GDPR Compliance Means Cookie Notices Must ChangeBy: Richard Beaumont | Thursday, November 3, 2016 | Tagged: Cookie Consent, Cookie Compliance, GDPR | Leave Comment
Are you one of those people that ticked the cookie law box ages ago and not thought about it since?
Well the game has changed and now is the time to re-visit your position. The ePrivacy Directive which gave us the cookie law is currently undergoing a revision, but the real issue now is the EU GDPR.
It may be 2018 before it is enforced, but it is now law and has already tightened up the rules as well as increased the penalties for getting it wrong.
There may be a while to go yet, and we may see some guidance from regulators, but I think they will have other issues on their collective agendas. So it is really important to start thinking about the changes you will need to make now, especially for companies that have a lot of websites.
I have talked about some of these issued before, but it was very interesting that when I attended the PDP 16th Annual Data Protection Compliance conference in London recently, a leading UK barrister was telling the collected audience the same thing.
So here are some of the top issues for cookie consent that the GDPR raises.
Cookies can be personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymous, even if they do not directly identify an individual, will be personal data if there is potential for an individual to be identified or singled out. Any persistent cookie that is unique to the device by virtue of its attributes or stored values fits the criteria for personal data. That means most cookies, and certainly the most useful ones for site owners. This is the basis for cookie consent being about GDPR compliance now, as well as the existing cookie laws.
Implied consent is no longer going to be compliant. There are several reasons for this. Mainly it’s because the GDPR requires the user to make an ‘affirmative action’ to signal their consent. Simply visiting a site for the first time would not qualify. So loading up your landing pages with cookies in the hope people won’t opt-out, won’t wash.
Advice to adjust browser settings won’t be enough. The GDPR says it must be as easy to withdraw consent as give it. Telling people to block cookies if they don’t consent would not meet this criterion. It both difficult, ineffective against non-cookie based tracking, and doesn’t provide enough granularity of choice.
‘By using this site, you accept cookies’ statements will not be compliant. If there is no genuine and free choice, then there is no valid consent. Also people who don’t consent also cannot suffer detriment, which means you have to provide some service to those who don’t accept those terms. Which also means…
Sites will need an always available opt-out. Even after getting valid consent, there must be a route for people to change their mind. Again this comes down to the requirement that withdrawing consent must be as easy as giving it.
Soft opt-in is likely the best consent model. This means giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action. Although see above about a persistent opt-out route. This however may not be sufficient for sites that contain health related content, or other sites where the browsing history may reveal sensitive personal data about the visitor. Then it may require explicit consent, a higher bar to get over.
You need a response to Do Not Track browser requests. A DNT:1 signal is a valid browser setting communicating a visitor preference. It could also be interpreted by regulators as an exercise of the right to object to profiling.
Consent will need to be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose. This means granular levels of control, with separate consents for tracking and analytics cookies for example.
Most sites right now would fail on many of these criteria. But you will only need to fail on one of them to risk getting a fine under the GDPR. It’s time to take action.