CATEGORY: INTERNATIONAL LAW
On May 25th 2018, the General Data Protection Regulation (“GDPR”) entered into force, representing the most significant initiative on data protection in 20 years. Arguably, the most notable alteration in the everyday life of citizens is the “cookie pop-up” on -almost- all websites. Nowadays, when entering a website, the first thing the user sees is a message equivalent to the following:
The official definition provided by the European Commission for “cookies” provides that a cookie is “a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing.” Their purpose is to allow the website to "remember" the user’s actions or preferences over time.
Surprisingly, cookies are only mentioned once in the GDPR and not even in the main body of the Regulation. The sole reference is found in the recital No.30 of the Regulation:
“(30) Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
These few lines have a massive impact on the compliance of cookies, basically stating that when cookies can identify an individual directly or indirectly, it is considered personal data. The GDPR considers a name, a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address as personal data. Examples of cookies that could identify users are cookies for analytics, advertising and functional services, such as survey and chat tools.
The usual problem with cookies lies on the notion of “consent”. In order to secure the compliance with the data protection requirements, website administrators use the “cookie pop-ups” in order to receive the consent of the website user to acquire, store and track his or her identifiable data.
The lack of consent represents a major breach from a legal point of view, and due to the indifference of website owners and administrators, the user’s privacy is increasingly compromised. The user is not in a position to be aware neither of which personal data is tracked and saved, nor of who is tracking users, for what purpose and for how long. Undoubtedly, the aforementioned are vigorously opposed to both the spirit and the letter of data protection regulations and therefore many website administrators and owners may be in breach. The consequences of non-compliance may be economic (e.g. fines), reputational (e.g. negative publicity and lack of trust) or commercial (e.g. obstacles in concluding agreements with other companies).
The question arising at this point is, how does a website administrator ensure that a website and its cookies are compliant with the GDPR? The answer is mainly found in the ePrivacy Directive (Directive 95/46/EC) which provides for the protection of privacy and all personal data collected in relation to EU citizens for reasons of processing, use and data exchange.
Combining the provisions of the GDPR and the ePrivacy Directive, the following guidelines for website administrators emerge:
Based on the abovementioned, a GDPR compliant cookie message would be the following:
To conclude, the safeguarding of a subject’s personal data constitutes a significant aspect of the right to privacy. Website owners and administrators are obliged to operate in a manner which guarantees the protection and respect to a person’s personal information. The need for data protection in the internet environment nowadays is greater than ever before, and non-compliance with the previously mentioned principles will not be tolerated.
Author: MARIA LAZARIDOU