It was only a matter of time before we saw the first big fines for breaching the General Data Protection Regulation (GDPR), and within a week of the UK Information Commissioner's Office (ICO) updating its policy terms, two were issued. Last month saw both UK airline British Airways and international hotel chain Marriott hit with huge fines of £183 million and £99 million respectively for data breaches that exposed millions of customers’ personal data to fraudsters online. Together with recent fines issued to Google and Facebook for violating privacy regulations, this has brought the GDPR debate back into the spotlight at a time when browsers such as Google Chrome, Apple Safari and Mozilla Firefox have introduced new features and settings to tighten the rules on how personal data is handled online.
So, why the discussion?
It is important to mention the Privacy and Electronic Communications Regulations (PECR), which sit alongside the Data Protection Act (DPA) and the GDPR. The regulations give people specific privacy rights in relation to electronic communications. These include cookies, which are used to track information about people accessing a website or other electronic service. According to the rules, a business must inform people using its website that the cookies are there, explain what they’re doing and why, and, most importantly, get the user’s consent to store a cookie on their device.
Cookies and data tracking have been discussed heavily following the introduction of Safari’s intelligent tracking prevention (ITP) and Google’s more recent privacy settings, which have all but limited the storage of third-party and first-party cookies, completely confusing the compliance process for businesses. Cookies are often used by advertisers to collect data about relevant customers who browse online and make product purchases, and to use that information to adapt their ad targeting strategies and audiences. However, with the stricter rules now in place, the consent process for how cookies are handled has become more problematic. One mishap could lead to results similar to those we’ve already seen with the ICO fines.
All of this has opened up a discussion of how businesses should be handling cookies, personal data and consent online, and has caught the attention of the affiliate and performance marketing industry.
“The BA and Marriott breaches were the type of breaches we’ve come to expect – millions of consumer CRM profiles being lost, containing personal information and sometimes payment information. We need to expect these types of fines from now on,” said Eitan Jankelewitz, partner at law firm Sheridans.
PerformanceIN reached out to Jankelewitz, who currently consults with a number of companies including global affiliate network Awin. He has kindly shared some of his thoughts on the latest developments from the ICO and what they could mean for businesses going forward.
Legal basis of consent
Since the rollout of GDPR last year, the legal basis for handling personal data has had to be established. Businesses have taken the position of either a data processor or a data controller, using either consent or legitimate interest as a legal basis. According to the DPA, a data processor is a person who processes the data on behalf of the data controller, whereas a data controller is someone who, either alone or jointly with others, determines the purposes for which and the manner in which the personal data is processed.
Then there’s the question of which legal basis covers the initial consent to cookies. Jankelewitz previously mentioned in an article on PerformanceIN that tracking data across multiple devices can, in some cases, be done on the legal basis of legitimate interest, subject to the implementation of appropriate safeguards, which provides for lawful processing for attribution on a non-consent legal basis.
However, if we take a further look at the criteria under the ICO guidelines on cookies and data processing, the rules indicate that setting or accessing cookies requires consent under PECR.
“The ICO cookie guidance places a lot of emphasis on the importance of consent – understandably because consent is required under PECR when setting or accessing all non-essential cookies. PECR doesn’t have a ‘legal basis’ concept like GDPR,” Jankelewitz explained.
Jankelewitz explained that PECR, as the more specific law, takes precedence over GDPR, but that it doesn’t necessarily apply to the processing of cookies, or of the personal data derived from them, beyond the act of setting or accessing the cookies themselves.
“PECR means consent for storing and accessing cookies, even if legitimate interest is available under GDPR [...] PECR only ever deals with storing or accessing tracking technology on user devices. This is the point at which PECR stops applying and GDPR kicks in,” he added.
The ICO also outlines that if the cookies set aren’t exempt from Regulation 6, then the business can only use consent as a legal basis, and this consent must be of the GDPR standard. This is the case whether or not personal data is involved.
“The ICO guidance is interesting because it states that, where consent is required for a cookie under PECR, as a practical matter, consent should be the GDPR legal basis for subsequent processing of that data,” said Jankelewitz; “Given that the ICO tells us it is still getting to grips with the complexity of the industry, I question whether it is best placed to tell businesses what they would find most practical.”
While the bulk of the discussion has been around the European data protection authorities updating their guidelines on cookies, consent and data processing, other regulations that are coming into play could see similar outcomes in the future.
For instance, in the US the California Consumer Privacy Act comes into effect on January 1, 2020. This will allow people to protect, take ownership of and control their personal data. While the guidelines are detailed and fairly complex, the act is certainly raising awareness, particularly for businesses where users are now the sole basis when it comes to handling and processing personal data. China currently has the most internet users in the world, and there are developments under way around managing the country’s data privacy.
Whichever way you look at it, the current guidelines and regulations surrounding personal data and privacy can no longer be ignored. GDPR is over a year old and the ICO and PECR have rules in place, so it’s imperative for businesses, no matter the sector, to prepare and take matters seriously when it comes to handling personal data, and to ensure that their processes are managed lawfully or face significant fines in the long run.
“The ICO has recently invested a lot of energy learning how online ads work, mostly in RTB and programmatic, but also other channels too, like affiliate marketing. This can only be applauded, and the ICO is committed to continuing to learn about what can be particularly convoluted supply chains and very technical ways of working,” concluded Jankelewitz.