Most websites use cookies (named after fortune cookies) to gather information about website users. Cookies can be helpful to users (remembering things like login details) as well as to website operators (analysing things like website traffic and user behaviour).
What's the problem?
Data protection law requires users to give opt-in consent to most cookies, including analytics and advertising cookies. If a user doesn't give consent, the website isn't allowed to use cookies unless they're strictly necessary in order to provide the service (e.g. essential security cookies for online banking).
Although most websites have a cookie banner that appears when a user first visits, the majority fail to obtain the level of specific opt-in consent required by data protection law. There are two principal reasons for this. Firstly, obtaining specific consent to every cookie (including third-party cookies) is cumbersome and could be off-putting to many users. Secondly, website operators know that many users would not give consent to non-essential cookies, if prompted to choose.
What's this got to do with charities?
In September last year an organisation called ProPrivacy published its research Exposing the hidden data ecosystem of the UK's most trusted charities. The findings highlighted concerns that: "global for-profit advertising companies could be profiling users of charity websites, often visiting pages related to highly sensitive topics such as mental health, sexual violence, and disability." ProPrivacy claimed that 92% of the top 100 charities do not fully comply with data protection laws when using cookies and called out several large charities by name.
In November, ProPrivacy published an open letter calling for charities to remove advertising cookies from sensitive web pages. The letter was also sent directly to a number of UK charities. ProPrivacy said it would contact the Information Commissioner's Office (ICO) and the Charity Commission if the sector did not respond.
More recently, another privacy group Noyb sent over 500 draft complaints to organisations whose cookie consent processes are allegedly not compliant with data protection law. Noyb says it has developed a system that automatically discovers violations and generates GDPR complaints.
What's the risk?
Many charity websites collect sensitive user information such as data about mental ill health, addiction or domestic abuse. Using cookies to share this information with third-parties for advertising purposes can generate revenue for a charity, but without users' clear knowledge and consent it also carries a risk of complaints, regulatory action and even litigation.
In January this year, the ICO resumed its investigation into the 'AdTech' industry. Although that investigation is set to focus on data management platforms, it is possible that groups like ProPrivacy publicising the higher-risk aspects of unlawful cookie use could push the regulator to take action against website operators. Their campaigning could also lead to complaints from individuals who believe their data has been used unlawfully.
Against this backdrop, although the problem continues to be widespread it would be risky for charities to take the view that non-compliance with cookie consent laws is ok.
Charities should review their cookie compliance, particularly where cookies are used on web pages that gather sensitive information. The benefits to the charity in using cookies on these pages must be weighed up against the possible reputational risks and the ethical issue of exposing sensitive beneficiary data in this way.
This is a decision that needs to be taken in the context of each charity, and trustees should make a record of why they believe their decision is in the best interests of the charity overall.
The future of cookies
The rules around cookie consent are a hotly contested topic, and there have been recent reports about a possible relaxation of these rules as part of a more 'light touch' approach by the new Information Commissioner. There are no concrete changes confirmed at this stage, but we will keep our newsletter subscribers updated.
Contact our specialist charity data protection lawyers if your charity needs help with cookies.