Part 2: Is the specific information in the consent request in ICO’s cookie banner linked properly?
The specific information in a consent request to end-users must be linked in such a way as to enable end-users to use that information to assess:
... which specific personal data A ... of end-user B ... is processed by a specific processing activity C ... carried out by a specific processing method D ... to achieve a specific purpose E ... that has a specific legal basis F.
Why link the specific information in a consent request?
Linking the specific information in a consent request would enable end-users to clearly comprehend, without any ambiguity, interpretation and guesswork what the consequences are of any consent end-users might give to the site/app owner.
In this regard, one should take note of what the General Advocate in the Planet 49 case says:
- Given the conceptual proximity of an internet user (and provider) to that of a consumer (and trader), one can resort at this stage to the concept of the average European consumer who is reasonably well informed and reasonably observant and circumspect and who is able to take the decision to make an informed commitment.
- However, due to the technical complexity of cookies, the asymmetrical information between provider and user and, more generally, the relative lack of knowledge of any average internet user, the average internet user cannot be expected to have a high level of knowledge of the operation of cookies.
- Thus, clear and comprehensive information implies that a user is in a position to be able to easily determine the consequences of any consent he might give. To that end he must be able to assess the effects of his actions. The information given must be clearly comprehensible and not be subject to ambiguity or interpretation. It must be sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to.
- This includes both the duration of the operation of the cookies and the question of whether third parties are given access to the cookies.
The wording of the specific information in ICO’ s consent request could e.g. be:
The IP address, browser string and website usage of end-users are collected and transmitted by a cookie identifier that is stored in end-users’ browsers to measure (track, analyse and report) how end-users interact with this website. The data recipient of the website analytics is: ICO in the UK. Contact details and Privacy Policy are viewable here. The data recipient of the IP address, browser string and website usage is: Google in the USA. Contact details and Privacy Policy are viewable here. Legal basis for purpose is: consent. Withdraw consent at any time in Privacy Settings Dashboard. The legal basis for transfer of the IP address, browser string and website usage to Google outside the EU is: The EU-US Privacy Shield. Google´s certificate are accessible here. The cookie expires: ? The Google analytics data are stored for: ? months.