Safe Harbour and Cookie Compliance
By: Richard Beaumont | Friday, October 16, 2015 | Tagged: Cookie Compliance, Safe Harbour
As almost everybody with an interest in privacy will know by now, the European Court of Justice has recently declared the EU-US Safe Harbour mechanism invalid. This has been widely used to manage the transfer of personal data from the EU to the US in the last 15 years. Right now there is a huge uncertainty about what it means for business, and there is a lot of coverage both in the privacy world and mainstream media about the issue.
However, I don’t think anyone has given much thought to the impact on cookie compliance – until now.
Cookies are nothing more than a mechanism for transferring data between the client (end user device) and host server. If the website visitor is in the EU, and the cookie host server is based in the US, then there is a de facto transfer of data to the US.
Of course, you might think you are hosting your website in the EU, so you are fine. However, we know that most cookies on websites are actually third party (80% on average according to Cookiepedia). These are the result of integrating software services and functionality into the site from a multitude of providers. The vast majority of these services come from US-based companies, and therefore most of the data transfer happening on an EU website is likely to be to the US.
With cookies being read by servers every second, there are billions of these data transfers happening every single day. So the bottom line is – any business with a website is potentially impacted by the Safe Harbour ruling.
Are you Exposed?
There are three key questions as a website owner you need to ask:
- Are we serving cookies from US based host domains?
- Do any of those host domains rely on Safe Harbour as a transfer mechanism?
- Do any of the cookies they serve carry personal data?
If the answer to all of these questions is yes – then you have a potential problem on your hands.
The first two questions are easy to answer. In the case of most websites that have third party cookies, nine times out of ten the answer will be yes.
The issue of whether such cookies contain personal data is more contentious, and also difficult to discover. Most data is encoded so you can’t tell by looking at the contents. However, there has long been a strong case for arguing that where a cookie contains or is used as a unique identifier, as is usually the case in behavioural advertising cookies in particular – then that should be seen as personal data.
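The three questions above can be worked through mechanically against a cookie inventory. The following is an added example, not Optanon's audit tooling: it takes constructed Set-Cookie headers captured from a fictional EU site, classifies each cookie as first or third party by host domain, checks the host against an assumed (constructed) list of US-hosted vendors, and treats an opaque value of 16 or more characters as a probable unique identifier, which is only a heuristic since cookie contents are usually encoded.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (response URL, Set-Cookie header) pairs as captured while loading
# a fictional EU site. The host names are placeholders, not real services.
SAMPLE_RESPONSES = [
    ("https://www.example-shop.eu/", "session=abc123; Path=/; HttpOnly"),
    ("https://cdn.example-shop.eu/app.js", "lang=en; Path=/"),
    ("https://ads.example-adnetwork.com/pixel",
     "uid=9f3a7c1e4b2d8e6f1a0b; Domain=.example-adnetwork.com; Path=/"),
    ("https://stats.example-analytics.com/collect", "visitor=a1b2c3d4e5f6a7b8; Path=/"),
]

# Assumed answer to question 2: which third-party domains are US hosted. A real audit
# would take this from a vendor register; here it is a constructed lookup table.
US_HOSTED = {"example-adnetwork.com", "example-analytics.com"}

# Question 3 heuristic: an opaque value of 16+ characters is treated as an identifier.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_\-]{16,}")


def registrable_domain(host):
    """Last two labels of a host name (simplification: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def audit_cookies(responses, site_domain, us_hosted):
    """Answer the three audit questions for every cookie in the captured headers."""
    findings = []
    for url, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Cookie scope is the Domain attribute if present, else the response host.
            host = morsel["domain"].lstrip(".") or urlsplit(url).hostname
            domain = registrable_domain(host)
            third_party = domain != site_domain
            findings.append({
                "cookie": name, "domain": domain,
                "third_party": third_party,
                "us_hosted": domain in us_hosted,
                "identifier": IDENTIFIER_RE.fullmatch(morsel.value) is not None,
            })
            # Exposed only when all three questions are answered "yes".
            f = findings[-1]
            f["exposed"] = f["third_party"] and f["us_hosted"] and f["identifier"]
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_RESPONSES, "example-shop.eu", US_HOSTED):
        print(finding)
```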
So what do you do about it?
An Optanon cookie audit will tell you what third party domains are setting cookies on your site. In most cases we can also tell you straight away if those domains relate to US companies.
In our opinion, if this is the case it would be safest to assume that personal data is involved in most cases, but particularly where behavioural advertising or targeting is concerned.
With Safe Harbour invalidated, a new legal mechanism is required to make the transfer of data from your visitors to your third party cookie providers lawful. You cannot rely on any contractual route like model clauses in this case, so this only leaves consent.
Of course consent is already the legal mechanism by which cookies can be set. However, the question becomes whether general consent for cookies can also, in the absence of additional information, count as consent to a data export. I would have thought not.
We have of course always maintained that consent for cookies should mean at the very least direct opt-out controls provided to visitors. The Safe Harbour decision really strengthens the case for this – because consent to an international transfer is not valid unless it can be withdrawn.
At a practical level, the very least website owners using cookies from US third parties should do is update their policies to make this clear, and to specify that as a result visitors’ personal data is being transferred to the US. However, to be safe we would also suggest providing a mechanism by which visitors can refuse those cookies that are exporting data to the US.
If you would like to find out how to do this, we can help.