Privacy (GDPR)

Cookie Policy: How to Track Website Users Lawfully

A recent study by the Nederlandse Omroep Stichting (the 'NOS'), a Dutch public broadcaster, found that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple: users cannot use the websites without accepting cookies.

On 7 March 2019, the Dutch Data Protection Authority confirmed that this way of obtaining cookie consent is unlawful.

Let's identify the exact mistakes in cookie collection and what to do to comply with the relevant privacy laws.

To place and process cookies within the EU, website owners must comply with the rules of the General Data Protection Regulation (GDPR) and the e-Privacy Directive. The e-Privacy Regulation, expected in 2019, is intended to strengthen these rules and replace the Directive; to date, only a draft version exists.

Privacy laws may seem complicated. However, we believe that four simple steps in cookie collection can ensure compliance with the regulations in force.

[Image omitted. Source: https://pexels.com]

1. Create and Post Cookie Policy

Website owners must publicly inform their users that they use cookies. According to best practice, this is done in two ways.

The first is the Cookie Policy: a document of one or, at most, two pages that explains to users why the website puts small text files (cookies) on their devices. The Cookie Policy must be written in simple, transparent language.

The Cookie Policy must include at least the following information:

- Details of the website controller;

- An explanation of what a cookie is and how it ends up on the user's device;

- The types of cookies and why the website uses them. Typical purposes are technical necessity, personalisation of the website for the user, collection of traffic analytics, and advertising tracking, but they vary from case to case. In any event, make sure every use case is mentioned in the policy; and

- A list of third parties (e.g., analytics or marketing service providers) that place cookies or other tracking technologies through the website, together with the purposes of their tracking activities.

The Cookie Policy can be linked from the bottom of the website's landing page or placed in the 'Privacy' section. The core requirement is that the Policy must be easy for users to find and read; otherwise, the document will have no legal force.

[Image omitted. Source: https://captaingrowth.ai]

2. Create Cookie 'Pop-Up' Window

The second element of the information obligation is informing the user immediately. When a user visits the website for the first time, it must show him or her a short notification about cookies.

The notification should be limited to one or two sentences. Without going into detail, the website states that it uses cookies and links to the Cookie Policy for more information.

The other purpose of the 'pop-up' notification is to obtain the user's consent to cookies, which is explained in the next step.

[Image omitted. Source: https://edps.europa.eu]

3. Obtain Consent

The user's consent is a core condition for processing certain types of cookies, such as advertising or personalisation cookies.

Website owners often misunderstand the concept of consent. The study mentioned above proves it: of the 3,237 websites examined, almost half (1,347) were collecting invalid consent. Invalid consent has no legal force and therefore cannot serve as a lawful basis for processing.

To collect consent correctly, the website owner must follow a few rules:

- Not all cookies need consent. A website can set cookies that are strictly necessary for it to work without asking; they are needed to provide the service. However, the owner does need the user's consent for cookies that serve personalisation or advertising purposes.

- No 'one consent for all cookies'. As we have seen, there can be more than one type of 'consent-based' cookie. In that case, the user must give separate, specific consent for each type.

- The user must be able to continue without consenting. This is where thousands of websites fail: the website cannot force the user to accept cookies. Consent must be 'freely given'. No cookie wall, which makes accepting cookies the price of continuing. Therefore, the 'pop-up' window must have two buttons: accept cookies and reject cookies (use necessary cookies only);

- Consent must be revocable. The user must be able to withdraw consent whenever he or she decides to. This can be done either with an 'on/off' control in the UI or with an option to contact the owner.

[Image omitted. Source: https://edps.europa.eu]

Cookies v. paid subscriptions: a freely given choice? Some websites, like the Washington Post, give users two options: consent to cookies and use the site for free, or pay for a subscription.

[Image omitted. Source: https://www.washingtonpost.com/]


Does this violate the 'freely given consent' principle? While the British data protection authority reportedly believes it does, the Austrian one considers this choice compliant with data protection law.

Conclusion? The understanding of the GDPR rules varies even within the European Union, so keep this in mind when choosing your target audience.

4. Be Careful with Sensitive Data

A less covered but nonetheless important issue is the collection of political opinions, religious or philosophical beliefs, racial or ethnic origin, other characteristics that could be used to discriminate, biometric data, or children's data, collectively known as 'sensitive data'. Sensitive data is subject to a restricted collection regime, which can complicate cookie collection.

If the website has 'consent-based' cookies that involve sensitive data (for example, advertising-tracking cookies that profile users on such characteristics), the controller must obtain 'explicit' consent.

This can turn out to be no easy task. The term 'explicit' implies a written statement, e-mail, or e-signature from the user as proof of consent. There is no universal solution for cookies and sensitive data: each approach must be weighed in terms of efficiency, costs and benefits, and compliance with legal obligations.

Conclusion

Cookies are a very powerful tool in the era of the digital economy. European lawmakers, for their part, require businesses to use this tool responsibly.

Should you need additional help or advice with cookies and privacy, don't hesitate to contact us. We would be delighted to assist you.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Vlad Nekrutenko

Privacy Lawyer at Legal Nodes
