Law Society of Scotland
Cookies, consent and social media plugins

Corporate briefing: new guidance from the Information Commissioner’s Office clarifies that GDPR-standard consent is required for cookies and social media plugins that collect data from website users
9th September 2019 | Sophie Graham

It has been an eventful summer for the Information Commissioner’s Office, with headline fines and enforcement orders. One thing that may have slipped through the net for some website providers is the long-awaited update on cookies.

Cookies are small pieces of information employed by websites to track when a user visits their site. Providers use them to track browsing behaviour, user devices, user location, frequency of a user’s visits, and also to support shopping basket functions. Cookies can be “per session”, i.e. they are forgotten once you leave the site, or “persistent”, meaning they are stored on your device between sessions. Third-party cookies are set by a website or domain separate from the one being visited. These incorporate elements such as social media plugins, advertising or images.

The Privacy and Electronic Communications Regulations 2003 (“PECR”) govern the application of cookies, device fingerprinting and tracking technologies (whether or not personal data are being processed). They require website providers to tell users about cookies and give them the choice whether their information is stored in this way.

What has changed?

In reality, not much has changed; rather, the interpretation has been clarified. PECR always required consent for non-essential cookies (i.e. not for the purpose of transmission of a communication, or being strictly necessary). Prior to GDPR coming into force, the criteria for consent were unclear, and a soft opt-in, or implied consent, was deemed acceptable. With GDPR in force, PECR engages its criteria for consent; therefore implied consent is no longer acceptable. This means that blanket forms of consent, such as “By continuing to use this website, you consent to the use of cookies”, are no longer valid.

To recap, under GDPR, consent must be: informed; a clear affirmative action; granular; unbundled; and capable of being withdrawn. Website providers that employ non-essential cookies are also required to demonstrate that consent has been given.

The ICO’s recent guidance reinforces this, while clarifying that where you need consent to set non-essential cookies, your legal basis under GDPR will also be consent. Put another way, if you are relying on consent, you can no longer rely on any other legal basis to continue to employ non-essential cookies (and similar tracking technologies).

The ICO has a narrow interpretation of what constitutes “strictly necessary” cookies.

For example:

  • cookies employed for security purposes (such as online banking) would be deemed strictly necessary, but not those of third parties;
  • analytics and advertising cookies are not strictly necessary;
  • authentication cookies may be essential, but login or persistent cookies are not;
  • cookies employed for streaming content could be deemed as strictly necessary, but not if they relate to personalisation or monitoring purposes.

In relation to non-essential cookies and similar technologies, in order to ensure compliance with the ICO’s recommendations website providers must:

  • clearly inform users that cookies are being employed, and what they do;
  • identify and clearly explain third party cookies, giving an option to reject these;
  • ensure that no “on” sliders and pre-ticked boxes are permitted;
  • provide users with easy-to-use controls;
  • ensure that no non-essential cookies and technologies are employed on the website landing page;
  • allow access to their websites, even if users don’t consent to the use of non-essential cookies; and
  • avoid using pop-up consent boxes, or “agree” or “accept all” buttons over “reject all”, since the ICO has advised that these are unlikely to constitute valid consent, and sway users to accepting cookies.

Social media plugins

In the days of ever-increasing dependence on social media, especially for brand awareness, the case of Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Case C-40/17), 29 July 2019 is particularly pertinent for website providers. It related to a German online fashion retailer which featured a Facebook “Like” button on its website. This resulted in users’ personal data being shared with Facebook Ireland without them being notified or aware of it, and regardless of whether they were members of Facebook, or had clicked the button.

The EU Court of Justice held that the website provider and third party (in this case Facebook) were joint controllers in relation to the collection, processing and transmission of the personal data collected from users. This meant that both provider and third party had to provide users at the time of collection with information on how their personal data would be processed.

Where processing is based on consent, both website provider and third party must obtain consent prior to the collection of the data. If processing is based on a legitimate interest, that interest must justify the transmission of the personal data. This decision will have a rippling effect, not just on social media plugins but also for embedded content such as maps and videos.

It is hoped that with GDPR now in force for over a year, clarity on this subject will continue to evolve. The ePrivacy Regulation that will replace the ePrivacy Directive is still being discussed and is unlikely to be finalised before 2020.

 

The Author

Sophie Graham, solicitor, Wright, Johnston & Mackenzie LLP
