On May 25th 2018, the General Data Protection Regulation (“GDPR”) entered into force, representing the most significant initiative on data protection in 20 years. Arguably, the most notable alteration in the everyday life of citizens is the “cookie pop-up” on almost all websites. Nowadays, when entering a website, the first thing the user sees is a message equivalent to the following:
The official definition provided by the European Commission for “cookies” provides that a cookie is “a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing.” Their purpose is to allow the website to “remember” the user’s actions or preferences over time.
Surprisingly, cookies are only mentioned once in the GDPR and not even in the main body of the Regulation. The sole reference is found in the recital No.30 of the Regulation:
“(30) Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
These few lines have a massive impact on the compliance of cookies, basically stating that when cookies can identify an individual directly or indirectly, they are considered personal data. The GDPR considers a name, a photo, an email address, bank details, posts on social networking websites, medical information and a computer IP address to be personal data. Examples of cookies that could identify users are cookies for analytics, advertising and functional services, such as survey and chat tools.
The usual problem with cookies lies in the notion of “consent”. In order to secure compliance with the data protection requirements, website administrators use the “cookie pop-ups” to receive the consent of the website user to acquire, store and track his or her identifiable data.
The lack of consent represents a major breach from a legal point of view, and due to the indifference of website owners and administrators, the user’s privacy is increasingly compromised. The user is in no position to know which personal data are tracked and saved, who is tracking them, for what purpose, or for how long. Undoubtedly, the aforementioned practices are vigorously opposed to both the spirit and the letter of data protection regulations, and therefore many website administrators and owners may be in breach. The consequences of non-compliance may be economic (e.g. fines), reputational (e.g. negative publicity and lack of trust) or commercial (e.g. obstacles in concluding agreements with other companies).
The question arising at this point is, how does a website administrator ensure that a website and its cookies are compliant with the GDPR? The answer is mainly found in the ePrivacy Directive (Directive 95/46/EC) which provides for the protection of privacy and all personal data collected in relation to EU citizens for reasons of processing, use and data exchange.
Combining the provisions of the GDPR and the ePrivacy Directive, the following guidelines for website administrators emerge:
- Users whose data is being collected should be given notice of such collection. The user must know that his or her data are collected while browsing the website.
- Users whose personal data is being collected should be informed as to the party or parties collecting such data. They shall also be made aware of the reasons for the collection, processing and use (e.g. advertisement and promotion of products).
- Once collected, personal data should be kept safe and secure from potential abuse, theft, or loss. The website administrator is therefore obliged to establish a secure system and impenetrable databases for the personal data of the users; this is a prerequisite for compliance with the GDPR.
- Data collected should be used only for the purposes stated in the “cookie pop-up” and for no other purposes.
- Personal data should not be disclosed or shared with third parties without consent from its subjects.
- Consent must be obtained explicitly and prior to the initial processing of the personal data. This can be done through either the use of an opt-in box which the user can ‘tick’ to demonstrate their acceptance of website cookies or through editing their setting preferences. In general, consent must be given by means of an affirmative, positive action that cannot be misinterpreted.
- Data subjects shall have the right to withdraw their consent at any time in an easy manner, according to Article 7(3) of the GDPR. Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing due to “the right to be forgotten”.
- Every 12 months, the consent should be renewed upon the user’s first visit to the site.
- Subjects should be able to hold personal data collectors accountable for adhering to the above principles.
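The consent, withdrawal and 12-month renewal points above translate directly into a gate that a website's own scripts must pass before any non-essential cookie is written. The following is an added example (not code from the original article, and not any particular consent-management product): a minimal consent manager in JavaScript. The `MemoryCookieJar`, the `ConsentManager` class, the `cookie_consent` record name and the three cookie categories are all assumptions made for the example; in a browser the jar would be implemented over `document.cookie`, and the category list would be the site's own.

```javascript
// Added example: consent-gated cookie handling modelled on the guidelines above.
// Not from the original article; names below are hypothetical.

const CONSENT_COOKIE = 'cookie_consent';                 // assumed record name
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;    // re-ask after 12 months

// In-memory stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
}

class ConsentManager {
  // categories: { name: { essential: bool, cookies: [cookie names] } }
  // now: clock function, injectable so expiry can be exercised deterministically
  constructor(jar, categories, now = () => Date.now()) {
    this.jar = jar; this.categories = categories; this.now = now;
  }

  // The stored consent record, or null if absent, malformed or older than 12 months.
  currentConsent() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (typeof rec.grantedAt !== 'number' || !Array.isArray(rec.categories)) return null;
    if (this.now() - rec.grantedAt > CONSENT_MAX_AGE_MS) return null; // stale: renew
    return rec;
  }

  // Default is "not allowed": only an explicit, affirmative opt-in counts.
  isAllowed(category) {
    const def = this.categories[category];
    if (def && def.essential) return true;
    const rec = this.currentConsent();
    return rec !== null && rec.categories.includes(category);
  }

  // Record the categories the user actively ticked; essential ones need no consent.
  grant(selected) {
    const valid = selected.filter(c => c in this.categories && !this.categories[c].essential);
    this.jar.set(CONSENT_COOKIE, JSON.stringify({ grantedAt: this.now(), categories: valid }));
    return valid;
  }

  // Withdrawal: drop the record and every cookie of a non-essential category.
  withdraw() {
    this.jar.remove(CONSENT_COOKIE);
    for (const def of Object.values(this.categories)) {
      if (def.essential) continue;
      for (const name of def.cookies) this.jar.remove(name);
    }
  }

  // The gate every script goes through; returns whether the cookie was written.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, value);
    return true;
  }
}

// Constructed category list for the example.
const CATEGORIES = {
  necessary:   { essential: true,  cookies: ['session_id'] },
  analytics:   { essential: false, cookies: ['_an_uid'] },
  advertising: { essential: false, cookies: ['_ad_uid'] },
};

// Walks through notice -> opt-in -> expiry -> withdrawal and returns the observed outcomes.
function demo() {
  let clock = 1700000000000;                      // constructed fixed timestamp
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar, CATEGORIES, () => clock);
  const trace = [];
  trace.push(cm.setCookie('session_id', 'abc', 'necessary')); // true: essential
  trace.push(cm.setCookie('_an_uid', 'u1', 'analytics'));     // false: no consent yet
  cm.grant(['analytics']);                                    // user ticked analytics only
  trace.push(cm.setCookie('_an_uid', 'u1', 'analytics'));     // true
  trace.push(cm.setCookie('_ad_uid', 'a1', 'advertising'));   // false: not ticked
  clock += CONSENT_MAX_AGE_MS + 1;                            // 12 months pass
  trace.push(cm.isAllowed('analytics'));                      // false: consent must be renewed
  cm.grant(['analytics']);
  cm.withdraw();                                              // user withdraws
  trace.push(jar.get('_an_uid'));                             // null: analytics cookie removed
  trace.push(jar.get('session_id'));                          // 'abc': essential cookie kept
  return trace;
}
```

The design choice worth noting is that `isAllowed` fails closed: a missing, unparsable or stale record is treated as no consent, so a broken or tampered consent cookie can never silently enable tracking, and the 12-month renewal falls out of the same check rather than needing a separate timer.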
Based on the above, a GDPR compliant cookie message would be the following:
To conclude, the safeguarding of a subject’s personal data constitutes a significant aspect of the right to privacy. Website owners and administrators are obliged to operate in a manner which guarantees the protection and respect to a person’s personal information. The need for data protection in the internet environment nowadays is greater than ever before, and non-compliance with the previously mentioned principles will not be tolerated.