The recent study by the Nederlandse Omroep Stichting (the 'NOS'), a Dutch news organisation, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple: users cannot use the websites without accepting cookies.
On 7 March 2019, the Dutch Data Protection Authority confirmed that collecting cookies in this way is unlawful.
Let's identify the exact mistakes in cookie collection and what to do to comply with the relevant privacy laws.
To place and process cookies within the EU, website owners must comply with the rules of the General Data Protection Regulation (GDPR) and the e-Privacy Directive. In 2019, the e-Privacy Regulation is expected to strengthen the rules and replace the Directive. To date, we only have the draft version of it.
Privacy laws may seem complicated. However, we believe that just four simple steps in cookie collection can ensure compliance with the regulations currently in force.
Website owners must publicly inform their users that they collect cookies. According to best practice, this is done in two ways. The first is a cookie policy, which should contain:
- Details of the website's controller;
- An explanation of what a cookie is and how it appears on the user's device;
- The types of cookies and why the website uses them. Usually, the purposes include technical necessity, personalisation of the website for the user, the collection of traffic analytics, and advertisement tracking, but they vary from case to case. In any case, always make sure all use cases are mentioned in the policy; and
- A list of third parties (e.g., analytics or marketing service providers) that deploy cookies or other tracking technologies on the website. The purposes of third-party tracking activities must also be mentioned.
2. Create a Cookie 'Pop-Up' Window
The second element of the information obligation involves informing the user immediately. When the user visits the website for the first time, it must show him/her a short notification about cookies.
The other purpose of the 'pop-up' notification is to obtain the user's consent to cookies, which is explained in the next step.
3. Obtain Consent
The user's consent is a core condition for processing certain types of cookies, such as advertisement or personalisation cookies.
Website owners often misunderstand the concept of consent. The study mentioned above proves this: of the 3,237 websites examined, almost half, 1,347 websites, were collecting invalid consent. Invalid consent has no legal force and thus cannot be a valid ground for processing.
To collect consent correctly, the website owner must follow a few tips:
- Not all cookies need consent. For example, a website can deploy cookies that ensure its proper functioning without consent, because they are necessary for the provision of the service. However, the website owner needs the user's consent for cookies that serve website personalisation or advertising purposes.
- No 'one consent for all cookies'. As we have seen, there can be more than one type of 'consent-based' cookie. In that case, the user must give separate and specific consent for each type of cookie.
- The user must be able to continue without consenting. This is where thousands of websites fail: a website cannot oblige the user to accept cookies. Consent must be 'freely given'. No cookie wall, which forces the user to accept cookies in order to continue. Therefore, a 'pop-up' window must have two buttons: accept cookies, and reject cookies (use necessary cookies only);
- Possibility to revoke consent. Finally, the website user must be able to withdraw consent if he/she decides to do so. This can be done either with a UI 'on/off' control or with an option to contact the owner.
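As an added illustration of steps 2 and 3 (not code from the article or from any product it mentions), the following JavaScript gates every non-essential cookie behind separate, freely given and revocable consent per category. The four category names and the Map-based cookie jar standing in for document.cookie are assumptions made for this example.

```javascript
// Constructed example: consent gating for the four cookie categories assumed here;
// the Map-based "jar" stands in for document.cookie.
const CATEGORIES = ["necessary", "personalization", "analytics", "advertising"];

class ConsentManager {
  constructor(jar) {
    this.jar = jar;                  // Map<name, {value, category}>
    this.consent = this.noConsent(); // nothing pre-ticked before the visitor decides
  }

  // Default state: only necessary cookies are allowed; all consent-based ones are off.
  noConsent() {
    return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  }

  // The two pop-up buttons: accept all, or reject (necessary cookies only).
  acceptAll() { this.save(Object.fromEntries(CATEGORIES.map((c) => [c, true]))); }
  rejectAll() { this.save({}); }

  // Separate consent per category from a settings panel: unknown categories are
  // refused, and any category not explicitly set to true stays off.
  save(choices) {
    for (const cat of Object.keys(choices)) {
      if (!CATEGORIES.includes(cat)) throw new Error(`unknown cookie category: ${cat}`);
    }
    const next = this.noConsent();
    for (const cat of CATEGORIES) {
      if (cat !== "necessary" && choices[cat] === true) next[cat] = true;
    }
    this.consent = next;
  }

  // Withdrawal: switch the category off and delete cookies already set under it.
  revoke(category) {
    if (!CATEGORIES.includes(category) || category === "necessary") return; // nothing to revoke
    this.consent[category] = false;
    for (const [name, c] of [...this.jar]) {
      if (c.category === category) this.jar.delete(name);
    }
  }

  // Every cookie carries a category and is written only if that category is consented to.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (!this.consent[category]) return false;
    this.jar.set(name, { value, category });
    return true;
  }
}
```

In a real site, setCookie would write document.cookie and the consent object itself would be persisted (for example in a necessary cookie) so the choice survives reloads.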
Cookies v. Paid Subscriptions: a freely given choice? Some websites, like the Washington Post, give users two options: consent to cookies and use the site for free, or pay for a subscription.
Conclusion? Understanding of the GDPR rules varies even within the European Union, so keep this in mind when choosing your target audience.
4. Be Careful with Sensitive Data
A less discussed but nonetheless important issue is the collection of political opinions, religious or philosophical beliefs, racial or ethnic origin, other characteristics that could be used for discrimination, biometric data or children's data, also known as 'sensitive data'. Sensitive data is subject to a restricted collection regime, which can complicate cookie collection.
If the website has 'consent-based' cookies that are connected with sensitive data (for example, advertisement-tracking cookies), the controller must obtain 'explicit' consent.
This can turn out to be no easy task. The term 'explicit' implies a written statement, e-mail or e-signature from the user as proof of consent. There is no general solution for cookies and sensitive data. Each approach must be weighed in terms of efficiency, costs and benefits, and compliance with legal obligations.
Cookies are a very powerful tool in the era of the digital economy. European lawmakers, for their part, make businesses use this tool responsibly.
Should you need additional help or advice with cookies and privacy, don't hesitate to contact us. We would be delighted to assist you.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.
Privacy Lawyer at Legal Nodes