GDPR, cookies and my website
https://gtmlabs.com/cookies-and-my-website/
Sat, 28 Jul 2018 04:19:00 +0000

The General Data Protection Regulation, GDPR for short, is a privacy law designed to protect the personal data of European Union (EU) residents. The GDPR took effect on May 25, 2018, and affects all companies, regardless of origin, if they possess the personal information of an EU citizen in their database.

Prior to the GDPR, websites would drop cookies onto their visitors’ browsers without their knowledge or consent. However, all that changed with the GDPR legislation. Recital 30 of the General Data Protection Regulation considers cookies as part of personal data. It requires websites to obtain valid consent when collecting personal data from their users. The law now gives its citizens rights over their data.

Why do we need cookies?

Cookies are lines of code that a web server sends out along with the requested website the very first time it is called by the browser. Once in the browser, these cookies transmit data like user ID, session ID, and settings back to the web server. The cookies will remain in the browser until they are flushed out through the “clear cookies” action.

Cookies help to improve user experience on the site. They store information to identify you and provide personalized content and settings.

For example, one of the significant backend applications that use cookies is Google Analytics. Google Analytics uses cookies to monitor site traffic information and user behavior.

Why do the regulators care so much about these cookies?

Like all things good, cookies can be misused in the wrong hands. While cookies can be convenient for website users, they can turn sinister by tracking and remembering user behavior for monitoring and marketing purposes.

Regulators aim to make users conscious of what they allow, rather than granting marketing companies unrestricted access to collect personal data. Users should be given the opportunity to refuse cookies when they visit a site. Hence, the rise of cookie consent and its management.

How does one become GDPR-compliant with regard to cookies?

For starters, you would need to have a prominent cookie consent banner on the front of your home page. The purpose of the consent banner is to inform your visitors that you are using cookies on your website. The visitor then has a choice of whether to accept and proceed. Should they disagree with the use of cookies, they would not be able to proceed further and would have to exit the website.

The banner could be either a pop-up or a banner bar. The bar could be either at the top or the bottom of the page. The pop-up or the banner should have clear and precise information about the purposes of the cookies that are placed on the user’s browser. Pre-ticked boxes for cookie consent are not allowed. What regulators would like to see is affirmative action like “accept” or “reject”.

Next, you need to have a cookie policy to inform visitors what cookies are being used on your website and their purpose. This provides visitors with some knowledge and comfort of how their data will be used.

Next, you have to keep a cookie consent log to document cookie consent for proof of compliance in case you come under regulatory scrutiny.

If you need help in implementing any of the above, let’s connect.

Is your website GDPR compliant?
https://gtmlabs.com/is-your-website-impacted-by-gdpr/
Fri, 15 Jun 2018 12:19:00 +0000

With the rampant collection and misuse of personal data by marketing companies and online businesses, regulatory bodies are stepping in to safeguard individual privacy and personal data.

Today, almost every country has regulations to protect the privacy and personal data of its citizens. The European Union (EU) is no exception.

On the 25th of May 2018, the EU released its version of the data privacy law. It is called the General Data Protection Regulation, better known as GDPR. Any company caught flouting the rules of the GDPR is liable. It can be fined up to 4% of its annual revenue or 20 million euros, whichever is higher.

While most countries’ privacy laws are bounded by the country’s geography, the EU’s GDPR is unique. The GDPR is not restricted by geography at all. As long as the personal data of a citizen of any of its member states is collected and leaked, the organization collecting the data would be held liable and fined under GDPR. Under GDPR, the organization or company will be prosecuted even if it does not have a legal entity in the EU.

One of the significant areas of violation for companies is the company’s very own website. The website is a very public application and, as such, everyone has a view of it, including regulators.

In the event of a personal data breach, privacy investigators will inspect your website. They can very quickly ascertain whether you have taken the regulations seriously and put in place measures to be compliant.

Hence, to understand whether you would be prosecuted under GDPR, you need to ask yourself the following questions:

  • Does your website allow a visitor to add or submit information on your website?
  • On any part of your website, can your visitors leave any comments?
  • Does your website accept any form of payment?
  • Can your site visitors chat with you directly?

If your answer to any of the above questions is yes, then you will be impacted by GDPR if there is a personal data breach. Moreover, you never know which country your website visitor could be a citizen of.

Even if you are not actively doing any business with the EU, you need to understand your GDPR obligations to protect yourself and your business.

Let’s have a conversation if you need assistance in this area.
