GDPR Compliance Means Cookie Notices Must Change
You’re probably one of those people who ticked the cookie law box ages ago and hasn’t thought about it since.
The game has changed and it’s now time to revisit your position. The ePrivacy Directive, which gave us the cookie law, is currently undergoing a revision, but the real issue now is the EU GDPR. It may be 2018 before it is enforced, but it is already law, and it has tightened the rules and increased the penalties for non-compliance.
While there may be some time before GDPR is officially in effect, it’s important to begin thinking about the changes an organization will need to make now, especially those with multiple websites.
OneTrust recently attended the PDP 16th Annual Data Protection Compliance conference in London, where a leading UK barrister discussed the topic of cookie compliance.
With that, here are some of the top issues for cookie consent that the GDPR raises:
Cookies can be personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymous or if they do not directly identify an individual, will be considered personal data if there is potential for an individual to be identified or singled out. Any persistent cookie that is unique to the device by virtue of its attributes or stored values fits the criteria for personal data. This is the basis for cookie consent being about GDPR compliance now, as well as the existing cookie laws.
Implied consent is no longer going to be compliant. There are several reasons for this, primarily because the GDPR requires users to take an “affirmative action” to signal their consent. Simply visiting a site for the first time does not qualify, so loading up your landing pages with cookies in the hope that people won’t opt out will no longer suffice.
Advice to adjust browser settings won’t be enough. The GDPR says it must be as easy to withdraw consent as it is to give it. Telling people to block cookies if they don’t consent does not meet this criterion: adjusting browser settings is difficult for most visitors, ineffective against non-cookie-based tracking, and doesn’t provide enough granularity of choice.
“By using this site, you accept cookies” statements will not be compliant. If there is no genuine and free choice, then there is no valid consent. People who don’t consent can’t suffer detriment, which means you have to provide some service to those who don’t accept those terms.
Sites will need an always-available opt-out. Even after getting valid consent, there must be a way for people to change their minds. Again, this comes down to the requirement that withdrawing consent must be as easy as providing it.
Soft opt-in is likely the best consent model. Organizations may want to start giving site visitors an opportunity to act before cookies are set on a first visit. If the site has offered fair notice, continuing to browse can in most circumstances be valid consent via affirmative action, but be sure to note the point above about implementing a persistent opt-out route. This, however, may not be sufficient for sites that contain health-related content, or other sites where the browsing history may reveal sensitive personal data about the visitor. Those particular cases may require explicit consent.
You need a response to Do Not Track browser requests. A DNT: 1 header is a valid browser setting that communicates a visitor’s preference. It could also be interpreted by regulators as an exercise of the right to object to profiling.
Consent will need to be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose, e.g. granular levels of control with separate consents for tracking and analytics cookies.
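The points above (no implied consent, an always-available opt-out, a response to DNT, and per-purpose consent) translate into a small server-side gate. The following is an added example, not code from OneTrust or from this article; it assumes a hypothetical first-party cookie named "cookie_consent" storing per-purpose choices as "analytics:1,tracking:0", Node-style lowercase header names, and that strictly necessary cookies are exempt from consent.

```javascript
// Added example (not OneTrust's code): decide, per purpose, whether a response
// may set cookies, from the request's Cookie and DNT headers.
// Assumption: hypothetical cookie "cookie_consent" holds "analytics:1,tracking:0".
const CONSENT_COOKIE = "cookie_consent";
// "necessary" is assumed exempt from consent; other purposes need a recorded choice.
const PURPOSES = ["necessary", "analytics", "tracking"];

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Parse the stored consent value. Returns null when nothing valid is recorded,
// so a first visit or a malformed value is never treated as implied consent.
function parseConsent(value) {
  if (!value) return null;
  const choices = {};
  for (const field of value.split(",")) {
    const [purpose, flag] = field.split(":");
    if (!PURPOSES.includes(purpose) || !["0", "1"].includes(flag)) return null;
    choices[purpose] = flag === "1";
  }
  return choices;
}

// DNT: 1 is treated as an objection to profiling: it overrides any stored
// consent for the "tracking" purpose. Every other purpose needs an explicit "1".
function allowedPurposes(headers) {
  const consent = parseConsent(parseCookieHeader(headers.cookie)[CONSENT_COOKIE]);
  const dnt = String(headers.dnt || "").trim() === "1";
  const allowed = {};
  for (const purpose of PURPOSES) {
    if (purpose === "necessary") allowed[purpose] = true;
    else if (purpose === "tracking" && dnt) allowed[purpose] = false;
    else allowed[purpose] = consent !== null && consent[purpose] === true;
  }
  return allowed;
}

// Build the Set-Cookie value that records a choice; passing all-false choices
// is the withdrawal route, so opting out is the same one-step action as opting in.
function consentSetCookie(choices) {
  const value = PURPOSES.filter((p) => p !== "necessary")
    .map((p) => `${p}:${choices[p] ? 1 : 0}`).join(",");
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}
```

Wire `allowedPurposes(req.headers)` in before any analytics or advertising tag is emitted, and route both the banner's "accept" and the footer's "withdraw" link through `consentSetCookie`.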
Most sites right now would fail on many of these criteria, and with the high risks associated with GDPR non-compliance (fines of up to 4% of annual returns), most organizations won’t want to fail even once. If this describes you, it’s time to take action.