A recent investigation by the Guardian and Radio Sweden has revealed that LloydsPharmacy ("Lloyds") has been using technologies (e.g. pixels) provided by social media platforms to share personal data with those platforms for advertising purposes, without obtaining end-user consent through a cookie banner or consent management platform ("CMP").
A quick crash course/recap of the law (which is colloquially known as the 'cookie law' and is the reason why we see cookie banners) and the technologies that are involved:
- website operators must obtain consent under the Privacy and Electronic Communications Regulations 2003 ("PECR") to "store information, or to gain access to information stored, in the terminal equipment of a subscriber or user" where that storage or access is 'non-essential'.
- it's crucial to understand that the 'cookie law' is technology agnostic; the legislation (as set out above) doesn't mention the word 'cookie' (or any other technology).
- a pixel is a piece of code, containing an external link, that is embedded in a website's HTML code (or an email); when the user visits the website (or opens the email), the user's browser processes the code and follows the external link, and that request is logged by the pixel's server. In addition, other data can be transmitted to the pixel's server, including the user's activities on the website.
- that is why ICO guidance says that "PECR applies to any technology that stores or accesses information on the user’s device. This could include, for example, HTML5 local storage, Local Shared Objects and fingerprinting techniques... [and] technologies like scripts, tracking pixels and plugins".
- accordingly, consent is required for the use of any technology (including pixels) that involves non-essential storage or access of information on a device (especially ones that are used for advertising purposes).
It seems, however, that this nuance may have been overlooked by Lloyds. While Lloyds do implement a CMP (an industry standard one at that), it seems that their CMP was accidentally configured to allow the social media platforms' advertising pixels to operate without consent (Lloyds have since updated their CMP so that the pixel only operates after the user accepts cookies, which is the basis for that conclusion).
While it's unclear whether there will be any repercussions (regulatory action or otherwise) for Lloyds, this case highlights the need for controllers to ensure that their CMP is correctly configured to only enable technologies when appropriate consent has been obtained.
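One practical way to check for the misconfiguration described above is to capture the page's network requests in the browser, note when the CMP records consent, and flag any advertising-pixel request that fired earlier (or carries personal data in its query string). The script below is an added example, not code from the original post or from any CMP vendor; the tracker host names, parameter names and the sample capture are all constructed.

```javascript
// Added example: audit a captured list of network requests and flag any hits to
// advertising-pixel hosts that fired before the CMP recorded consent, plus any
// personal data visible in their query strings. Hosts and parameter names are
// constructed for illustration; adapt them to the pixels on the site being audited.

const TRACKER_HOSTS = ["pixel.example-social.test", "tr.example-ads.test"];
// Query-string keys treated as personal data (assumed names, including search term "q").
const PII_PARAMS = new Set(["email", "first_name", "last_name", "phone", "q"]);
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// requests: [{ time: <ms since page load>, url: <string> }]
// consentGrantedAt: ms since page load when consent was given, or null if never given
function auditPreConsentTracking(requests, consentGrantedAt) {
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (!TRACKER_HOSTS.includes(url.hostname)) continue;
    // A pixel request before consent is a PECR problem regardless of what it carries.
    const beforeConsent = consentGrantedAt === null || req.time < consentGrantedAt;
    const leaked = [];
    for (const [key, value] of url.searchParams) {
      if (PII_PARAMS.has(key) || EMAIL_RE.test(value)) leaked.push(key);
    }
    if (beforeConsent || leaked.length > 0) {
      findings.push({ url: req.url, host: url.hostname, beforeConsent, leaked });
    }
  }
  return findings;
}

// Constructed capture: consent accepted at t=5000 ms; two pixel calls fire before that.
const SAMPLE_REQUESTS = [
  { time: 1200, url: "https://pixel.example-social.test/tr?ev=PageView&q=paracetamol" },
  { time: 1300, url: "https://cdn.example-shop.test/app.js" },
  { time: 4100, url: "https://tr.example-ads.test/collect?email=jane%40example.test&ev=Checkout" },
  { time: 6000, url: "https://pixel.example-social.test/tr?ev=PageView" },
];

function runAudit() {
  return auditPreConsentTracking(SAMPLE_REQUESTS, 5000);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

A correctly configured CMP should produce an empty result for a fresh session in which consent is declined; any finding with `beforeConsent: true` means a pixel is wired outside the consent gate.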
Anecdotally, we're seeing more and more organisations fall foul of this, leading to claims from data subjects that are disproportionately costly to resolve.
If you need an audit of your website or want to check that your CMP is working as it should, get in touch.
Finally, as a parting note, it should not be overlooked that in this case "sensitive" (or special category) data is alleged to have been shared with the social media platforms. Indeed, that's the focus of the Guardian's article. The UK GDPR lays out stringent rules for the processing of such data, and that's a whole other topic for discussion.
"By monitoring network traffic, it was possible to see [search] terms being sent to the social media companies. In the checkout process, both [social media] tracking pixels collected the email address of the user. Lloyds also sent [one social media platform] the user’s first and last name, while it sent [the other platform] their phone number.