When it comes to GDPR and a plethora of other privacy regulations, there is a simple principle to follow in website development with respect to cookies:
Say what you do and do what you say. No more, no less.
Here are some of the important principles that you need to follow.
The law requires you to think first and act second
Mistakes can be very expensive. Storing cookies on someone's computer, smartphone or tablet is punishable if you don't get consent from the website visitor. Functional cookies (those cookies without which a website cannot function properly) are exempt from the consent rule. Most other cookies require consent. Some would argue that legitimate interest can be proven for some other types of cookies. That discussion is still ongoing and is beyond the scope of this blog post. Website owners: be aware of all the cookies your website stores and know your cookies well, especially before you decide whether you need consent. This is not a legal discussion about whether legitimate interest for storing a cookie can be proven, but rather a reminder that not all cookies are alike.
Get rid of unnecessary cookies
To give users the best experience, websites oftentimes store data about the browser, IP address, geolocation, and so on. This data does not necessarily have to be stored in a cookie in a human-readable way. It can be stored as a series of GUIDs or other types of seemingly scrambled data. Sometimes that data is used for personalization, sometimes for analytics, sometimes to provide advertising networks with user data. Whatever the purpose of storing the data, it should be limited to exactly what you need. Storing excess data is a violation of GDPR. Article 5 of GDPR says that data should be limited to what is necessary for the purpose. In a nutshell, GDPR says: if you cannot prove you really need something, and that you need it lawfully, get rid of it.
The main question arises: how does one know which cookies are really necessary? Answering the 5W+H questions is a simple method to determine which cookies a website needs. The 5W+H questions are:
- Who - Who needs this cookie? Is it the website owner or a third party? The answer to this question will give you the list of data processors and data controllers, as required by GDPR.
- What - What does the website (or a third party) do with this cookie? This will shed light on the clarity of data processing purposes, also required by GDPR.
- When - When is the cookie stored, read, used, and deleted? The answer to this question will steer you towards the retention policy that you are required to disclose to the website visitor. Do not store the data for longer than you need. Never store cookies that require consent before the website visitor has actually given explicit consent. Audit your website and check whether you are doing this.
- Where - Where does the data (stored in a cookie) go once it's read? Is the website visitor the only one that uses it? Maybe not. What if the website visitor is an EU citizen and the data goes to the USA? The answer to this question will give you a clear direction about data transfers, which you are also obligated to disclose to the website user. Be aware that the EU-US Privacy Shield has just been voided by the EU's top court.
- Why - Why does the website even use this cookie? The answer to this question will help you decide on a clear purpose for using the cookie. All website owners are required to disclose those data processing purposes. It says so in GDPR.
- How - How is the data processed and transferred? Are those methods secure? How can a user withdraw consent to store cookies? All of this will give you a clear picture of whether what the website is doing adheres to the full extent of the law, especially GDPR.
This list of 5W+H question examples has been shortened for brevity and will be covered in a later post with real-life examples.
If you cannot answer all of these questions, you don't know enough about the cookies your website is using. Consequently, you could be exposing yourself to an unnecessary risk of penalties, not to mention the reputational damage you may suffer.
On a side note, if your website is ISO 27001 certified and you are not adhering to GDPR, that is a clear non-conformity against control A.18.1.4 (Privacy and protection of personally identifiable information): you may lose the certificate.
Know your website users' rights
You should be aware of the rights that GDPR gives to your website users. Those rights are:
- Right to access - if you collect a user's data (e.g. website behavior) and use it in your analytical software, the user should have some form of access to it
- Right to rectification - self-explanatory: you must ensure that you can correct any data
- Right to withdraw consent - the biggest mistake many websites make: they notify about the usage of cookies easily (with a modal window we have all seen one too many times), but they do not offer a way to withdraw that consent that is as easy as giving it
- Right to object - a user can object to the processing of any data. If the user objects, you have to comply or face the risk of fines
- Right to object to automated processing - commonly used for advertising and personalization: users should be able to refuse consent for their data to be processed this way
- Right to data portability - if a user asks for any personal data that you obtained from a cookie, you must be able to provide it to them. This is one of the most commonly forgotten rules in website design
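The two practical rules above, never write a consent-requiring cookie before explicit consent is given (the "When" question) and make withdrawal as easy as giving consent (the right to withdraw), can be enforced in code. The following is an added example, not code from the original post: the cookie names, categories, purposes and retention periods in the inventory are constructed for illustration, and the cookie jar is a plain Map standing in for the browser's cookie store.

```javascript
// Added example, not from the original post. Cookie names, categories and
// retention periods are constructed for illustration.

// Inventory built from the 5W+H answers: who sets the cookie, why, and for how long.
const COOKIE_INVENTORY = [
  { name: "session_id",     category: "functional",  setBy: "first party", purpose: "keep the visitor logged in", maxAgeDays: 1 },
  { name: "_analytics_uid", category: "analytics",   setBy: "third party", purpose: "usage statistics",           maxAgeDays: 365 },
  { name: "_ads_uid",       category: "advertising", setBy: "third party", purpose: "ad network profiling",       maxAgeDays: 365 },
];
// Only functional cookies are exempt from consent; every other category needs an explicit opt-in.
const CONSENT_CATEGORIES = ["analytics", "advertising"];

// Nothing is pre-ticked: a fresh visitor has consented to nothing.
function createConsent() {
  return { analytics: false, advertising: false, updatedAt: null };
}

// One call both grants (granted=true) and withdraws (granted=false) consent per category,
// so withdrawing is exactly as easy as giving it.
function setConsent(consent, categories, granted) {
  for (const c of categories) if (CONSENT_CATEGORIES.includes(c)) consent[c] = granted;
  consent.updatedAt = new Date().toISOString();
  return consent;
}

// May this cookie be written right now? Unknown cookies are refused: a cookie that is
// not in the inventory has no documented purpose or retention period.
function mayStore(consent, name) {
  const entry = COOKIE_INVENTORY.find((c) => c.name === name);
  if (!entry) return false;
  return entry.category === "functional" || consent[entry.category] === true;
}

// Set-Cookie value carrying the documented retention period, or null if not permitted.
function setCookieHeader(consent, name, value) {
  if (!mayStore(consent, name)) return null;
  const maxAge = COOKIE_INVENTORY.find((c) => c.name === name).maxAgeDays * 86400;
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Re-apply the consent state to an existing cookie jar (a Map of name -> value):
// anything no longer permitted is deleted and the deleted names are returned.
function enforceConsent(consent, jar) {
  const removed = [];
  for (const name of [...jar.keys()]) {
    if (!mayStore(consent, name)) { jar.delete(name); removed.push(name); }
  }
  return removed;
}
```

Running enforceConsent on page load and again whenever setConsent is called is what keeps the stored cookies in line with what the visitor actually agreed to.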
This blog post is made available by the author, who is a licensed ISO 27001 Internal Auditor and has extensive experience in managing privacy. This blog is intended for educational purposes only, as well as to present the author's views on how business understands the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and this blog publisher. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Views of the author do not necessarily represent views of Infranet (see our incorporation details), nor do they constitute a promise. Photos: Pexels.com