With GDPR just around the corner one area which you may have yet to consider is your current practices around the use of website cookies.
The majority of websites use cookies to track consumer movements on their website.
They can have a number of functions ranging from remembering arbitrary pieces of information previously input by the user such as names, addresses and passwords, to tracking cookies.
Tracking cookies are used by advertising networks to collect information about websites visited by users in order to better target advertising.
These website cookies pose a greater cause for concern due to the additional processing requirements involved.
Website cookies are only referred to once within the GDPR under Recital 30 which states:
“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
So what this essentially means is that if you use cookies to uniquely identify a device or persons using said device, this is now considered personal data under GDPR.
Of course not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
As previously mentioned cookies are only referred to once in the EU General Data Protection Regulation and the way in which consent to drop cookies is to be obtained has yet to be prescribed.
But, if you wish to use cookies to track users’ browsing activity we strongly recommend your practices comply with GDPR as the repercussions for non-compliance are significant.
So where does this leave us? Well firstly let’s look at what we do know about GDPR.
Consent is key!
According to current guidelines;
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
From this we can assume that consent must be obtained explicitly. This can be done through either the use of an opt-in box which the user can ‘tick’ to demonstrate their acceptance of website cookies or through editing their setting preferences. We don’t believe that the standard wording of “by using our site you will be agreeing to our use of cookies” will go far enough because it is implicit (and not explicit).
But Soft Opt-Ins may be sufficient…
Soft Opt-Ins will be considered to be sufficient so long as it is explicit within the website cookie descriptions. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action. Note, however, that if you reject the use of cookies you will still be able to visit our websites but some of the functions may not work correctly. Despite this being a potentially valid option we would be hesitant to recommend it as it leaves you open to doubt, it is better practice to avoid this.
Not all cookies require consent to be used. Some cookies are essential to delivering the service requested by the user. For example, cookies used to store items in a shopping cart on an online website.
Another factor to take into consideration is that of Granularity particularly if your site sets cookies for different purposes. In this instance you will need to obtain consent for each separate purpose. This of course might be a challenge considering that the process should not be too disruptive to the overall user experience. This is where Article 7(3) may provide a solution. It states;
“The data subject shall have the right to withdraw his or her consent at any time. …. It shall be as easy to withdraw as to give consent.”
Taken together, it would seem reasonable that consent will be valid, and avoid being unnecessarily disruptive, if the user can be presented with an initial notice and simple choice, yet will always be able to modify their choice in a more granular way, based on the different types of cookie processing taking place, if they so choose.
Keep‘em Informed
Data subjects must understand what it is that they are agreeing to so leave your jargon at the door. Be clear and specific about what it is that cookies are used for on your site and you should be in the clear when it comes to auditing.
The Irish has stated that they would be satisfied with the following means of communication;
“A prominent notice on the homepage informing users about the website’s use of cookies with a link through to a Cookie Statement containing enough information to allow users to make an informed decision regarding consent. As best practice, a positive action may be deployed to dismiss the notification.”
I’m a data subject get me out of here!
One final thing to consider is that of withdrawing consent. Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” Controllers must inform data subjects of the right to withdraw before consent is givenOnce consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.
Going Forward…’
Going forward it seems that consent to the use of cookies will become a clearer and more granular choice for visitors. This is likely to make things a little more complex for site owners, particularly if you have been somewhat lax on this front up until now! However it could also help toward providing a better user experience, by offering your customer more control over how data concerning them will be processed. It will become a lot less like interrupting the user journey, and a lot more like offering a range of visitor choices through readily accessible control interfaces.
If you require any further assistance regarding GDPR compliance or how data can be used to improve your customers’ experience, feel free to contact us today through the contact form below or on +353 1 804 1298.
