06. Aug 20
Cookie consent and GDPR - avoid common mistakes
When it comes to GDPR and the plethora of other privacy regulations, there is a simple principle to follow in website development with respect to cookies:
Say what you do and do what you say. No more, no less.
Here are some of the important principles that you need to follow.
Do not treat cookie policy as just another document
Law requires you to think first and act second
Mistakes can be very expensive. Storing cookies on someone's computer, smartphone or tablet is punishable if you don't get consent from the website visitor. Functional cookies (those without which a website cannot function properly) are exempt from the consent rule. Most other cookies require consent. Some would argue that legitimate interest can be proven for some other types of cookies. That discussion is still ongoing and is beyond the scope of this blog post. Website owners: be aware of all the cookies your website stores and know your cookies well, especially before you decide whether you need consent. This is not a legal discussion about whether legitimate interest for storing a cookie can be proven, but rather a reminder that not all cookies are alike.
Know your cookies! Before you implement any functionality in your website that will store cookies on visitors' computers, make sure you are aware of the GDPR principle most often referred to as "privacy by design and by default", set out in Article 25 of the GDPR. You are required by law to think first and act second. Yes, it may appear that the regulation makes website development unnecessarily complicated, but it's the law. Make a list of all cookies and incorporate them into the cookie policy. Always remember this: if you are storing a cookie or reading it, you are processing data, often personal data.
Every website needs a cookie policy. It also needs a privacy policy, but that is beyond the scope of this blog post.
Get rid of unnecessary cookies
To give users the best experience, websites often store data about the browser, IP addresses, geolocation, and so on. This data does not necessarily have to be stored in a cookie in a human-readable way; it can be stored as a series of GUIDs or other seemingly scrambled data. Sometimes that data is used for personalization, sometimes for analytics, sometimes to provide advertising networks with user data. Whatever the purpose of storing the data, it should be limited to exactly what you need. Storing excess data is a violation of GDPR: Article 5 of the GDPR says that data should be limited to what is necessary for the purpose. In a nutshell, GDPR says that if you cannot prove you really need something, and that you need it lawfully, get rid of it.
The main question arises: how does one know which cookies are really necessary? Answering the 5W+H questions is a simple method to determine which cookies a website needs. The 5W+H questions are:
- Who - Who needs this cookie? Is it the website owner or a third party? The answer to this question will give you the list of data processors and data controllers required by GDPR.
- What - What does the website (or a third party) do with this cookie? This will shed light on the clarity of data processing purposes, also required by GDPR.
- When - When is the cookie stored, read, used, and deleted? The answer to this question will steer you towards the retention policy that you are required to disclose to the website visitor. Do not store the data for longer than you need. Never store cookies that require consent before the website visitor has actually given explicit consent. Audit your website and check whether you are doing this.
- Where - Where does the data (stored in a cookie) go once it's read? Is the website visitor the only one who uses it? Maybe not. What if the website visitor is an EU citizen and the data goes to the USA? The answer to this question will give you a clear direction about data transfers, which you are also obligated to disclose to the website user. Beware that the EU-US Privacy Shield has just been voided by the EU's top court.
- Why - Why does the website even use this cookie? The answer to this question will help you decide on a clear purpose for using the cookie. All website owners are required to disclose those data processing purposes. It says so in GDPR.
- How - How is the data processed and transferred? Are those ways secure? How can a user withdraw consent to store cookies? All of this will give you a clear picture of whether what the website is doing adheres to the full extent of the law, especially GDPR.
This list of 5W+H question examples has been shortened for the sake of brevity of this blog post and will be covered in a later post with real-life examples.
If you cannot answer all of these questions, you don't know enough about the cookies your website is using. Consequently, you could be exposing yourself to an unnecessary risk of penalties, not to mention the reputational damage you may suffer.
On a side note, if your website is ISO 27001 certified and you are not adhering to GDPR, that is a clear non-conformity against control A.18.1.4 (Privacy and protection of personally identifiable information): you may lose the certificate.
Know your website users' rights
You should be aware of the rights GDPR gives to website users. Those rights are:
- Right to information - you need to publish the cookie policy
- Right to access - if you get a user's data (e.g. website behaviour) and use it in some of your analytical software, the user should have some sort of access to it
- Right to rectification - self-explanatory - you must ensure that you can correct any data
- Right to withdraw consent - the biggest mistake many websites make: they notify about the usage of cookies easily (with a modal window we have all seen one too many times), but they do not offer a way to withdraw that consent that is as easy as the way consent was given
- Right to object - the user can object to the processing of any data. If the user objects, you have to comply or face the risk of fines
- Right to object to automated processing - commonly used for advertising and personalization - users must be able to refuse consent to the processing of their data
- Right to data portability - if a user asks for any personal data that you obtained from a cookie, you must be able to provide it to them - this is one of the most commonly forgotten rules in website design
Just after you have finished all of these steps, you may begin to write a cookie policy and implement it technically.
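As an added illustration (not code from the original post), here is a small JavaScript model of a cookie inventory built from the 5W+H answers, a consent gate, a withdrawal helper, and an audit that flags cookies set without consent, undeclared cookies, and cookies outliving their declared retention. The inventory entries, cookie names and consent state are constructed sample values, not from any real site.

```javascript
// Cookie inventory built from the 5W+H questions: who sets it, what for,
// how long it lives (when), where the data goes, and whether it is
// strictly necessary (functional) or requires consent. Constructed sample.
const COOKIE_INVENTORY = [
  { name: 'session_id', who: 'first-party', purpose: 'login session',
    category: 'functional', maxAgeDays: 0, transfer: 'none' },
  { name: '_ana_uid', who: 'third-party analytics', purpose: 'usage analytics',
    category: 'analytics', maxAgeDays: 365, transfer: 'USA' },
  { name: '_ad_id', who: 'advertising network', purpose: 'ad personalisation',
    category: 'advertising', maxAgeDays: 90, transfer: 'USA' },
];

// Categories that never require consent (functional cookies only).
const EXEMPT_CATEGORIES = new Set(['functional']);

// May this cookie be stored right now, given the visitor's consent choices?
// consent is an object such as { analytics: true, advertising: false }.
function mayStore(cookie, consent) {
  return EXEMPT_CATEGORIES.has(cookie.category) || consent[cookie.category] === true;
}

// Names to delete when consent is withdrawn for the given categories;
// withdrawal has to be as easy as giving consent, so clearing must be automatic.
function cookiesToClear(categories, inventory = COOKIE_INVENTORY) {
  return inventory.filter(c => categories.includes(c.category)).map(c => c.name);
}

// Audit what is actually present in the browser (name -> max age in days)
// against the inventory and the consent state. Returns a list of findings.
function auditCookies(present, consent, inventory = COOKIE_INVENTORY) {
  const byName = new Map(inventory.map(c => [c.name, c]));
  const findings = [];
  for (const [name, ageDays] of Object.entries(present)) {
    const c = byName.get(name);
    if (!c) { findings.push({ name, issue: 'undeclared' }); continue; }
    if (!mayStore(c, consent)) findings.push({ name, issue: 'set-without-consent' });
    if (ageDays > c.maxAgeDays) findings.push({ name, issue: 'exceeds-declared-retention' });
  }
  return findings;
}

// Constructed scenario: the visitor consented to analytics but not advertising,
// yet the page still set the advertising cookie and an undeclared tracker.
const sampleConsent = { analytics: true, advertising: false };
const sampleCookies = { session_id: 0, _ana_uid: 365, _ad_id: 90, tracker_x: 30 };
console.log(auditCookies(sampleCookies, sampleConsent));
console.log('to clear on withdrawal:', cookiesToClear(['analytics', 'advertising']));
```

Every finding from the audit maps directly to one of the 5W+H answers you could not give, so the same inventory doubles as the source for the cookie policy table.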
Contact us if you need help in setting up or implementing your cookie policy
This blog post is made available by the author, who is a licensed ISO 27001 Internal Auditor and has extensive experience in managing privacy. This blog is intended for educational purposes only, as well as to present the author's views on how business understands the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and this blog publisher. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Views of the author do not necessarily represent views of Infranet (see our incorporation details), nor do they constitute a promise. Photos: Pexels.com
How to confirm the identity of a person? What are the principles of identity confirmation and their relationship with authentification? How to be GDPR compliant, prevent identity theft and personal information data breaches? This blog post summarizes some of the GDPR topics we were tackling at a high level. If you are just embarking on a GDPR ship with a demanding project, hopefully, our views can make your journey faster and more cost-effective.