Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

UK: Google’s U-Turn on Device Fingerprinting: ICO’s Response and Subsequent Guidance
https://privacymatters.dlapiper.com/2025/01/googles-u-turn-on-device-fingerprinting-icos-response-and-subsequent-guidance/ (Thu, 30 Jan 2025)

In December, the Information Commissioner’s Office (ICO) responded to Google’s decision to lift its prohibition on device fingerprinting (the collection and combination of information about a device’s software and hardware in order to identify that device) for organisations using its advertising products, effective from 16 February 2025 (see an overview of Google’s new Ads Platforms policies here). This follows Google’s earlier decision, in July 2024, to retain third-party cookies.

In its response, the ICO criticised Google’s decision to permit device fingerprinting for advertising purposes as “irresponsible” and emphasised that device fingerprinting:

  1. Requires consent: device fingerprinting enables devices to be identified even where cookies are blocked or the location is disguised, hence its common use for fraud prevention purposes, but the ICO reinforced that it remains subject to the usual consent requirements.
  2. Reduces user control: despite various browsers now offering “enhanced” tracking protection, the ICO stated that device fingerprinting is not a fair means of tracking users online, as it diminishes people’s choice and control over how their information is collected.

This statement echoes concerns previously voiced by Google itself, which had stated that device fingerprinting “subverts user choice and is wrong”.

With the potential for fingerprinting to replace the long-debated third-party (3P) cookie functionality, this statement forms part of a shift in regulatory focus towards technologies beyond cookies. Various technologies have recently received greater scrutiny, both in the ICO’s Draft Guidance on the use of storage and access technologies (“ICO’s Draft Guidance”) – interestingly issued in December 2024 to coincide with the Google update – and in the European Data Protection Board (EDPB) Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive.

ICO Draft Guidance: Key Takeaways

The ICO’s Draft Guidance explores the practical application of the Privacy and Electronic Communications Regulations (PECR) requirement that consent must be obtained from the user for any storage of information on, or access to information from, a device (‘terminal equipment’), unless such storage or access is strictly necessary for the purposes of a communication or to provide a service requested by the user.

In particular, the Draft Guidance addresses the following areas, each of which is explored further in its respective section below:

Technologies

The ICO’s Draft Guidance looks at how and why the rules relating to the storage and access of device information apply to various types of technologies used in web browsers, mobile apps or connected devices, namely: cookies; tracking pixels; link decoration and navigational tracking; web storage; scripts and tags; and fingerprinting techniques. The technologies focused on by the ICO overlap to a large extent with the examples used by the EDPB in its guidelines. However, taking the analysis of pixels as an example, the EDPB suggests that any distribution of tracking links/pixels to the user’s device (whether via websites, emails or text messaging systems) is subject to Article 5(3) of the ePrivacy Directive, as it constitutes ‘storage’ even if only temporarily via client-side caching. The ICO’s guidance is less clear, suggesting that tracking pixels are only subject to Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) when they store information on the user’s device. This may imply a less expansive view than the EDPB’s, highlighting the importance of remaining alive to jurisdictional nuances in any global tracking campaign.

Detailed Consent Requirements

The ICO reiterates that for a PECR consent to be valid, it must meet UK GDPR standards (a freely given, specific, informed and unambiguous indication of the individual’s wishes, given by a clear affirmative action).

The ICO highlights that, where personal data is processed, consent must be provided by the data subject (this contrasts with the PECR user/subscriber consent requirement). This tension is an existing issue, but quite how the party collecting cookie consent for personal data processed via cookies (or a similar technology) is supposed to know whether the user of a device has changed, without either requiring re-consent or user identification on each visit (or carrying out background identification using fingerprinting or similar, which means more data processing and may be intrusive), remains unclear.

In line with recent ICO statements regarding the lack of ‘reject all’ options, the ICO emphasises that subscribers/users must be able to refuse the use of storage and access technologies as easily as they can consent to it. Additional points of interest for controllers include:

• Users must have control over any use of non-essential storage and access technologies. While this could, on a conservative reading, be interpreted as requiring US-style granular per-cookie consent, the examples provided suggest that high-level consent mechanisms expressed per category (e.g., analytics, social media tracking, marketing) are still acceptable;
• Clarification that you must specifically name any third parties whose technologies you are requesting consent for (this information can be provided in a layered fashion, provided this is very clear). However, if controls are not required at an individual cookie level, which seems to be the case, then this becomes less meaningful for data subjects, who cannot act on this additional information as they only have the choice of rejecting all storage and access technologies for each purpose category (e.g. all analytics cookies/technologies) rather than those of a particular third party; and
• Clarification that users must be provided with controls over any use of storage and access technologies for non-essential purposes (albeit this was arguably already required in order to facilitate withdrawal of consent or changing of preferences on an ongoing basis).

Exemptions to consent: Strictly Necessary

Leaving aside technologies necessary for communications, the ICO emphasises that the “strictly necessary” exemption applies when the purpose of the storage or access is essential to provide the service the subscriber or user requests. Helpfully, the ICO Draft Guidance clarifies that technologies used to comply with applicable law (e.g. meeting security requirements) can be regarded as “strictly necessary”, such that no consent is required. This will not apply if there are other ways in which you can comply with that legislation without using cookies or similar technologies.

Other examples of activities likely to meet the exemption include: (i) ensuring the security of terminal equipment; (ii) preventing or detecting fraud; (iii) preventing or detecting technical faults; (iv) authenticating the subscriber or user; and (v) recording information or selections made on an online service.

One area of ambiguity remains in relation to fraud prevention and detection. In the financial services sector, websites/apps often use third-party fingerprinting for fraud detection (in order to meet legal obligations to ensure the security of their services). ‘Preventing or detecting fraud’ is listed as an example of an activity likely to meet the exemption, whilst third-party fingerprinting for fraud prevention is used by the ICO as an example of an activity subject to Regulation 6 PECR, with the implication that consent is needed (albeit this is not stated). However, the DUA Bill (if passed in its current form) provides some helpful clarity here, as it states that the use of such technologies should be regarded as “strictly necessary” where used to protect information, for security purposes, to prevent or detect fraud or technical faults, to facilitate automatic authentication, or to maintain a record of selections made by the user.

Interestingly, the guidance suggests that the use of social media plugins/tools by logged-in users might be strictly necessary, though this does not extend to logged-out users, users who are not members of that network, or any associated tracking.

Governance and compliance

A number of the ICO’s clarifications are likely to impact day-to-day resourcing and operations for any organisation using material numbers of storage and access technologies:

• Governance: the ICO sets out what it expects in respect of the governance of storage and access requirements, including an audit checklist, and emphasises the need to regularly audit the use of such technologies and to ensure that the rest of the consent ecosystem (including transparency, consent, data sharing and subsequent processing) is consistent and up to date. This is likely to be resource intensive, and few organisations will be set up for this level of assurance.
• Transparency: the ICO guidance reinforces the need for transparency around whether any third parties will store/access information on the user’s device or receive this information, making clear that all third parties providing cookies or receiving data must be named (avoiding ambiguous references to “partners” or “third parties”), and that specific information must be provided about each, taking into account UK GDPR considerations where personal data is processed. This will be a considerable challenge for complex ecosystems, most notably in the context of online advertising (albeit this has been a known challenge for some time).
• Consent Ecosystem: the guidance makes very clear that a process must be in place for passing on the fact that a user has withdrawn their consent. In practice, the entity collecting the consent is responsible for informing third parties when consent is no longer valid. This is crucial but challenging to comply with, and is again perhaps most relevant in the context of online advertising.
• Subsequent Processing: as it has done in the past, the ICO continues to strongly suggest that any subsequent processing of personal data obtained via storage/access technologies on the basis of consent should also be based on consent, going as far as to suggest that reliance on an alternative lawful basis (e.g. legitimate interests) may invalidate any initial consent received.

Conclusion

As device fingerprinting and other technologies evolve, it is crucial for organisations to stay informed, ensure compliance with the latest guidance, and bear in mind that EU and UK regulation may differ in their nuances.

The ICO’s Draft Guidance provides helpful clarity on existing rules in the UK, including detailed examples of how to conduct cookie audits, but does not otherwise provide practical guidance on how to overcome many of the operational privacy challenges faced by controllers (such as monitoring changing users and managing consent withdrawals within online advertising ecosystems).

With increasing regulatory commentary and action in this space, including the ICO’s most recent announcement regarding its focus on reviewing cookie usage on the biggest UK sites, now is the time to take stock of your tracking technologies and ensure compliance!

The ICO’s Draft Guidance is currently open for consultation, with input sought by 5pm on Friday 14th March 2025. If you have any questions or would like to know more, please get in touch with your usual DLA contact.

UK: Data protection authority issues reprimand to gambling operator for unlawfully processing personal data
https://privacymatters.dlapiper.com/2024/09/uk-data-protection-authority-issues-reprimand-to-gambling-operator-for-unlawfully-processing-personal-data/ (Wed, 25 Sep 2024)

On 16 September 2024, the UK’s data protection authority, the Information Commissioner’s Office (ICO), issued a reprimand against Sky Betting and Gaming (SkyBet) for unlawfully processing people’s data through advertising cookies without their consent.

Between 10 January and 3 March 2023, SkyBet’s website dropped third-party AdTech cookies onto visitors’ browsers before visitors could accept or reject them via a cookie banner. As a result, visitors’ personal data (e.g., device information and unique identifiers) was shared automatically with third-party AdTech companies without visitors’ consent or any other lawful basis. The cookies were deployed to allow advertising to be placed on other websites viewed by the visitor.

Whilst the ICO found no evidence of deliberate misuse of personal data to target vulnerable gamblers, it reprimanded SkyBet because it had processed personal data in a way that was not lawful, transparent or fair.

This reprimand forms part of the ICO’s wider strategy to ensure that individuals’ rights and freedoms are respected. The ICO has recently reviewed the UK’s 100 most-visited websites and contacted more than half of them to warn of enforcement action. Many are reported to have implemented improvements, such as displaying a “reject all” button or presenting “accept all” and “reject all” options on an equal footing.

The ICO intends to assess the next 100 most-frequented websites and urges all organisations to assess their cookie banners to ensure that consent can be freely given. The ICO also intends to publish guidance on cookies and tracking technology before the end of the year.

DLA Piper advises all businesses on cookie compliance and is currently engaged by several businesses operating in the AdTech ecosystem on assessing risk exposure and responding to ICO engagement. Should you wish to discuss this further, please reach out to your regular DLA Piper contact, or to the authors of this blog.

EU: New EDPB guidelines on the scope of the ‘cookie rule’
https://privacymatters.dlapiper.com/2023/11/eu-new-edpb-guidelines-on-the-scope-of-the-cookie-rule/ (Wed, 22 Nov 2023)

The European Data Protection Board has published new guidelines (14 November 2023) on the scope of Article 5(3) of the e-Privacy Directive – i.e., the so-called ‘cookie rule’.

These guidelines apply a maximalist interpretation to the cookie rule, meaning that a wide variety of technologies other than traditional cookies are, in the opinion of the EDPB, caught by the rule. Where a technology is caught, then, depending on the purpose for which the technology is used, its use will be conditional upon obtaining consent.

The guidelines are open for public consultation until 28 December 2023.

Background

By way of reminder, Article 5(3) of the e-Privacy Directive creates a requirement to obtain prior consent where a company stores information, or gains access to information already stored, in the terminal equipment of a subscriber or user of an electronic communications network, and that storing of or access to information is not strictly necessary to deliver the service requested by the subscriber or user. As such, the Directive seeks to protect what it regards as the ‘private sphere’ of the user’s terminal equipment from unwanted intrusion.

Historically it has been well understood that traditional internet cookies trigger this rule. They function by creating a file on the user’s computer which stores information. Later, if the user returns to the website, the information in the file stored on the user’s computer is accessed (e.g., to verify someone’s language preference).

However, the extent to which newer methods of tracking a user’s digital footprint – such as pixels, URL tracking and JavaScript code – also trigger this rule has, to date, been much less clear.

How does the EDPB interpret the ‘cookie rule’?

In a word: broadly. For each part of the relevant test under the cookie rule – the nature of the information; what constitutes terminal equipment; and what it means to gain access to or store such information – the EDPB applies a wide reading. For example:

• It does not matter how long information is stored on terminal equipment – the ephemeral storage of any information (for example, in RAM or CPU cache) is sufficient.
• The nature and volume of information stored or accessed is also irrelevant. Note that it is also irrelevant whether the information is personal data (albeit this much was already well understood prior to the guidelines).
• Perhaps most controversially, the EDPB also suggests that it may not matter who gives the instruction to transmit information to the accessing entity – the proactive sending of information by the terminal equipment might also be caught.

Which technologies are caught?

The upshot of this interpretation is that the EDPB considers that, in most cases, the use of the following technologies will trigger the cookie rule:

• URL and pixel tracking: for example, tracking pixels used to ascertain whether an email has been opened, or tracking links used by websites to identify the origin of traffic to the website, such as for marketing attribution.
• Local processing: for example, using an API on a website to remotely access locally generated information.
• Tracking based on IP only: for example, the transmission of a static outbound IPv4 address originating from a user’s router, used to track a user across multiple domains for online advertising purposes.
• Internet of Things (IoT) reporting: for example, smart household devices transmitting information to a remote server controlled by the manufacturer, whether directly or via intermediary equipment (such as a mobile phone).

What are the practical implications?

If a technology is caught by the cookie rule, then the company deploying that technology must obtain prior, opt-in consent before accessing or storing the information, unless the company can demonstrate that the storage of, or access to, the information is strictly necessary for the purpose of delivering the digital service.

It is probably fair to say that this does not consistently happen in practice today. The practicalities of obtaining consent may also be challenging, depending on the context in which the technology is used. From the user’s perspective, questions of ‘consent fatigue’, in a world in which users are already bombarded with cookie consent pop-ups, also arise.

Responses to the EDPB’s consultation on the draft guidelines will make for interesting reading. Even when finalised, the guidelines will represent the EU data protection authorities’ interpretation of the law and are not directly binding law in their own right. Certainly, many of these points would form the basis for an interesting legal challenge before the European courts. In the meantime, however, businesses operating in the EU are advised to start preparing for a world where the scope of the cookie rule, as applied by the regulator, is much broader than they may previously have realised.

FRANCE: Cookies – new record sanctions for tech giants – CNIL fines Facebook Ireland 60 million euros and Google 150 million euros
https://privacymatters.dlapiper.com/2022/01/france-cookies-new-record-sanctions-for-tech-giants-cnil-fines-facebook-ireland-60-million-euros-and-google-150-million-euros/ (Sat, 08 Jan 2022)

On 31 December 2021, the restricted committee of the French Data Protection Supervisory Authority (“CNIL”) (i) fined Facebook Ireland 60 million euros and Google a total of 150 million euros (i.e., 90 million euros for Google LLC and 60 million euros for Google Ireland Limited) for failing to allow the users of facebook.com, google.fr and youtube.com to reject cookies as easily as they may accept them, and (ii) issued an injunction to remedy such infringement within 3 months, under penalty of 100,000 euros per day of delay.

Beyond the very substantial amount of the fines, and in a context where the CNIL has issued several formal notices for non-compliance with cookie regulations since the end of March 2021, these decisions provide an opportunity to analyse the CNIL’s expectations and the sanctions that companies targeting French users through their websites may anticipate.

1. Context of the infringements sanctioned

The CNIL’s decisions followed:

• several complaints lodged with the CNIL between October 2020 and July 2021 regarding the practices of Facebook Ireland, Google LLC and Google Ireland Limited (“the Companies”) with respect to their use of cookies, namely four complaints against Facebook and two against Google; and
• online investigations conducted by the CNIL on the Companies’ websites, which revealed that they were failing to comply with the requirements governing cookies under Article 82 of the French Data Protection Act.

Article 82 of the French Data Protection Act and the CNIL guidelines dated 17 September 2020 require that a website’s cookie banner offers users the option to reject cookies as easily as they may accept them. However, although the Companies’ banners displayed a button allowing users to immediately accept cookies, they did not offer an equivalent solution (button or otherwise) enabling the user to reject the deposit of cookies as easily. Several clicks were necessary to reject all cookies (3 for Facebook and 5 for Google), whereas only one click was necessary to accept them all.

The restricted committee, which is the body responsible for issuing sanctions within the CNIL, ruled that such a method affected the users’ freedom of consent and therefore constituted an infringement of Article 82 of the French Data Protection Act, as the several steps required to refuse cookies were a way of discouraging users from rejecting them while favouring an opt-in that is easier to choose.

The restricted committee does not challenge the fact that the Companies offer a choice to accept or refuse cookies, but rather the practical implementation of the refusal mechanism, which is either complex (for Google, where the user has to click on a “personalize” button and go through a detailed page presenting cookies in order to make their choice) or unclear (notably for Facebook, where the “cookies set up page” led to an acceptance button which was confusing as to the nature of the cookies accepted). The restricted committee reminds operators that, next to an “Accept all” button, a “Refuse all” button must be implemented.

2. Justification of the level of sanctions

Based on the above infringement, the restricted committee issued:

• two fines against Google for a total amount of 150 million euros (i.e., 90 million euros for Google LLC and 60 million euros for Google Ireland Limited); and
• one fine against Facebook Ireland of 60 million euros.

Such fines are based on the following considerations:

• the scope of the processing;
• the high number of data subjects;
• the substantial profits generated by the Companies from advertising, using the data collected through cookies placed on the basis of a biased consent, whereas other companies which have duly offered users the opportunity to reject all cookies as easily as accepting them have seen a decrease in the number of consents and thus in their advertising revenues;
• the fact that the Companies had already been made aware by the CNIL of their lack of compliance with Article 82 of the French Data Protection Act; and
• the CNIL’s continuous communication on the necessity of ensuring that the refusal of cookies is as easy as their acceptance.

It is interesting to note that while the fine issued against Facebook was applied to Facebook Ireland Limited, considered to be the sole data controller (Facebook France being the “establishment” of the Facebook group in France), the fine against Google was applied to both Google LLC, based in California, and Google Ireland Limited, considered to be joint controllers.

In addition, the CNIL issued an injunction requiring each Company to remedy its practices in order to guarantee the users’ freedom of consent within three months of notification of the CNIL’s decision, subject to a penalty of 100,000 EUR per day of delay.

These sanctions fall within the overall cookie compliance strategy that the CNIL started about 2 years ago. Since 31 March 2021, the CNIL has issued almost 100 formal notices relating to cookie infringements by French and foreign websites (including orders to comply with the cookie regulations and sanctions).

3. CNIL remains competent even if a Lead Authority has been appointed

The Companies attempted to challenge the CNIL’s competence on the basis that they had appointed a Lead Authority, namely the Irish Data Protection Commissioner.

The restricted committee’s decision is grounded on the following considerations:

a. Material competence

The CNIL remains materially competent to investigate and sanction operations relating to cookies deposited by a company on the terminals of Internet users located in France. The CNIL used the same rationale as in previous decisions regarding the use of cookies (notably the sanction pronounced on 7 December 2020 against Google) to reject Google’s defence that the French data protection authority was not competent to review cookie policies.

The CNIL held that the “one-stop shop” mechanism set forth in the GDPR does not apply, to the extent that its action related to Article 82 of the French Data Protection Act, which transposes the provisions of the “e-Privacy” Directive into French law.

According to the restricted committee:

• a distinction has to be made between, on the one hand, the operations consisting of depositing and reading cookies in a user’s terminal and, on the other hand, the subsequent use made of the data generated by these cookies, for example for profiling purposes, referred to as “subsequent processing” (also known as “post processing”); and
• each of these two successive stages is subject to a different legal regime: while read and/or write operations are governed by special rules set out in Article 5(3) of the ePrivacy Directive, and thus fall within the CNIL’s competence, further processing is subject to the GDPR and, as such, may be subject to the “one-stop shop” mechanism where it relates to cross-border data processing activities.

Therefore, as the present procedure related only to the reading and/or writing operations in the terminals of users located in France, the CNIL’s competence is confirmed.

b. Territorial competence

The CNIL also remains territorially competent pursuant to Article 3 of the French Data Protection Act, since the use of cookies is carried out within the “framework of the activities” of the French local companies (Facebook France and Google France), which constitute the respective “establishments” of the Companies on French territory.

Each Company has the opportunity to lodge an appeal against the CNIL’s decisions before the Council of State, the highest French administrative court.

Google already appealed the CNIL’s previous decision on cookies dated December 2020, but that appeal was rejected by the Council of State in March 2021.

For any question related to this decision, please contact Denise Lebeau-Marianna, Partner, or Yaël Hirsch, Senior Associate – Data Protection – IPT Department, DLA Piper France LLP.

Authors: Denise Lebeau-Marianna, Yaël Hirsch, Paul Sierzputowski