embedded to have the best impact.”

Webinars, webcasts, and workshops

Whatever your company may call them, chances are your company offers webcasts. Oftentimes companies partner up to offer broader expertise on the topics being presented.

While companies may continue to partner with others, they should first obtain clarity–based on the facts of the given situation–as to their status as data controllers, data processors, or joint controllers. Provided individuals are made specifically aware of all parties collecting and using their personal information, and this and the proposed uses of the personal data are actively agreed to by the individual, data obtained through partnerships can be validly used.

TrustArc Direct Marketing Consent Manager

TrustArc Direct Marketing Consent Manager helps companies meet GDPR consent requirements for activities such as promoting products and services, surveys, newsletter subscriptions and other marketing activities.

To find out more about how TrustArc can help your company meet the consent requirements for GDPR, contact us.

Can You Legally do Analytics Under the GDPR?


by Gary LaFever, CEO of Anonos
Taking the “personal” out of Personal Data®

Many companies aren’t yet aware that they are, or will be, doing anything wrong when processing analytics or using historical databases under the GDPR. While many companies are understandably focused on conducting data inventories and data protection impact assessments, it is critical to note that inventories and assessments will not support new legal bases required under the GDPR for processing data analytics or for using historical databases involving EU personal data.

An important aspect of the GDPR is the new requirement that “consent” must be specific and unambiguous to serve as a valid legal basis. In order for “consent” to serve as lawful basis for processing personal data, it must be “freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”[1] These GDPR requirements for specific and unambiguous consent are impossible to satisfy in the case of iterative data analytics where successive analysis, correlations and computations are not capable of being described with specificity and unambiguity at the time of consent. In addition, the GDPR has no “grandfather” provision allowing for continued use of data collected using non-compliant consent prior to the effective date of the GDPR.

To lawfully process data analytics, and to legally use historical databases, containing EU personal data, new technical measures that support alternate (non-consent) GDPR-compliant legal bases are required. After May 25, 2018, companies that continue to rely on consent for analytics, AI and use of historical databases involving EU personal data will be noncompliant with GDPR requirements and therefore subject themselves, as well as co-data controller and data processor partners,[2] to the risk of well-publicized fines of up to 4% of global turnover or 20 Million Euros, whichever is greater. The good news is that new technical requirements under the GDPR – Pseudonymisation and Data Protection by Default – help to satisfy alternate (non-consent) legal bases[3] for data analytics and use of historical databases involving EU personal data.

GDPR-Compliant Pseudonymisation

The GDPR embraces a new risk-based approach to data protection and shifts the primary burden of risk for inadequate data protection from individual data subjects to corporate data controllers and processors. Prior to the GDPR, the burden of risk was borne principally by data subjects because of limited recourse against data controllers and the lack of direct liability for data processors.

The GDPR recognizes that static (persistent) purportedly “anonymous” identifiers used to “tokenize” or replace identifiers are ineffective in protecting privacy. Due to increases in volume, variety and velocity of data combined with advances in technology, static identifiers can be linked or readily linkable due to the Mosaic Effect,[4] leading to unauthorized re-identification of data subjects. Continued use of static identifiers by data controllers and processors inappropriately places the risk of unauthorized re-identification on data subjects. However, the GDPR encourages data controllers and processors to continue using personal data by implementing new technical measures to “Pseudonymise”[5] data to reduce the risk of unauthorized re-identification. GDPR-compliant Pseudonymisation requires separation of the information value of data from the means of linking the data to individuals. In contrast to static identifiers, which are subject to unauthorized relinking via the Mosaic Effect, dynamically changing Pseudonymous identifiers can satisfy requirements to separate the information value of personal data from the means of attributing the data back to individual data subjects.
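The contrast between static tokens and changing pseudonyms can be shown on two small datasets. This is an added example, not the author's or Anonos's implementation: the records are constructed, `PseudonymVault` is a hypothetical controller-side component, and "dynamic" is read here in its simplest form as a different keyed pseudonym per dataset.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: some of the same people appear in both datasets.
PURCHASES = [("alice@example.com", "glucose monitor"),
             ("bob@example.com", "paperback novel"),
             ("carol@example.com", "running shoes")]
BROWSING = [("alice@example.com", "diabetes forum"),
            ("bob@example.com", "election news"),
            ("dave@example.com", "recipes")]


def static_token(identifier):
    """Static tokenisation: the same input yields the same token everywhere."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


class PseudonymVault:
    """Hypothetical store, kept apart from released data, that holds the
    means of attributing pseudonyms back to individuals."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never released with the data
        self._reverse = {}                   # (context, pseudonym) -> identifier

    def pseudonym(self, identifier, context):
        # Keyed and bound to the context, so it differs per dataset.
        msg = f"{context}\x00{identifier}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._reverse[(context, tag)] = identifier
        return tag

    def relink(self, context, pseudonym):
        """Authorised re-identification, possible only with vault access."""
        return self._reverse[(context, pseudonym)]


def release(records, tokenise):
    """Replace the direct identifier in each record with a token."""
    return [(tokenise(ident), value) for ident, value in records]


def mosaic(released_a, released_b):
    """Profiles a recipient can build by joining two releases on the token."""
    a, b = dict(released_a), dict(released_b)
    return {t: (a[t], b[t]) for t in a.keys() & b.keys()}


def demo():
    static_a = release(PURCHASES, static_token)
    static_b = release(BROWSING, static_token)
    vault = PseudonymVault()
    dyn_a = release(PURCHASES, lambda i: vault.pseudonym(i, "purchases"))
    dyn_b = release(BROWSING, lambda i: vault.pseudonym(i, "browsing"))
    return {
        "static_profiles": mosaic(static_a, static_b),
        "dynamic_profiles": mosaic(dyn_a, dyn_b),
        "authorised_relink": vault.relink("purchases", dyn_a[0][0]),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

With static tokens the two releases join into combined profiles for the people present in both; with per-dataset pseudonyms the join is empty, while the vault holder can still re-link a record.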

Data Protection by Default

The GDPR imposes a new mandate to provide Data Protection by Default,[6] which goes further than providing perimeter-only protection and is much more than merely “privacy by design.” It is the most stringent implementation of privacy by design. Data Protection by Default requires that data protection be applied at the earliest opportunity (e.g., by dynamically Pseudonymizing data) and requires that steps be affirmatively taken to make use of personal data. This is in stark contrast to common practices prior to the GDPR, when the default was that data was available for use and affirmative steps had to be taken to protect the data. Data Protection by Default requires granular, context-sensitive control over data when it is in use so that only the data proportionally necessary at any given time, and only as required to support each authorized use, is made available.

GDPR Technical Requirements and Data Stewardship

Prior to the GDPR, risks associated with not fully comprehending broad grants of consent were borne by individual data subjects. Under the GDPR, broad consent no longer provides sufficient legal basis for data analytics or use of historical databases involving personal data. As a result, data controllers and processors must adopt new technical safeguards to satisfy an alternate legal basis. GDPR requirements may be satisfied by complying with new Pseudonymisation and Data Protection by Default requirements to help support alternate (non-consent) legal bases for analytics and use of historical databases.

Even in situations where a company is not required to comply with EU regulations, compliance with GDPR requirements for Pseudonymisation and Data Protection is evidence of state-of-the-art initiatives to serve as a good steward of data thereby engendering maximum trust with customers.

[1] See Recital 32 and Article 4(11).

[2] See Articles 26 and 82.

[3] See Articles 6(1)(b)-(f).

[4] The “Mosaic Effect” occurs when a person is indirectly identifiable due to a phenomenon referred to by the Article 29 Working Party as “unique combinations” where, notwithstanding the lack of identifiers that directly single out a particular person, the person is still “identifiable” because that information may be combined with other pieces of information (whether the latter is retained by the data controller or not) enabling the individual to be distinguished from others. See .

[5] See Article 4(5).

[6] See Article 25.