Increasing focus on enforcement of EU cookie regulations highlights the importance of compliance for organisations to avoid fines, lawsuits, and impact on cybersecurity.

Cookie law enforcement activity is putting pressure on organisations across Europe to ensure compliance with regulations. As a result, UK businesses have been urged to address their cookie compliance positions to avoid regulatory action and cybersecurity consequences.

In the EU, cookies are regulated by the General Data Protection Regulation (GDPR) and the so-called Cookie Directive (the latter in the process of being updated)—both of which can result in severe penalties for non-compliance and must be adhered to by UK organisations if they have a website presence and/or customers based in EU countries.

Cookie law enforcement pressures intensify

On May 31, Max Schrems’ pressure group My Privacy is None of Your Business (NOYB) announced possible action against 560 websites and the possibility of a further 10,000 complaints about cookie control panels, claiming that organisations in as many as 33 countries are failing to offer ‘deny all’ options or easy ways for users to withdraw consent. NOYB also cited privacy concerns about some vendors of cookie management tools. It stated that if the recipients do not comply with cookie laws within a month it will file formal complaints with the relevant European Data Protection Authorities (DPAs).

It is not only NOYB that is stirring the cookie law enforcement pot across Europe. Last week, the Commission nationale de l’informatique et des libertés (CNIL) in France announced action against around 20 organisations (which has the potential to impact any UK organisation the DPA judges to be intent on targeting French visitors), whilst German regulators have also revealed a new data protection sweep exercise with a greater focus on cookie compliance.
Risks of cookie non-compliance

Jonathan Armstrong, tech/compliance lawyer and partner at Cordery, tells CSO that recent developments around cookie law enforcement are significant for UK organisations. According to Armstrong, whilst most businesses typically use software that enables them to comply with cookie laws, it often is not configured correctly. This leads to common non-compliance errors such as:

- Failing to provide sufficient prominence to a “reject all” button
- Not being transparent about the cookies used on a website
- Not having an adequate cookies policy and/or privacy policy
- Having unjustifiably long retention periods for cookies

The potential risks of cookie non-compliance for organisations under the GDPR and Cookie Directive are substantial, chiefly in the form of large monetary fines and/or costly class litigation. Recent cookie-related fines have been as high as €100m for Google and €35m for Amazon, both in France, and large, well-resourced civil action claims involving cookies and other technologies are currently going through the courts.

There are also security implications to consider, Armstrong points out. “From an information security perspective, non-compliance may limit the tools the security team can use and/or mean that they need to be more fully disclosed,” Armstrong says. “As just one example, I’ve been advising a client who uses Cloudflare but didn’t disclose it on their website. One DPA has issued enforcement action over the use of Cloudflare, so companies will have to either (a) properly disclose Cloudflare and face possible regulatory action; (b) switch it off (which might leave them without protection against DDoS attacks if they don’t have a backup plan); or (c) try and engage with Cloudflare to make sure the use of Cloudflare is lawful and build up a pack of evidence for when a regulator, pressure group, or litigant knocks on their door.
They might be able to do this quickly, but it will require some effort and investment, and of course they’ll need Cloudflare to co-operate.”

Steps to cookie compliance

Cookie law compliance should be high on the agenda for any business in the UK, Armstrong says, urging companies to critically assess the cookies they use on their websites. “Are they all needed? Can alternative technology do the same job? Have you agreed to all of the third-party cookies which are there?” he asks. “Businesses are going to have to invest in cookie transparency and education; some cookies are used for good—businesses will have to be able to explain what they use, how, and why.”

Ben Rapp, principal at privacy consultancy Securys, shares a similar view, adding that organisations must take decisive action to ensure clear accept and reject options for users. “When you ask the question, it must be as easy to say no to all cookies (other than those that are necessary) as it is to say yes,” Rapp says. “You have to have accept all and reject all given the same emphasis and ease of access; you can also offer a more granular option to manage individual cookies according to preference. You can’t have customers reject all and then drop cookies anyway, which is what many companies are doing. Also, there is law coming that is likely to mean that you have to provide some minimum level of functionality without cookies.”

Addressing cookie retention periods and having a plan in place to deal with any threatened litigation are also important measures to take, Armstrong adds. “Furthermore, make sure that any cookie processing is included in subject access request responses (SARs),” he says. “Some litigants are making SARs to find out what you’re doing with cookies, and you’ll need to make sure that you look in the right places and that your response is consistent with the disclosures you make.”

Ultimately, there are two ways to approach privacy around cookies, says Rapp.
“One is as an interesting legal challenge, ‘Can I find a way around this?’ and the other is ‘How can I protect the rights and freedoms of the data subject?’”

Enforcement by pressure groups like NOYB and DPAs, and court judgements to date, has been clear—you’re supposed to respect the rights and freedoms of the data subjects, Rapp says. “Stop looking for cunning ways to construe the law that will allow you to do things any sensible person will recognise the law is intended to prevent. How is a data subject who cares about this stuff going to react? As a minimum, they’re not going to use your business anymore—but they might take the time to report you.”
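As an added illustration of the consent behaviour described in the non-compliance list above and in Rapp's and Armstrong's advice (accept-all and reject-all with equal weight, no non-essential cookie dropped before or after a reject, granular preferences, withdrawal honoured, and retention periods checked against a policy), the following JavaScript is example code written for this edit; it is not code from the article, from Cordery or Securys, or from any vendor's consent tool. The cookie names, categories, purposes and the 13-month retention ceiling are constructed assumptions, and the logic is modelled as pure functions over a cookie registry so it runs in Node without a browser.

```javascript
// Added example: a minimal consent-gated cookie manager (not from the article).
// All cookie names, categories, purposes and the retention limit are constructed.

// Constructed registry of every cookie the site sets, with purpose, category
// and retention (Max-Age in seconds). Keeping this list also gives the
// transparency record a cookie policy needs.
const COOKIE_REGISTRY = [
  { name: "session_id",     category: "necessary", purpose: "Keeps you logged in",          maxAge: 60 * 60 * 24 },
  { name: "csrf_token",     category: "necessary", purpose: "Protects forms against CSRF",  maxAge: 60 * 60 * 24 },
  { name: "site_analytics", category: "analytics", purpose: "Aggregate usage statistics",   maxAge: 60 * 60 * 24 * 365 },
  { name: "ad_profile",     category: "marketing", purpose: "Ad personalisation",           maxAge: 60 * 60 * 24 * 365 * 2 },
];

// Assumed internal retention ceiling for non-essential cookies (13 months).
// This is a constructed policy value, not a figure taken from the article.
const MAX_NON_ESSENTIAL_AGE_SECONDS = 60 * 60 * 24 * 30 * 13;

// No decision recorded yet: only strictly necessary cookies are permitted.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, decidedAt: null };
}

// "Accept all" and "reject all" are symmetric, single-step choices.
function acceptAll(now = Date.now()) {
  return { necessary: true, analytics: true, marketing: true, decidedAt: now };
}

function rejectAll(now = Date.now()) {
  return { necessary: true, analytics: false, marketing: false, decidedAt: now };
}

// Granular preferences; the necessary category can never be switched off.
function setPreferences(prefs, now = Date.now()) {
  return {
    necessary: true,
    analytics: Boolean(prefs.analytics),
    marketing: Boolean(prefs.marketing),
    decidedAt: now,
  };
}

// The cookies the site may set under a consent state. Before any decision
// and after "reject all" this is the necessary set only.
function allowedCookies(consent) {
  return COOKIE_REGISTRY.filter((c) => consent[c.category] === true);
}

// Cookies that must be expired when consent is withdrawn or narrowed, so a
// later "reject" actually removes what an earlier "accept" allowed.
function cookiesToExpire(previous, next) {
  return COOKIE_REGISTRY
    .filter((c) => previous[c.category] === true && next[c.category] !== true)
    .map((c) => c.name);
}

// Set-Cookie header values for the supplied cookie values. Anything outside
// the allowed set is silently dropped, never emitted.
function setCookieHeaders(consent, values) {
  return allowedCookies(consent)
    .filter((c) => Object.prototype.hasOwnProperty.call(values, c.name))
    .map((c) => `${c.name}=${encodeURIComponent(values[c.name])}; Max-Age=${c.maxAge}; Path=/; Secure; SameSite=Lax`);
}

// Expiry headers (Max-Age=0) for cookies that must be cleared on withdrawal.
function expireCookieHeaders(previous, next) {
  return cookiesToExpire(previous, next).map((name) => `${name}=; Max-Age=0; Path=/; Secure; SameSite=Lax`);
}

// Flags non-essential cookies whose retention exceeds the policy ceiling.
function retentionViolations(registry = COOKIE_REGISTRY, limit = MAX_NON_ESSENTIAL_AGE_SECONDS) {
  return registry
    .filter((c) => c.category !== "necessary" && c.maxAge > limit)
    .map((c) => c.name);
}

// Banner model: accept-all and reject-all carry the same visual weight and
// are both one click away; granular management is the optional third route.
function bannerChoices() {
  return [
    { id: "accept-all", label: "Accept all", style: "primary" },
    { id: "reject-all", label: "Reject all", style: "primary" },
    { id: "manage",     label: "Manage preferences", style: "secondary" },
  ];
}

// Self-check used by tests or a CI lint: the two global choices must match.
function bannerIsBalanced(choices = bannerChoices()) {
  const accept = choices.find((c) => c.id === "accept-all");
  const reject = choices.find((c) => c.id === "reject-all");
  return Boolean(accept && reject && accept.style === reject.style);
}
```

The header-building functions only show what a server would emit under a given consent state; a real deployment also has to keep third-party scripts from setting their own cookies until consent is recorded, which this model does not cover.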