According to recent news, the ICO made new changes in the GDPR/PECR guidelines on cookie consent. To discuss the matter in more detail, ICO collaborated with a law partner firm Sheridans. The changes will go from cookie to legal basis of consent. They also made a proposition about why businesses must take a keen interest in handling personal data online.
Last month, huge fines imposed on the UK airlines British airways and an international hotel chain Marriot. These fine are the clear reflection of violation under GDPR which end up giving data of millions to the online fraudsters. Besides, the debate of the GDPR came into the spotlight when Facebook and Google received penalties and created history. They violated privacy regulations and reminded us, when Google Chrome, Apple Safari, and Mozilla Firefox, introduced a news setting and made stringent rules for handling personal data online.
The discussion on the cookies and data tracking held with depth following the introduction of Safari’s intelligent tracking prevention (ITP) and Google’s more recent privacy settings. In conclusion, they limited the storage of third-party and first-party cookies, and utterly confusing the regulation process for organisations.
Advertisers use a cookie to accumulate data about customers who browse online and purchase products of their interest. They also utilise the data to adapt ad targeting strategy and audience. But now strict rules have changed the situation and made the process of handling cookies have become more difficult. A single mistake can make businesses pay a massive amount.
In an open discussion on handling cookies, personal data and consent online, Eitan Jankelewitz, a partner at law firm Sheridans contributed by saying, “ The BA and Marriott breaches were the type of breaches we expect now – millions of consumer CRM profiles are missing, containing personal information and sometimes payment information. We need to expect these types of fines from now on.”
Legal basis of the consent
With the launch of GDPR in 2018, the legal basis of consent has put in force. And, businesses have become data controllers and data processors. A decision came out regarding the initial consent of the cookies on a legal basis. In an article, Jankelewitz mentioned the PerformanceIN that data tracking across various devices could take place on the legal basis of legitimate interest in few cases. The implementation of appropriate safeguards provides for lawful processing for attribution on a non-consent legal basis.
The ICO Guidelines
Consequently, if we analyse the criteria of ICO guidelines on data processing and cookie consent, the rules manifest that settling or cookie assessment, consent under PECR is required. Jankelewitz elaborated that, “The ICO cookie guidance places a lot of emphasis on the importance of consent – understandably because consent is required under PECR when setting or accessing all non-essential cookies. PECR doesn’t have a ‘legal basis’ concept like GDPR.”
Further, he added, “PECR means consent for storing and accessing cookies, even if legitimate interest is available under GDPR, PECR only ever deals with storing or accessing tracking technology on user devices. This is the point at which PECR stops applying and GDPR kicks in.”
The ICO indicates that if the cookies set do not get exempted from Regulation 6, then the business will be allowed to use consent as a legal basis. Jankelewitz stated that “The ICO guidance is interesting because it states that, where consent is required for a cookie under PECR, as a practical matter, consent should be the GDPR legal basis for subsequent processing of that data. Given that, the ICO tells us it is still getting to grips with the complexity of the industry. I question whether it is best to tell businesses what they would find most practical.”
What come may, the guidelines and regulations covering personal data and privacy cannot be ignored. ICO and PECR have rules integral for businesses, to make efficient strategies to hold personal data. The lawmakers say the processes must go legally if not, you will have to pay hefty fines.
A comprehensive solution
Seers UK helps organisations to handle the challenges of GDPR compliance. Our experts can help your firm with a variety of best-practice GDPR solutions, from evaluating your current state of compliance and developing a remediation roadmap, through to implementing a best-fit privacy compliance framework. Your compliance with our mission.