(and why your social media targeting may be unlawful)

When a consumer views some clothing on your website, will they see it on their newsfeed next time they log in to their Facebook or Instagram account? If so, do you know whether you are complying with the law when using the cookies and tracking technologies (such as the Facebook pixel) which result in this happening?

Whilst a lot of businesses have carried out intensive data protection compliance programs following the introduction in 2018 of the General Data Protection Regulation (“GDPR”), many fashion retailers still fall short when it comes to compliance with the rules on cookies. A quick check online shows that some of the UK’s largest, such as Sports Direct and Boohoo, are still not complying with the rules.  

For some time, the position as to the use of cookies and various other tracking technologies (referred to generally as “cookies”) was unclear, particularly following the introduction of the GDPR. Retailers have generally taken advantage of this uncertainty, with many using a wide range of cookies on their websites by default, allowing them to gain a greater insight into their customers and target them through digital channels, such as their social media feeds.

However, a few months ago, the Information Commissioner’s Office (the UK’s data protection regulator) issued long-awaited guidance on the use of cookies (“ICO Guidance”). This has helped highlight the steps fashion retailers must take in order to use cookies lawfully. As a result, a great number of retailers will need to update their current approach to comply with the law.

The regulations which govern the use of cookies in the UK (which are based on an EU directive) provide that website operators may only use cookies where:

  1. clear and comprehensive information about the purposes of, or access to, the information in the cookie are provided to the user; and
  2. the consent of the user has been obtained (unless the cookie falls within the “strictly necessary” exemption – as described further below).

ICO Guidance 

The ICO Guidance has now helped to clarify the above requirements. 

The key points are as follows:

  1. Clarification of the “strictly necessary” exemption

User consent is not required for cookies which are “strictly necessary”. The ICO Guidance clarifies that this means that the use of the cookie must be “essential” for the provision of the service which has been requested by the user or to ensure compliance with applicable law. 

The ICO provides examples of the types of cookies which would fall within the meaning of “strictly necessary”. Perhaps not surprisingly, advertising cookies, such as the Facebook pixel, which are commonly used by retailers and allow them to target users online (for example, through their social media accounts) are not considered to be “strictly necessary”. 

Examples of the types of cookies which would benefit from this exemption include those which: 

  • remember the goods in a user’s basket when a user is shopping online; or
  • are required to provide adequate security standards to ensure compliance with the GDPR.

It follows that cookies which are often considered important but are not essential to the provision of the service to the user or for compliance with the law do not come within the strictly necessary exemption. This means that “performance cookies”, such as Google Analytics, which measure the way in which individuals use a website and can help to evaluate the success of promotions and campaigns are not covered by this exemption. 

2. Clear and comprehensive information

The ICO Guidance emphasises the need to provide users with transparent information concerning the use of cookies. The information to be provided must be in accordance with the higher standards of transparency as required by the GDPR. As such, this information must be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

In relation to cookies, this means that online retailers need to review and update their cookie policies to ensure that these are drafted in a sufficiently clear and easily accessible manner for a normal user to be able to understand how cookies are being used on the website. 

3. The standard of consent is high

The ICO confirmed that the standard of consent for using cookies is the same as that set out under the GDPR, even for cookies which do not involve the processing of personal data. Under the GDPR consent must be:

  • fully informed and freely given;
  • express as opposed to implied;
  • specific (that is, not bundled with other matters); and
  • capable of being withdrawn. 

So implied consent can no longer be relied on for cookies. Websites which use non-essential cookies without specifically requiring users to consent to these upon their first access to a site are therefore not compliant. As a result, non-essential cookies need to be switched off until a user has taken an affirmative act to opt-in to the use of these. 

Of the various fashion retailers’ websites that we reviewed at the end of November 2019, a large proportion of these were still relying on implied consent, using language along the lines of: “By continuing to use our website, you consent to us using cookies in accordance with our cookies policy”. This does not constitute a valid consent under the relevant regulations.

Take home points

  • If past history is anything to go on, it would be reasonable to expect the ICO to seek to make examples of businesses which do not comply in the future. Meanwhile it is the case that the ICO is currently receiving a large number of complaints in relation to cookies and it can be expected that this is also resulting in bad publicity for the retailers concerned on social media.
  • Irrespective of the above potential ICO fines and bad publicity, retailers are being trolled by some individuals who are bringing court cases claiming infringement of data protection law and forcing retailers to settle out of court by paying them off.  

Register for updates



Portfolio Close
Portfolio list
Title CV Email

Remove All