The General Data Protection Regulation or GDPR is a law enacted by the European Union that makes it imperative for webmasters to get explicit consent from internet users, acknowledging the use of cookies by their websites for specific purposes. Cookies have been in use for over three decades now. Websites use tiny files of text that are stored in desktops or laptops and now phones of users. These files or cookies track user activity, not just on the website operated by the webmaster but also across the web using the particular browser. Some cookies can also track offline activity. These cookies are primarily used for marketing purposes. There may be other purposes as well, such as research and statistics.
An Overview of Cookies and their Usage
Cookies have been used by webmasters around the world without the explicit consent from users. Many users have been aware of cookies and how they work but most people are unfamiliar with the sharing of personal data without their permission. Different legislations over the last decade have tried to regulate the use of cookies and how webmasters gain consent. Not too long ago a law necessitated websites to mention clearly that they use cookies. This message was often displayed at the bottom of the homepage or in the terms of use webpage of the site. The message was simply a notification or disclosure. This did not serve the purpose of getting consent. It was presumed that users would read the message and automatically allow the websites to use cookies and track their activity.
The GDPR changes how websites can use cookies and specifically how the disclosures are to be made to gain consent. GDPR coupled with ePR or ePrivacy Directive now mandate website owners or webmasters to use cookies including online tracking of European users only when there has been an explicit content. This means users should agree to the use of cookies when they are accessing the website. Simply browsing the website without such acknowledgement and hence explicit content does not mean the webmaster can run cookies to track the user. The webmaster is of course at liberty to make the website inaccessible to those users who do not agree to accept the usage of cookies.
Overview of the GDPR
GDPR or General Data Protection Regulation is a European legislation, applicable to all member nations of the EU and all websites that receive visitors from the European Union. The regulation aims to control how personal data is accessed, handled and used by websites. This is widely deemed to be the most important piece of legislation pertaining to data protection in the last two decades. The basic principle of the legislation is the empowerment of people or internet users to determine how their personal data will be accessed, tracked and used by websites and people operating the sites. Data protection, privacy and security are the fundamentals that this regulation tries to secure.
GDPR wants complete transparency between webmasters or their websites and internet users or citizens of the European Union. The regulation requires organisations and individuals operating websites to seek explicit content from the users to express their approval of cookies tracking their activity and their personal data being stored and used for different purposes. The General Data Protection Regulation clearly mentions that name, email address, contact information, internet protocol, banking details and any such data that can be used to identify an individual, in the real or virtual world, should be accessed, stored or utilised in any way only if the person is aware of such activity and agrees to have their data be dealt with by the webmaster or website owner.
GDPR has a comprehensive list of what it classifies as common personal data and sensitive personal data. Common personal data includes name, phone, address, email, age, gender, employment status, job or position, credit information, purchase history, other customer information and internet protocol address. Sensitive personal data includes ethnicity, race, genetic data, biometrics, religion, political view or ideology, association with trade union or other organisations, sexual orientation, relationships and health information including medical history.
Cookies can be used to track such types of data if the user has provided their consent. The consent should be specific to how the data will be used. For instance, websites may only collect and record data. Websites may also organise and structure such data and sell them. Websites may use such data for marketing purposes. There may be third party marketers or websites that would use cookies on a different website, with the approval of the respective webmaster. Sharing such data for any purpose should also be clearly mentioned in the banner declaring the cookie policy of the website. Webmasters not in compliance with GDPR will be in violation of the law and will be severely penalised. There is a provision for steep fines for websites that breach the regulatory act.
Cookies Compliance as per GDPR
Websites should have a cookie banner or a clear disclosure that explains how the personal data of a person will be obtained, stored and used. The cookie banner should have an option for the visitor to accept the cookie policy. There could be two options for yes and no. There can be one option for okay or accept. There should be a cross sign or opt-out button for those who are not willing to accept the cookie policy. This is the way to obtain explicit consent. Till such time the cookie banner or a pop-up disclosure records the explicit consent of the visitor, the website cannot start tracking the user or cookies cannot be deployed.
Even if a visitor agrees to accept the cookie policy at one stage, there should be a provision for the same person to take back their consent. This can be available as a dynamic cookie banner or an option in the terms of use. An individual has the right to provide and withdraw consent at any time. It is for the webmaster to determine if the website will still be fully operational for visitors who do not wish to provide their consent. The cookie banner should mention exactly how the personal data of the visitor will be used. The language should be lucid. The message should be concise and yet informative.
GDPR and its provisions are not limited to the correspondence between a website and the visitor. Beyond the disclosure and consent or otherwise, webmasters should adhere to the guidelines of the regulation in regards to storing the data, using it in myriad ways and sharing it or disseminating it with other parties. There should not be any compromise on data security or privacy of individuals. Visitors to a website should also be provided the right to delete all their data, should they request so. Any individual has the right to have all their data deleted at any stage they wish. Websites should immediately comply.
Websites should also have an illustrated webpage to describe all cookies. If a visitor wants to check out this webpage and learn about different cookies, then this should be facilitated and the user has the right to check or uncheck all unnecessary cookies. There are some cookies that are necessary for the functioning of the website and these do not access or track sensitive personal data. The consent obtained from a visitor should be sought again in twelve months. The GDPR and ePR require websites to get the initial consent renewed after disclosing changes to the cookies policy, if any.
Cookie Policy 