What exactly are cookies and similar technologies? When should you be asking for consent to ensure lawful use? Learn more about cookies and similar technologies, such as pixels and fingerprinting in this article.
What are cookies?
Does your organisation have a website? If so, no doubt you will be well aware of cookies and how useful they are to help target your ideal customers. For those of you that don’t know, cookies are small text files that are downloaded and stored on your device when you visit a website that uses them. They can then be used to present you with advertising suited to you, based on your browsing history.
Many of you will also be aware that consent must be obtained before using any cookies. The exception is if they are classed as essential cookies. For example, those which are needed to ensure your website works. An example would be cookies which remember the contents of your shopping basket.
What about similar technologies?
The law on cookies also applies to ‘similar technologies’. There is, perhaps, less awareness around ‘similar technologies’ but they include things like pixels. For example, perhaps you use email campaigns to promote your organisation. If you need to assess how successful each campaign is by looking at who opened the emails and when, you will be using pixels.
However, were you aware that the same rules apply to pixels as apply to cookies? This means that if you are going to use these pixels in your email campaigns, strictly speaking, you should be obtaining consent from the user. Therefore you might need two lots of consent, ie: consent to send the email and consent to use the pixel. As with cookies, this needs to be GDPR grade consent. This means it needs to be freely given, specific, informed, unambiguous and it must be given by a clear, affirmative action. Consent must also be as granular as possible. It must be as easy to withdraw as to give, and reference to it must not be buried deep in a privacy notice that nobody ever reads.
Do you ever recall being asked for consent for this when signing up to newsletters?
Another technique often used in marketing is fingerprinting. This has nothing to do with the police catching criminals using the fingerprints they left at a crime scene. This has to do with browser fingerprinting, which is a very accurate way of identifying users online by tracking their online behaviour. The information collected is subsequently used for targeted advertising.
Unlike cookies, no information is stored on your device. The information is collected from your device and stored externally. However, the rules still apply to this type of activity, which means, strictly speaking, that consent should be collected.
Do you ever remember being asked for consent for this type of activity?
Why worry? Who cares?
Many users are, perhaps, not bothered by this activity. They are pleased that they are being presented with a more personalised experience when they surf the net. Also, the thought of having to provide even more consents when already suffering from ‘consent fatigue’ is not something which fills many people with joy. From an organisation’s point of view, it may simply be seen as more red tape. Interestingly, it would seem that the Information Commissioner’s Office (ICO) have not yet removed the tracking pixel from their newsletter, although I am reliably informed that they are working on it!
In any event, the ICO announced a couple of months ago that it had resumed its investigations into the adtech industry, so I guess it will only be a matter of time before we see it start to take formal action for non-compliance. Now is the time to get your ducks in a row.
by Sandy May
Sandy is our Head of Data Protection Consultancy.
As a dedicated professional, Sandy has a detailed knowledge of not only the General Data Protection Regulation (GDPR), but other related legislation as well. This includes the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR). Find out more.