The EU’s GDPR (General Data Protection Regulation, in force since 2018) had a privacy predecessor: the EU ePrivacy Directive, which took effect across the member states in 2011 and is commonly called the Cookie Law. The name is a little misleading, because the directive covers any information stored on, or read from, a user’s device, and there are many different types of cookies that record your browsing habits. Here are the important ones, all of which fall under the Cookie Law regardless of how they are physically stored on your PC, tablet or mobile device:
- Transient cookies – last only as long as your browsing session and are ordinarily destroyed when the browser closes. They normally hold no personal information; they exist to keep a session together (a login, a shopping cart, a message thread) rather than to record you.
- Session stored cookies – hold information about users and their service requests beyond the current session. They are stored in a variety of formats, and how well the stored information is protected varies from site to site; a poorly protected cookie can be swept up by unauthorized bots or scripts. Users can block these cookies in their browser, but websites that depend on them may curtail some services.
- Performance cookies – track visits and other browsing habits, so they store information about your use of a website across many visits. Normally any personal data is anonymized and aggregated so that it cannot be traced back to a person, but not all performance data is anonymized and aggregated, and performance cookies are just as exposed to bot sweeping if the cookie data is not properly protected.
- Targeting/tracking cookies – are used by a website owner and its partners to build a profile of a user’s interests and show them relevant ads on other sites. They work by uniquely identifying the user, the browsers used, location and other device characteristics. All or part of the profile may be stored locally and on a central server. Again, these cookies are subject to the data protection weaknesses cited above.
- Malicious targeting cookies – tracking cookies whose personal data and browsing profiles are sold to third parties, to be used as the third party sees fit, without the user’s consent.
As one can see, no matter how they are stored, the cookies become more serious encroachments on personal privacy as you go down the list. Hence the EU Cookie Law of 2011.
The other problem with cookies is that they are stealthy. Users are blissfully unaware that their personal data is being harvested until, one day, after telling friends on Facebook and Twitter that you are thinking of getting a new laptop, you ask a buddy on Gmail what he thinks of the new Dell and Lenovo laptops, and then, bang, the next morning while visiting your favorite sports website followed by a quick check of the news you find yourself barraged with laptop ads. Think of what might happen if you mentioned changing condom brands. Hence the appearance and evolution of the Cookie Law.
Cookie Law History
The Cookie Law, like GDPR, has a fairly long history. The ePrivacy Directive of 2002 (Directive 2002/58/EC) set out the first outlines of the law, and its 2009 amendment (Directive 2009/136/EC) broadened it to cover more generally the protection of data and privacy on the web and in other forms of electronic communication, adding the consent requirement for cookies. Member states had until May 2011 to transpose the amended directive into national law, which is why 2011 is usually given as the Cookie Law’s start date. Now this is important: a directive is not a law in itself. Rather, it is an instruction to EU member states to enact national laws that match the directive. Interestingly, despite Brexit, the UK has done so for both the Cookie Law (as the Privacy and Electronic Communications Regulations) and GDPR.
The Cookie Law is far shorter than GDPR’s 99 articles. Here is the critical provision, Article 5(3) as amended in 2009:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.”
Now the other key component of the Cookie Law, like GDPR, is that it applies to websites and web services that serve people in the EU, regardless of whether the website or web service is based in an EU country. GDPR’s territorial scope (Article 3) turns on where the person is, not on citizenship: a non-EU business that offers goods or services to, or monitors the behaviour of, people in the EU is covered, and an EU-established business is covered wherever its users happen to be.
Cookie Law and GDPR
As we have already seen, there is significant overlap between the two. The Cookie Law maximum fine, around €500K under the national laws that implement it, is significantly less than the GDPR maximum of €20M or 4% of worldwide annual turnover, whichever is higher. But some EU countries have found ways around this limit, as seen here:
“Yesterday (10th November) a Belgian court ordered Facebook to stop tracking some non-members across the web. The social media giant was given 2 days to comply, or be issued fines of 250,000 euros per day.” Source.
The tougher GDPR terms on consent and compliance are also being applied to the Cookie Law, because GDPR’s personal data protections are more comprehensive and the personal data held in cookies falls under them. So although the Cookie Law is not explicitly referenced in GDPR (though GDPR’s Recital 30 does name cookie identifiers as personal data), GDPR is being applied to cookies in EU countries, especially regarding consent and compliance.
So the bottom line is that GDPR significantly tightens cookie consent in the following ways:
- Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as ticking an opt-in box or choosing settings on a preferences menu. Simply visiting a site does not count as consent, and “By using this site, you accept cookies” messages are no longer enough.
- The different cookie types must be listed, and users must be able to consent separately to each type according to the personal data it holds. A single all-or-nothing switch that bundles necessary, performance and targeting cookies together does not give them that choice.
- It must be as easy to withdraw consent as it is to give it. So a Cookie Consent button must be available on the website at all times, letting a user see their current cookie consent choices and change them.
So the bottom line is that websites with EU customers will have to provide not just a Privacy Policy statement but also a permanently available Cookie Consent button that lets users review and change their cookie preferences, just as the Personal Data option lets them correct or erase their personal data.
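The three rules above translate directly into code. What follows is an added example, written for this page and not taken from the article, Cookie Consent or OneTrust, of a consent gate that enforces them: no consent is assumed until the user acts, each category is granted separately, and withdrawal is one call that takes effect immediately. The category names and the in-memory cookie jar are assumptions made for illustration; in a browser the jar would wrap document.cookie.

```javascript
// Added example (not from the original article): a consent gate for the
// GDPR-era cookie rules. Category names and MemoryJar are assumptions.
const CATEGORIES = ['necessary', 'performance', 'targeting']; // assumed taxonomy

// Stand-in for the browser cookie store, so the gate can be exercised offline.
class MemoryJar {
  constructor() { this.cookies = new Map(); }
  set(category, name, value) { this.cookies.set(name, { category, value }); }
  // Withdrawal has to be effective, so the jar can drop a whole category at once.
  deleteCategory(category) {
    for (const [name, c] of this.cookies) if (c.category === category) this.cookies.delete(name);
  }
  names() { return [...this.cookies.keys()].sort(); }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.choices = null; // null: the user has not acted yet; merely visiting is not consent
  }
  // Called only from an explicit user action (a Save/Accept click), never on page load.
  recordChoice(selected) {
    const choices = {};
    for (const cat of CATEGORIES) {
      // Strictly necessary cookies need no consent (the second sentence of
      // Article 5(3), which the article does not quote, exempts them).
      choices[cat] = cat === 'necessary' ? true : selected[cat] === true;
    }
    this.choices = choices;
    // Withdrawal takes effect now: purge every category the user just refused.
    for (const cat of CATEGORIES) if (!choices[cat]) this.jar.deleteCategory(cat);
    return { ...choices };
  }
  withdrawAll() { return this.recordChoice({}); } // as easy as granting: one action
  // What the always-visible Cookie Consent button shows; null until the user has chosen.
  currentChoices() { return this.choices && { ...this.choices }; }
  isAllowed(cat) {
    if (cat === 'necessary') return true;
    return this.choices !== null && this.choices[cat] === true; // unknown category: denied
  }
  // Every non-essential Set-Cookie goes through here; the default answer is "no".
  setCookie(cat, name, value) {
    if (!this.isAllowed(cat)) return false;
    this.jar.set(cat, name, value);
    return true;
  }
}

// Walk-through: plain visit, partial opt-in, full opt-in, then withdrawal.
function walkthrough() {
  const jar = new MemoryJar();
  const cm = new ConsentManager(jar);
  const log = [];
  log.push(['visit: targeting cookie', cm.setCookie('targeting', '_ad', 'x')]);      // false
  log.push(['visit: session cookie', cm.setCookie('necessary', 'sid', 'y')]);        // true
  cm.recordChoice({ performance: true });
  log.push(['perf only: perf cookie', cm.setCookie('performance', '_pv', '1')]);    // true
  log.push(['perf only: targeting cookie', cm.setCookie('targeting', '_ad', 'x')]); // false
  cm.recordChoice({ performance: true, targeting: true });
  log.push(['all: targeting cookie', cm.setCookie('targeting', '_ad', 'x')]);       // true
  cm.withdrawAll();
  log.push(['after withdrawal, jar holds', jar.names()]);                           // ['sid']
  return log;
}

console.log(walkthrough());
```

The important design choice is that the gate's default is refusal: a tag or script that wants to set a cookie has to name a category and gets a false back unless the user has affirmatively granted that category, so a bundled "accept all" or a banner that never fires recordChoice cannot leak a targeting cookie.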
Cookie Law Tools
Just as with GDPR, where a data audit is the first and most important step in establishing a viable personal data policy, the same is true of a cookie policy. Fortunately there are a number of cookie audit tools:
- OneTrust has a free Cookie Audit tool, and lots of Cookie Law documentation.
- Cookie Consent has free code for a simple Cookie Consent statement, used on this page.
- EditThisCookie is a Chrome extension that shows what cookies are in use and lets you change some of their options. Problem: the Attacat cookie audit found many more cookies than EditThisCookie on a number of website tests.
- The Attacat Cookie tool lists all the cookies found by touring all the pages on a website. Attacat finds more cookies than any of the other tools, but it does not support changing cookie usage and options.
- Each of the browsers now has tools (often buried deep in the settings) for listing the cookies in use and turning them off completely or restricting their options. This is only indirect control, because it applies to your own browsing experience, not to your website’s users.
The bad news is that there are no tools for turning off invasive third-party cookies other than going to each “agent of invasive targeting” and turning each off one by one. The good news is that Cookie and GDPR management is a fast-expanding field, so controlling plugins and apps will surely appear in the marketplace.
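The audit tools above report what cookies a site sets; the cookie types listed at the top of the page are the buckets an auditor sorts them into. As an added example that is not from the article or any of the tools it names, here is the core of such an audit over Set-Cookie headers: it separates transient from stored cookies by lifetime, first-party from third-party by domain, and flags the attributes (Secure, HttpOnly, SameSite) whose absence leaves the stored value exposed to exactly the sweeping the cookie types above warn about. The sample responses are constructed, and the registrable-domain check is a deliberate simplification, noted in the code.

```javascript
// Added example (not from the original article): a small Set-Cookie audit.
// Sample responses below are constructed; hostnames are not real sites.

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('='), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// Registrable domain simplified to the last two labels. A real audit must use the
// Public Suffix List; this heuristic misclassifies hosts under "co.uk" and the like.
function site(host) { return host.toLowerCase().split('.').slice(-2).join('.'); }

// Lifetime in days; 0 means no Expires/Max-Age, i.e. a transient (session) cookie.
function lifetimeDays(attrs, now) {
  if ('max-age' in attrs) return Number(attrs['max-age']) / 86400;
  if ('expires' in attrs) return (Date.parse(attrs['expires']) - now) / 86400000;
  return 0;
}

function auditCookie(pageHost, responseHost, header, now = Date.now()) {
  const c = parseSetCookie(header);
  const a = c.attrs;
  const days = lifetimeDays(a, now);
  // The cookie's scope is its Domain attribute if present, else the responding host.
  const cookieSite = site(a.domain ? a.domain.replace(/^\./, '') : responseHost);
  const findings = [];
  if (!('secure' in a)) findings.push('missing Secure: also sent over plain HTTP');
  if (!('httponly' in a)) findings.push('missing HttpOnly: readable by page scripts');
  if (!('samesite' in a)) findings.push('missing SameSite: browser default applies');
  else if (a.samesite.toLowerCase() === 'none' && !('secure' in a)) {
    findings.push('SameSite=None without Secure: cross-site cookie that browsers reject');
  }
  if (days > 365) findings.push(`persistent for ${Math.round(days)} days`);
  return {
    name: c.name,
    persistence: days > 0 ? 'stored' : 'transient',
    party: cookieSite === site(pageHost) ? 'first-party' : 'third-party',
    findings,
  };
}

// Audit every Set-Cookie seen while loading a page: [responding host, header] pairs.
function auditAll(pageHost, responses) {
  return responses.map(([host, header]) => auditCookie(pageHost, host, header));
}

// Constructed sample: three responses captured while loading https://www.example.com/
const SAMPLE = [
  ['www.example.com', 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['www.example.com', '_perf=u=42; Max-Age=2592000; Path=/; Secure; SameSite=Lax'],
  ['ads.tracker-example.net', 'uid=9f8e7d; Domain=.tracker-example.net; Max-Age=63072000; SameSite=None'],
];

console.log(JSON.stringify(auditAll('www.example.com', SAMPLE), null, 2));
```

Run against the constructed sample, the login cookie comes out transient and first-party with no findings, the performance cookie is a 30-day first-party cookie readable by scripts, and the tracker's cookie is a two-year third-party identifier with no protection at all. That third row is the kind of entry a browser-only listing can miss and a page-crawling audit catches, because it only appears once the ad partner's response has been loaded.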
Summary
GDPR and cookie management is a case of good news versus bad news. The good news is that the EU GDPR and Cookie rules now apply worldwide, with the growing exception of the Chinanet. The bad news is that there are so many malicious tracking players, led by Facebook and Google, invading and inserting themselves on your website without an ounce of permission, and only bland support for controlling those incursions. Not good.
©JBSurveyer @ ImagenationIT 2018