gdpr-safety_EU
Home Resources Articles GDPR cookie consent - now and in the future

GDPR cookie consent – now and in the future

Tracking Cookies and the GDPR: Why not all cookies are the chocolate chip kind? What are tracking cookies and what are they used for? Read more.
by Usercentrics
Jul 14, 2021
gdpr-safety_EU
Table of contents
Show more Show less
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Get your free data privacy audit now!

The internet loves acronyms and initialisms. For your company’s success, it probably doesn’t matter whether you know what most of them mean, as long as your website works and you can be open for business.

 

But if you do business online, there’s one set of letters in particular that you may have seen. It’s an important one to know and even more important to understand: GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation. It’s a European Union (EU) law designed to protect the privacy of individuals’ information. You may also have heard of PII, or personally identifiable information, a related term that’s starting to become more widely known in the US, thanks to greater government interest in privacy law. It’s PII that the GDPR seeks to protect.

 

The GDPR gives people control over what personal information can be collected and used by companies.  

In recent years the tech industry has come under increasing scrutiny as more and more people have become aware of just how much personal information they are inadvertently giving up to these companies. Perhaps more importantly, people have realized what those companies have been doing with their personal data.

A rather famous example of the misuse of personal data is the story of Cambridge Analytica and its relationship with Facebook. Together they mined the data of up to 87 million Facebook users to build voter profiles for targeted political advertising. The aim of this was to influence the results of the 2016 US presidential election. 

 

None of those people had consented to their information being used in this way, and it’s unlikely that many of them would have consented had they been informed.

 

When respected newspapers on both sides of the Atlantic broke the story in 2018, it created a huge public uproar. Using innocently provided personal information for political manipulation felt like a huge breach of trust, with more than a whiff of corruption.

 

But data mining isn’t limited to political campaigning purposes.

 

Every time we use a loyalty card we’re letting a company know our preferences. Every time we share a meme, that information is saved. Every search query we type is logged. (Did you know you can look up your Google search history? All of it?)

 

This information helps advertisers target ads, enables research, supplies data to sell to brokers, is used for insurance company analysis… and the list goes on.

 

And this use of data, in theory, is fine.

 

You’d probably rather see ads for things you’re interested in, or if data analysis shows your demographic is low-risk for driving then you may well pay less for insurance. 

What the GDPR is designed to protect and enforce is consent. People are free to give away personal information – as much or of whichever kinds they like – as long as they know what information they are giving away before sharing it, understand how it will be used, and explicitly consent to doing so.

 

Now, if you’re based outside of the EU you’re probably wondering what this has to do with you. Potentially a lot. Geographical borders matter less on the internet.

 

If you run a website visited by or doing business with people in the EU, then the GDPR applies to you and your business.

 

In the unlikely scenario that your business is extremely localized to an area or market entirely excluding the EU, even if you leave third-party cookies on the computer of a visitor to your website (who happens to be in France, let’s say) you have become their data controller in the eyes of the law. Which means you have legal responsibilities.

 

The website visitor doesn’t have to be a citizen or a resident of the EU, just in that territory when they use your site, and then their rights under the GDPR are protected.

 

The GDPR is concerned with the processing (use) of personal data within its territory as well, so it doesn’t matter if goods or services are received or used in a non-EU country. If personal data is received, held, or processed within the EU, the GDPR applies.

 

If you violate this law there are potentially huge fines to pay.  

Take Google for example. They were fined nearly € 50 million (~$60 million USD) in 2019 by the Commission nationale de l’informatique et des libertés (CNIL), French data regulation authority, for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”

 

Marriott International was fined € 16.8 million in 2018 when over 300 million guest records, 30 million of which were EU residents, were revealed when their reservation system was subject to a cyberattack in 2014. It took four years for the attack to be discovered. You can just imagine the sensitive nature of the PII in that system, reflected by the fact that the original fine was over € 115 million ($170 million+ USD).

 

When it comes to fines, the EU means business. The maximum fine for a violation is € 20 million or 4 percent of annual global turnover (revenue), whichever is greater.

 

Although there is no federal law in the US when it comes to cookies and processing personal data, to date three states have passed data privacy laws (California, Virginia and Colorado) and a number of others have drafted legislation to protect consumers from nonconsensual data use, among other goals.

 

The important thing to understand regarding the GDPR is that it’s not about controlling or regulating businesses, it’s about protecting the rights of “data subjects”, which is anyone in the EU. However, the onus is on you and your business to meet GDPR requirements and protect personal data.

What counts as personal data?

Personal data is any information that can identify an individual. For the average website operator that’s likely to be first and last names, email addresses, location or IP addresses. If you perform transactions, this would also include credit card information.

 

If your business is in the medical or health field you may well hold sensitive personal information, which requires additional protections due to its nature.

 

Sensitive data or personal information is defined as:

 

  • race or ethnic origin 
  • political opinions
  • religious or similar beliefs
  • trade union membership
  • physical or mental health condition
  • sexual history or orientation
  • criminal history or alleged criminal history and the consequences
  • genetic data
  • biometric data

 

To comply with the GDPR you can only process personal data on the following legal grounds:

 

  • necessary for the performance of a contract
  • compliance with legal obligations
  • necessary to protect the “vital interests” of the data subject
  • necessary for tasks carried out in the public interest
  • necessary for the purposes of legitimate interests pursued by the controller or by a third party
  • with the explicit consent of the data subject

 

To legally process sensitive personal data you must meet at least one of these conditions:

 

  • employment, social security, and social protection (if authorized by law)
  • vital interests
  • not-for-profit bodies
  • made public by the data subject
  • legal claims or judicial acts
  • reasons of substantial public interest (with a basis in law)
  • health or social care (with a basis in law)
  • public health (with a basis in law)
  • archiving, research, and statistics (with a basis in law)
  • with the explicit consent of the data subject

 

That’s a lot of legal detail, but the final point for each category is the most important one. However you intend to use personally identifiable information, barring your intent to use and ability to prove one of the other conditions, you need the explicit and informed consent of the person supplying it before you even start collecting it.

What are cookies?

If you have something simple like an email marketing list or contact form, you’re collecting information that can identify someone, but that should be obvious to the visitor. They have supplied their personal information so you can communicate with them. Assuming that’s all you use it for, then you are in compliance with the GDPR.

 

Tracking technologies, including cookies, are a different story. Cookies are small text files that get stored in web browsers. In some ways they make the online world go ‘round. Most people don’t remember the internet before cookies were in use to store your preferences, behaviors, and other frequently accessed data. We are very much used to the convenience they provide.

 

Let’s take a look at the main categories of cookies.

Session Cookies

 

These are also known as temporary cookies and they’re what keep items in your cart until you check out. A website has no memory and is just a bunch of code, so if the site couldn’t log or “remember” your interest in purchasing an item, it wouldn’t be there to check out. They are a type of first-party cookie as they are set by the website you’re visiting.

 

If you’ve ever gone to check out an online order and your cart is empty, it’s because a session cookie wasn’t installed correctly on your computer, or your browser settings don’t allow them. They also disappear when you leave the site, aka close your session.

 

Persistent Cookies

 

The more you use a website, the more persistent cookies will remember your preferences for next time. When you check “remember me for next time” or “keep me signed in” so you don’t have to enter login information every time, a persistent cookie is stored. 

 

They stay until the cookie expires, which tends to be a long time, regardless of whether or not you leave the website or or close the browser entirely. These are also first-party cookies.

 

Third-party Cookies

 

These cookies collect your behavioral data to be used by (or sold on to) advertisers.  The data from these cookies enable them to show you targeted ads and are why, after you look up something on the internet, you’ll often start to see ads for it everywhere.

 

Cookies are generally very useful to web visitors, but because they’re invisible to the user experience, the average person has no idea what information is being tracked or what the data collector is doing with it.  

 

With the GDPR cookie consent requires you to gain explicit, informed, and non-influenced consent from every single EU visitor before any cookies are placed in their browsers. If you don’t, you’ve broken the law.

 

There are several conditions you must meet to legally comply with the GDPR definition of valid consent:

 

  • consent must be obtained before you process any data
  • request for consent and purpose of data collection and processing must be clear and unambiguous
  • specify all types of cookies and other tracking technology you use
  • make it as easy for people to consent as to reject use of any or all tracking technologies
  • accurately and securely log each consent
  • ask users to review their consent on a regular basis so they can change their minds (must also be easy to revoke previously given consent)

 

So to comply with the GDPR you need to offer website visitors opt in or opt out choices. With Usercentrics Consent Management Platform (CMP), for example, visitors can opt in or out of granularly listed web technologies. If visitors are not given granular consent options, the consent management “solution” is not GDPR-compliant.

 

To accomplish fully compliant consent management, you need a legally compliant privacy policy and a system to manage consents.

The GDPR came into effect in May 2018, so businesses have had a few years to learn and adapt their practices. In 2020 the EU reviewed the first two years of this legislation in practice and gave insight into how the GDPR might look in the future.

 

Their report declared that 69 percent of the EU population over the age of 16 had heard about the GDPR and 71 percent knew who their national data protection authority was.

 

What this means for business owners is that EU citizens, particularly, know their rights and how to exercise them.

 

DSAR is another initialism to add to your need-to-know list. It stands for Data Subject Access Request. 

 

These four letters may cause the utterance of other four-letter words, as DSARs are a requirement of the GDPR that can be time-consuming and resource-intensive to comply with.

 

Essentially, individuals have the right to contact companies that have their data, and make requests about it. For example, asking for a copy or asking it to be deleted. The company receiving the request would have to reveal all information held on the data subject (though under some laws there is a limit on the time period required). These requests often look for instances of breaches of the GDPR.

 

In the US, five federal laws include a right to access personal data:

 

  • Federal Credit Reporting Act
  • Family Educational Rights and Privacy Act
  • Children’s Online Privacy Protection Act
  • Health Insurance Portability and Accountability Act
  • Privacy Act of 1974

 

As well as these federal laws, as previously mentioned, some states are taking consumer privacy into their own hands, resulting in laws like the California Consumer Privacy Act (CCPA). It also enables data subjects to request access to personal information that companies hold on them.

 

What this means is that business owners almost everywhere can’t ignore consumer privacy, because consumers won’t.  

 

Emboldened by increased publicly available information and their legal rights, some individuals are actively searching for examples where businesses have misused their personal information. If those businesses haven’t recorded explicit and valid consent, they could be in trouble. 

 

The GDPR entitles people to damages, but doesn’t provide full private right of action, aka the ability to sue a company that is in violation. The CCPA does provide private right of action, and case law is starting to clarify interpretation of the law. None of the other US state data privacy laws include private right of action, however.

 

At the same time, Silicon Valley tech companies are spending eye-watering amounts of money lobbying for access to personal data and the right to exploit it. In good part because they’ve been able to do so largely with impunity until now, and have made hundreds of billions of dollars from it. They say it’s the inevitable price of human progress, but let’s face it, they also don’t want that tap turned off.

 

Public and political sentiment suggest that increasingly, however, it’s not a price we’re willing to pay.

 

The GDPR is not going away, and is evolving with greater strength, clarity and reach. As businesses shore up their privacy policies to comply with the GDPR, they’re demanding supply chains in every industry comply, too, whether directly relevant or not. (Generally, third parties that a company does business with also have to have privacy agreements in place and be in compliance.)  

 

The result is, ideally, something of a domino effect, where suppliers fall in line to keep their contracts, and in turn demand the same compliance from the suppliers they do business with.

 

The same goes for investors and acquisitive companies. No one wants to put money into a business that might take a huge financial penalty because they’re playing fast and loose with personal information. It’s just not worth the financial or reputational risk anymore.

 

So whether companies are legally required to have a data privacy policy or not according to local law, increasingly they are studying GDPR compliance (which is the most well established) because of pressure from multiple sides. And also because it’s the right thing to do for customers and visitors.

 

If you have any dealings with EU businesses or are about to renew a pre-GDPR contract, it will have terms relating to data sharing, transfer and use, and you will need to have a water-tight GDPR-compliant data processing policy.

 

While the GDPR may not be the literal law of the land in all countries, it definitely has global influence.

 

Consumer privacy is already written into laws around the world, in countries in North and South America, Africa, and Asia in addition to Europe. Additional nations and regions will develop their own versions of the GDPR, and while the US will likely eventually have a federal data privacy law, in the meantime we can expect more and more states to follow California’s lead and pass their own legislation.

 

SMEs (small and medium business enterprises) that want to do business globally or have international visitors to their websites (and when you’re on the internet, it’s kind of hard not to), need to comply with the GDPR now. Risks of noncompliance aside, having the entire world as your audience or potential customer base is an attractive prospect.

 

Cookie consent and a comprehensive data privacy policy are a priority for any size business, anywhere in the world, that owns and operates a website and processes data (which they all do).

 

For a comprehensive and customizable consent management system to make data privacy compliance clear and easy to adopt, not to mention helping you increase your consent rates, Usercentrics is the market leader. Our system empowers business owners to obtain, manage and document audit-proof consent across all platforms.

 

It may seem like an exercise in future-proofing your business, but privacy is already the new normal. The future is here.

Related Articles

California Privacy Rights Act (CPRA) and the future of privacy law

California Privacy Rights Act (CPRA) enforcement is starting: what you need to know

The California Privacy Rights Act (CPRA) has been in effect since January 1, 2023. CPRA enforcement was delayed due...

DMA Marketer

Implementing consent for Google ads personalization: A comprehensive guide to the Google Ads compliance alert

Google Ads’ notification to "implement consent for ads personalization" isn't just a policy change.