Content Hub

Content Hub

EU GDPR and Cookies

Oreste Maspes

What are cookies and why it is important to consider if your website is compliant to the new Data Privacy Regulation?

As the EU GDPR deadline is getting closer, a discussion about if tracking technologies like cookies, pixel tags, web beacons and the likes fall under GDPR scrutiny is taking place among experts and have important implication also for SMEs.

It is worth a try to demystify this issue as it may also have an impact on SMEs and how to consider their websites and new privacy policy with GDPR.

So called tracking technologies in the most popular form is known as cookies are used to guarantee websites functionality and help marketeers to optimise the use of digital channels and techniques to track online user behaviour

Cookies are electronically dropped onto our PCs, laptops, tablets and smartphones the very moment we open a webpage. To make an analogy, it is like if someone stuck a Post-It on your back every time you enter a shop in the high street writing on it information like what products you looked at and for how long.

A fair number of those stickers  are in our machine even before we notice the presence of the so called cookie banner typically a small script appearing at the top or bottom of the screen with which companies – in order to comply with PECD (EU’s Privacy and E-communications Directive dating from 2002) also called  Cookie law. The cookie banner is part of a company privacy policy to inform us that if we do not want to share how we use and visit that website we have the possibility to deactivate all those cookies unselectively using our browser (i.e. Explorer for PCs and Safari for Mac).

In doing so, however, we would not be able to enjoy all the functionality of the website. To continue with the analogy is like if you entered a shop and a member of the staff told you that if you do not want those stickers on your back you will have access to a limited selection of goods. The issue may become more serious however, as you have no idea with whom your information is being shared with, including perhaps your credit card details or phone number that, thanks to advancement in technology such data can also be easily cross referenced to identify you personally, where you live and where you work.

To use the previous analogy of a brick and mortar  high street shop, to compound the problem, the shop owner (website owner) is often not entirely in control of what stickers (cookies) and by whom (third parties) are stuck on your back (your laptop or smartphone).

As the EU GDPR deadline is getting very close, a discussion about if tracking technologies like cookies, pixel tags, web beacons and the likes  fall under GDPR or Cookie law scrutiny is taking place.

Here is what I’ve learned on this matter summarized in four points, which may help to bring some clarity to the subject.

1) Regulations, Directives

EU GDPR is a regulation” and PECD (also called e-privacy directive or cookie law) is a directive.

Regulations supersede directives with binding legal force throughout every EU Member State and enter into force on a set date in all the Member States and the UK. Directives, instead, lay down certain results that must be achieved but each Member State is free to decide how to transpose directives into national laws.

2) Consent

The GDPR also supersedes the cookie law as the cookie law does not provide any definition of consent while GDPR does it very precisely (consent must be unambiguous, a clear affirmative act, silence is not consent)

Current cookie banners on website are constructs stemming from the older cookie law interpretation and are a form of implied consent, therefore they are not GDPR compliant. This is because cookies are already “dropped on user devices despite lack of opt-in consent option and Personal Information is captured immediately. Company domains should make provision for new cookie banners containing GDPR relevant information about tracking technologies (who, what, why) and where PII (Personal Identifiable Information) could end up to, allowing to block the ones without consent. Any cookies that are not strictly necessary for website functionality (in this case they may fall into GDPR legitimate interest) requires consent and therefore such consent should be recorded. There are practical technical solutions to meet those requirements, please feel free to contact me at this regard.

According to GDPR, tracking technology that is not strictly necessary for the website functionality, should therefore be dropped on a user device after explicit consent and not before or at least the user should be immediately informed and enabled to deactivate  to deactivate at least cookies that are not instrumental for the website functionality.  This is not common practice yet, despite the closing GDPR deadline.

3) Time

Given the complexity of the EU legislative process, It is unlikely that PECD will become PECR (from directive to regulation) in less than a year from GDPR enforcement (25 May 2018).

It is also highly possible that PECR will be aligned to GDPR: clearly there is scope for solutions allowing consent opt-in and consent retrieval on tracking technologies by users across all devices platforms.

4) Third parties

Domain owners should audit all tracking technologies on their websites, including third parties ones that expose to the risk of further passing PII over to unknown parties: this is against GDPR regulation. It is therefore important to be able to identify and block any cookie/ tracking technology that can tag and pass PIIs further down the line before clear opt-in consent is given

By the time cookies are being dropped on a domain and even before they are blocked, they often have already released a number of tags; there are several cases where such tags are being piggy-backed by malicious parties to inject malware into IT systems!

New technology is required to process, capture and monitor also any currently unknown future addition of tracking technologies to a domain and to inform about their who, what, why and where: this information is necessary to be compliant and to proof ICO that reasonable effort to be compliant is being made in case of security breaches.

Finally over and above GDPR compliance legal risk, let us not forget that there are also reputation and operational risks related to ignoring the presence of third parties tracking technologies that can bring to loss or damage of sensitive data, revenue, and expose a company to unfair competition!