We have recently had the misfortune of having to advise a number of clients that their websites may not or do not comply with the UK Data Protection Act 2018 (DPA 2018), the EU General Data Protection Regulation (GDPR) or the Privacy and Electronic Communication Regulations (PECR) 2003, as amended 2011 and 2018.

Their websites have been delivered by developers who have in some cases, provided templates for the website’s Privacy Notice/Statement/Policy, set up contact forms and newsletter sign-up forms and informed their clients that the website complies with data protection law specifically, the GDPR. Sadly, when we visit many of the web site projects these developers have delivered to their clients, they fail at the first hurdle, compliance with ‘cookie law’ i.e., PECR.

In the May 2011 amendment to PECR, commonly known as the ‘cookie law’ gave individuals rights to refuse cookies. This change required all websites using cookies to inform visitors to the website that they use cookies, why they use them and for what purpose, and to gain explicit and freely given consent to use them. In doing so, visitors should be given therefore, the ability to refuse cookies to be set on their device. (See ICO guide – Cookies and similar technologies)

When we visit a website, if compliance with PECR is correct, we expect to see a clear statement that cookies are used, the ability to alter the cookie settings to allow functional cookies to run but maybe refuse tracking and analytical cookies, etc. and above all, a clear ‘Accept’ function.

The above image taken from a web developer’s site is an example of a poor and non-compliant cookie notice. There is no ability to change settings, the required information is not provided and the close function on the right is not explicit and freely given consent. On this particular site they use ‘terms and conditions’ as well and within those terms it states, ‘by using our website you agree that we can place cookies on your device’, as in the image below.

This is not ‘explicit and freely given’ consent. The majority of websites (we think that’s in excess of 80%) that we have reviewed recently (February 2019), have not complied with the DPA 2018 and the GDPR’s requirements under Article 13.1, ‘at the time (point) when personal data are obtained’, to provide specified information as defined in GDPR Article 13.1 and 13.2. This is known as the Privacy Notice or Privacy Statement. (See ICO guide – Right to be informed)

This requirement means that next to any contact form, newsletter sign-up form, etc., the website must deliver a brief statement with a link to the organisation’s Privacy Notice. The ICO particularly endorse the use of ‘Just in Time’ notices. (See ICO guide – How should we provide privacy information to individuals?)

We have also seen many contact forms that clearly show a lack of understanding of the correct lawful basis for processing personal data. There are six (6) lawful basis for processing under the GDPR which are: Consent, Contractual Obligation, Legal Obligation, Vital Interest, Public Interest and Legitimate Interest (GDPR Article 6).

As in the example in the above image, the person completing the enquiry form are asked to tick a ‘consent’ box to allow the organisation to process their personal data. Consent to process on an enquiry form is simply not required and the wrong lawful basis for processing data. Consent would only be appropriate where the contact (enquiry) form asks the sender to indicate if they would like to go on a newsletter or mailing list at the same time as submitting an enquiry.

For the above image, there is no need for ‘consent’ to be given. Firstly, the person completing the contact form is ‘soliciting’ a response from the organisation and this is technically a contract, a contract just for the purpose of gaining a response to the enquiry so Contractual Obligation is the correct lawful basis here.

If the organisation wished to use the personal data submitted for anything other than responding to the enquiry, then under Article 13.3 the organisation must go back to the individual and gain consent for the new purpose or claim a different lawful purpose if one that is appropriate exists.

If you are unsure of what compliance with the DPA 2018 or the EU GDPR looks like, then take advice and speak to people like us who have worked with data protection and information security for 25 years, we’re here to help.

Don’t forget, your website is public and visible, and if that is not compliant with the required laws then it is highly likely that you have internal compliance issues with the DPA 2018 and EU GDPR as well. Contact us here to discuss your concerns.