With GDPR just around the corner, one area you may have yet to consider is your current practice around the use of website cookies.
Cookies serve a number of functions, ranging from remembering information previously entered by the user, such as names, addresses and passwords, to tracking.
Tracking cookies are used by advertising networks to collect information about the websites a user visits in order to better target advertising.
These tracking cookies are the greater cause for concern because of the additional processing of personal data involved.
Website cookies are only referred to once within the GDPR under Recital 30 which states:
“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Of course not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.
As previously mentioned, cookies are only referred to once in the EU General Data Protection Regulation, and the way in which consent to drop cookies is to be obtained has yet to be prescribed.
So where does this leave us? Well, firstly let’s look at what we do know about GDPR.
Consent is key!
According to current guidelines:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
But Soft Opt-Ins may be sufficient…
Not all cookies require consent to be used. Some cookies are essential to delivering the service the user has requested, for example cookies used to store the items in a shopping cart on a website.
Another factor to take into consideration is granularity, particularly if your site sets cookies for different purposes. In that case you will need to obtain consent for each separate purpose. This can be a challenge, given that the process should not be too disruptive to the overall user experience. This is where Article 7(3) may provide a solution. It states:
“The data subject shall have the right to withdraw his or her consent at any time. …. It shall be as easy to withdraw as to give consent.”
Taken together, it seems reasonable that consent will be valid, and not unnecessarily disruptive, if the user is presented with an initial notice and a simple choice, yet is always able to modify that choice in a more granular way, based on the different types of cookie processing taking place, should they wish to.
Data subjects must understand what they are agreeing to, so leave your jargon at the door. Be clear and specific about what cookies are used for on your site and you should be in the clear when it comes to auditing.
The Irish has stated that they would be satisfied with the following means of communication;
I’m a data subject get me out of here!
One final thing to consider is the withdrawal of consent. Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time, and “it shall be as easy to withdraw consent as to give it.” Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.
If you require any further assistance regarding GDPR compliance or how data can be used to improve your customers’ experience, feel free to contact us today through the contact form below or on +353 1 804 1298.