GDPR & Cookies

The GDPR makes specific reference to cookies in only one instance – Recital 30:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

A Brief History of Cookies

So let’s go back to first principles, as cookies are one of the most misunderstood web ‘things’. The Internet Engineering Task Force Request For Comment (RFC) 2109, ‘HTTP State Management Mechanism’, from 1997 introduces the ‘Cookie’ and ‘Set-Cookie’ headers to ‘carry state information between participating origin servers and user agents.’ This RFC also has a ‘Historical’ section (10) which is an interesting read and explains how the standard builds on the work started by Netscape. Additionally, should you want to really know the history of HTTP cookies, I recommend reading ‘HTTP Cookies: Standards, Privacy, and Politics’, published in 2001 by David Kristol, one of the designers of RFC 2109.

Interestingly, RFC 2109 refers to RFC 2068, Hypertext Transfer Protocol—HTTP/1.1. The main reason I find it interesting is that in the abstract HTTP is described as a ‘stateless’ protocol, and RFC 2109 introduces ‘state management’. Another thing I find interesting is that RFC 2068 was published in January 1997 and RFC 2109 in February 1997, which indicates the pace at which the Internet was developing at this time. The last ‘interesting’ observation I make on RFC 2109 concerns Section 7, Privacy, and Section 8, Security Considerations: even when this mechanism was first considered, the designers could see that it had scope to be abused.

RFC 2109 was then updated by RFC 2965 in October 2000, and the last update as of today is RFC 6265 from April 2011.

The Legal Bit – as was

Do you remember life on the web before those ‘This website uses cookies, by continuing you accept their usage’ banners and pop-ups? They are as a result of Directive 2009/136/EC Of The European Parliament And Of The Council, which amended Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

In the UK, Directive 2009/136/EC was implemented by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, which were laid before the UK Parliament on 5th May 2011 and became law on 25th May 2011; these regulations amended The Privacy and Electronic Communications (EC Directive) Regulations 2003.

If you look back at my question, asking if you remembered life on the web before those ‘This website uses cookies, by continuing you accept their usage’ banners and pop-ups, you will see that this is an example of an opt-out, and this is because Article 5(3) of Directive 2002/58/EC states:

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

My challenge to you: have you ever bothered checking the cookies being served to you by websites, and if you have, what hoops did you have to jump through to opt out of accepting those cookies?

Even the Information Commissioner’s Office (ICO) puts cookies on your system before you have the option to refuse them. I used Chrome because its Developer Tools allow the user to monitor which cookies are being served in real time. I first cleared the browsing data, then went to https://ico.org.uk/ and was surprised to find the following cookies placed on my terminal as soon as the page loaded:

It is worth noting that even after I selected ‘Turn cookies off’, the civicCookieControl cookies continued to be served. This is because ‘This cookie is used to remember a user’s choice about cookies on ico.org.uk. Where users have previously indicated a preference, that user’s preference will be stored in this cookie.’ Why do they need to use a cookie to remember that you refused cookies? Because, as noted above, HTTP is stateless and cookies add a state management function for the session.
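The check described above, looking at which cookies a page sets before the visitor has made any choice, can be done with a few lines of code rather than by reading Developer Tools by hand. This is an added example and not code from the original post or from the ICO; the response headers are constructed for illustration, and the cookie names (consent_ctrl, _analytics_id, _session) and the domain example.org are hypothetical. It parses each Set-Cookie header per RFC 6265 section 5.2 and reports, for every cookie, whether it outlives the session, how widely it is scoped, and which protective attributes it lacks.

```python
# Added example, not code from the original post: auditing the Set-Cookie headers a
# page returns on first load. The response headers below are constructed for
# illustration; the cookie names and domain are hypothetical, not taken from any
# real site.

SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "consent_ctrl=unset; Path=/; Max-Age=31536000; Secure; SameSite=Lax"),
    ("Set-Cookie", "_analytics_id=a1b2c3d4; Domain=.example.org; Path=/; "
                   "Expires=Wed, 01 Jan 2020 00:00:00 GMT"),
    ("Set-Cookie", "_session=opaque-token; Path=/; HttpOnly; Secure"),
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes) per RFC 6265 section 5.2.

    The first ';'-separated part is name=value; every later part is an attribute,
    matched case-insensitively, with or without its own '=value'.
    """
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(response_headers):
    """Describe every cookie a response sets, before the user has made any choice."""
    report = []
    for header_name, header_value in response_headers:
        if header_name.lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(header_value)
        report.append({
            "name": name,
            # Session cookies die with the browser; Max-Age or Expires makes one persistent.
            "persistent": "max-age" in attrs or "expires" in attrs,
            # Domain=... widens the cookie to every subdomain; absent means host-only.
            "domain": attrs.get("domain") or "(host-only)",
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "samesite": attrs.get("samesite", "").lower() or None,
        })
    return report


def weaknesses(entry):
    """List the points a reviewer would raise about one audited cookie."""
    found = []
    if entry["persistent"]:
        found.append("persistent")         # survives the session: needs a justified lifetime
    if not entry["secure"]:
        found.append("no Secure")          # may be sent over plain HTTP
    if not entry["httponly"]:
        found.append("no HttpOnly")        # readable by page scripts
    if entry["samesite"] is None:
        found.append("no SameSite")        # sent along with cross-site requests
    return found


if __name__ == "__main__":
    for entry in audit_cookies(SAMPLE_RESPONSE_HEADERS):
        print(entry["name"], entry["domain"], ", ".join(weaknesses(entry)) or "ok")
```

Run against a real capture, every cookie in the report was set before any consent was given; the purpose of each still has to be looked up in the site's cookie notice, which is the part no parser can do for you.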

The Legal Bit – as nearly is

So that is how it worked under the old legislation; how is it going to work under the GDPR? Article 6, Lawfulness of processing, states:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

So there are six conditions under which it may be lawful to process Personally Identifiable Information (PII). Thinking about cookies specifically:

Condition a could apply if the user gave consent, but consider Recital 32:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

We see that when citing consent as the legal basis for the use of cookies, the current opt-out model will not be compliant with the GDPR: the user MUST opt in before any cookies are used, and consent MUST be given for all the purposes for which the controller will use the data.

Condition b could apply when using a shopping basket on an e-commerce site, because the processor needs to track the contents of your basket, and you are either in a contract, or about to enter into a contract, with the vendor to purchase goods or services. However, the retailer could not legitimately use the fact that you placed a product in your basket and then did not check out as a reason to serve you targeted adverts the next time you visited the site.

Condition c could apply if cookies are used for fraud detection, security, or age verification, where that is needed to meet a legal obligation on the part of the controller.

Conditions d and e are unlikely to ever apply.

Condition f could apply if the data controller could demonstrate they have a legitimate purpose; however, Article 6(4) states:

Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

So in their Data Protection Impact Assessment (DPIA) the controller would need to make sure they have considered and documented their justification against these conditions. Even if the controller believes they can justify the use of cookies through legitimate purposes, Recital 70 states:

Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

As an added wrinkle for cookies Recital 38 states:

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

How is the age of the person consenting to cookies to be confirmed?

My Opinion – for what it’s worth

So, looking back at the ICO website, it is my belief that post May 25th they will only be able to set one cookie when you first arrive at the site, and that is to record that you have NOT consented to any cookies. The first page you are served will also be very different: it will need to list all the cookies they would like to use, you will be required to check the box of every one that you consent to, and where a cookie is used for more than one purpose a separate check box will be required for each function, due to Recital 43:
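The opt-in model described above (one cookie recording non-consent on first arrival, then a separate tick per purpose) is implementable with exactly the state mechanism the RFCs discussed earlier provide: the server emits Set-Cookie, the browser returns Cookie on later requests, and the server reads the recorded preference back out of it. The following is an added example and not code from the original post or from the ICO; the cookie names (cookie_consent, session_id, analytics_id, ad_id), the purpose catalogue, the 180-day lifetime and the consent cookie format (a '|'-separated list of purposes, or "none") are all hypothetical. Everything that is not strictly necessary is refused until its purpose has been ticked, and a cookie with no declared purpose is never set.

```python
# Added example, not code from the original post or from the ICO: a server-side gate
# implementing the opt-in model using the Cookie / Set-Cookie state mechanism of
# RFC 6265. Assumptions, all hypothetical: the cookie names, the purpose catalogue,
# the lifetime, and the consent cookie format ('|'-separated purposes, or "none").

CONSENT_COOKIE = "cookie_consent"          # hypothetical name of the preference cookie
CONSENT_MAX_AGE = 180 * 24 * 3600          # hypothetical lifetime: 180 days, in seconds

# One row per cookie per purpose. A cookie serving two purposes would get two rows, so
# it is listed (and ticked) separately for each, as Recital 43 requires.
COOKIE_PURPOSES = {
    "session_id":   "strictly_necessary",   # exempt: needed to deliver the requested service
    "analytics_id": "analytics",
    "ad_id":        "advertising",
}


def parse_cookie_header(header):
    """Parse a Cookie request header (RFC 6265 section 5.4): 'a=1; b=2' into a dict."""
    cookies = {}
    for pair in (header or "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def consented_purposes(request_cookies):
    """Purposes the user opted into. No cookie, or 'none', means no consent at all."""
    raw = request_cookies.get(CONSENT_COOKIE, "")
    return {p for p in raw.split("|") if p and p != "none"}


def build_set_cookie(name, value, max_age=None):
    """Serialise a Set-Cookie header with a defensive default attribute set."""
    parts = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)


def response_cookies(cookie_header, wanted, consent_choice=None):
    """Decide which Set-Cookie headers a response may carry.

    cookie_header  : the request's Cookie header, None on a first visit.
    wanted         : {name: value} cookies the application would like to set.
    consent_choice : purposes ticked on the consent form just submitted, or None.
    Returns (headers_to_send, names_refused).
    """
    request_cookies = parse_cookie_header(cookie_header)
    headers = []
    if consent_choice is not None:
        # The form was submitted: record exactly the purposes ticked, nothing implied.
        consented = set(consent_choice)
        headers.append(build_set_cookie(
            CONSENT_COOKIE, "|".join(sorted(consented)) or "none", CONSENT_MAX_AGE))
    elif CONSENT_COOKIE not in request_cookies:
        # First arrival: the only cookie set records that nothing has been consented to.
        consented = set()
        headers.append(build_set_cookie(CONSENT_COOKIE, "none", CONSENT_MAX_AGE))
    else:
        consented = consented_purposes(request_cookies)

    refused = []
    for name, value in wanted.items():
        purpose = COOKIE_PURPOSES.get(name)    # None for a cookie with no declared purpose
        if purpose == "strictly_necessary" or purpose in consented:
            headers.append(build_set_cookie(name, value))
        else:
            refused.append(name)
    return headers, refused


if __name__ == "__main__":
    # First visit, no Cookie header: only the consent record and the session cookie go out.
    sent, refused = response_cookies(None, {"session_id": "s1", "analytics_id": "a1", "ad_id": "d1"})
    print("sent:", sent)
    print("refused until opted in:", refused)
```

Two design points worth noting: the absence of the consent cookie is treated the same as an explicit "none", so silence never unlocks anything, and the refused list is returned rather than silently dropped, so the application can log which cookies it wanted to set and could not.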

In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Conclusion

And that, dear reader, is why this site does not use cookies. It is going to require a complete change of approach to make websites comply with the GDPR while still using cookies.

Update

Because we are now using CloudFlare we have to use one cookie, which is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID and does not store any personally identifiable information.