EU GDPR and Cookies
by Oreste Maspes May 04 2018
What are cookies, and why is it important to consider whether your website is compliant with the new Data Privacy Regulation?
As the EU GDPR deadline gets closer, experts are discussing whether tracking technologies like cookies, pixel tags, web beacons and the like fall under GDPR scrutiny; the outcome has important implications for SMEs as well.
So-called “tracking technologies”, best known in their most popular form as “cookies”, are used to guarantee website functionality and to help marketers optimise the use of digital channels and techniques that track online user behaviour.
Cookies are electronically dropped onto our PCs, laptops, tablets and smartphones the very moment we open a webpage. By analogy, it is as if someone stuck a Post-It on your back every time you entered a shop on the high street, noting on it which products you looked at and for how long.
Without them, however, we would not be able to enjoy all the functionality of the website. To continue the analogy, it is as if you entered a shop and a member of staff told you that, unless you accept those stickers on your back, you will have access to only a limited selection of goods. The issue becomes more serious, however, because you have no idea with whom your information is being shared, perhaps including your credit card details or phone number; thanks to advances in technology, such data can easily be cross-referenced to identify you personally, where you live and where you work.
To compound the problem, in the “brick and mortar” high-street analogy the shop owner (website owner) is often not entirely in control of which stickers (cookies) are stuck on your back (your laptop or smartphone) and by whom (third parties).
As the EU GDPR deadline gets very close, a discussion is taking place about whether tracking technologies like cookies, pixel tags, web beacons and the like fall under GDPR or “cookie law” scrutiny.
Here is what I’ve learned on this matter, summarised in four points, which may help to bring some clarity to the subject.
1) Regulations, Directives
EU GDPR is a “regulation” and PECD (also called the “e-privacy directive” or “cookie law”) is a “directive”.
Regulations supersede directives: they have binding legal force throughout every EU Member State and enter into force on a set date in all the Member States and the UK. Directives, instead, lay down certain results that must be achieved, but each Member State is free to decide how to transpose them into national law.
The GDPR also supersedes the “cookie law”, because the “cookie law” does not provide any definition of consent, while the GDPR defines it very precisely (consent must be unambiguous and a clear affirmative act; silence is not consent).
According to the GDPR, tracking technology that is not strictly necessary for the website’s functionality should therefore be dropped on a user’s device only after explicit consent and not before; at the very least, the user should be immediately informed and enabled to deactivate those cookies that are not instrumental to the website’s functionality. This is not common practice yet, despite the closing GDPR deadline.
Given the complexity of the EU legislative process, it is unlikely that PECD will become PECR (from directive to regulation) in less than a year from GDPR enforcement (25 May 2018).
It is also very possible that PECR will be aligned to the GDPR: clearly there is scope for solutions that allow consent opt-in and consent retrieval on tracking technologies by users across all devices and platforms.
4) Third parties
Domain owners should audit all tracking technologies on their websites, including third-party ones, which expose the site to the risk of passing PII on to unknown parties: this is against the GDPR. It is therefore important to be able to identify and block any cookie or tracking technology that can tag and pass PII further down the line before clear opt-in consent is given.
By the time cookies are dropped on a domain, and even before they are blocked, they have often already released a number of tags; there are several cases where such tags have been piggy-backed by malicious parties to inject malware into IT systems.
New technology is required to process, capture and monitor any currently unknown future addition of tracking technologies to a domain, and to report on their who, what, why and where: this information is necessary to be compliant and to prove to the ICO, in case of a security breach, that a reasonable effort to be compliant is being made.
Finally, over and above the legal risk of GDPR non-compliance, let us not forget that there are also reputational and operational risks in ignoring the presence of third-party tracking technologies: they can lead to the loss or damage of sensitive data and revenue, and expose a company to unfair competition.
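The audit-and-block approach described in this point (classify every cookie, let only strictly necessary tags run before opt-in, and flag anything unreviewed rather than assuming it is harmless) can be sketched as a small consent gate. The following is an added example written for this post, not code from the original or from any consent-management product; the cookie-name patterns, tag names and categories are constructed for illustration, and `document.cookie` / `<script>` injection are replaced by plain callbacks so the logic runs outside a browser.

```javascript
// Added example: a minimal cookie audit plus consent gate. Not from the original post.
// Cookie-name lists below are constructed for the example; a real site would build them
// from its own audit. `_ga`, `_gid` and `_fbp` are well-known analytics/pixel cookie names.

// Cookies the site owner has reviewed and documented as strictly necessary.
const STRICTLY_NECESSARY = [/^sessionid$/, /^csrftoken$/, /^cookie_consent$/];
// Cookies the site owner has reviewed and classified as tracking.
const KNOWN_TRACKERS = [/^_ga/, /^_gid$/, /^_fbp$/];

// Classify one cookie name. Anything not on either reviewed list is 'unknown':
// default-deny, it is treated like a tracker until someone audits it.
function classifyCookie(name) {
  if (STRICTLY_NECESSARY.some((re) => re.test(name))) return 'necessary';
  if (KNOWN_TRACKERS.some((re) => re.test(name))) return 'tracking';
  return 'unknown';
}

// Parse a document.cookie-style string ("a=1; b=2") into an audit report
// grouping cookie names by classification.
function auditCookies(cookieString) {
  const report = { necessary: [], tracking: [], unknown: [] };
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const name = trimmed.split('=')[0].trim();
    report[classifyCookie(name)].push(name);
  }
  return report;
}

// A tag may run without consent only if it is strictly necessary; any other
// category needs an explicit, affirmative grant that names that category.
function tagAllowed(tag, consent) {
  if (tag.category === 'necessary') return true;
  return consent.granted === true && consent.categories.includes(tag.category);
}

// Consent gate: tags registered before consent are queued, not loaded.
// Silence (no grant yet) never releases a queued tag.
class ConsentGate {
  constructor() {
    this.consent = { granted: false, categories: [] };
    this.pending = [];
    this.loaded = [];
  }
  register(tag) {
    if (tagAllowed(tag, this.consent)) this._load(tag);
    else this.pending.push(tag);
  }
  grant(categories) {
    this.consent = { granted: true, categories: [...categories] };
    const stillPending = [];
    for (const tag of this.pending) {
      if (tagAllowed(tag, this.consent)) this._load(tag);
      else stillPending.push(tag);
    }
    this.pending = stillPending;
  }
  _load(tag) {
    tag.load(); // in a browser this would append the third-party <script> element
    this.loaded.push(tag.name);
  }
}

// Walk-through with constructed tags: only the necessary tag runs before opt-in,
// the analytics tag runs once analytics consent is granted, marketing stays queued.
function demo() {
  const gate = new ConsentGate();
  const calls = [];
  const mk = (name, category) => ({ name, category, load: () => calls.push(name) });
  gate.register(mk('csrf-helper', 'necessary'));
  gate.register(mk('analytics', 'analytics'));
  gate.register(mk('ad-pixel', 'marketing'));
  const beforeConsent = [...calls];
  gate.grant(['analytics']);
  return { beforeConsent, afterConsent: [...calls], pending: gate.pending.map((t) => t.name) };
}

module.exports = { classifyCookie, auditCookies, tagAllowed, ConsentGate, demo };
```

The point of the 'unknown' bucket is the monitoring requirement in this section: a cookie that nobody has reviewed yet shows up in the audit report instead of silently passing, so a newly added third-party tag is noticed rather than assumed compliant.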