As we outlined earlier this week, organizations that collect personal data from European data subjects need to start paying attention to how GDPR will impact their general business practices, and evaluate their need for compliance.
For marketers, the biggest concerns surround the issues of data collection and consent. Online, one of the most common ways of collecting data is through the use of “cookies,” small packets of data left by websites on web browsers.
Privacy concerns surrounding cookies have been an issue for several years now. Under GDPR, it’s important to understand that personal data, like IP addresses and other information collected by cookies, is not a corporate asset, but is owned by the data subject.
Here’s a breakdown of what you need to know:
What are cookies?
Cookies are pieces of tracking data which are placed by websites on users’ browsers. They serve a number of different purposes. For example, websites might use cookies to track whether a user is logged into an account, whether they’ve added or removed items from their shopping cart, or to track browser history to create more personalized user experiences.
Cookies can also be used by third parties to track user browsing history. Common third-party use cases include advertisers who want to track traffic from ads placed on other websites.
How does GDPR impact cookies and consent?
Privacy concerns surrounding cookies aren’t new in the EU – regulations surrounding cookies and consent were first adopted in 2011. As Guillaume Marcerou, Criteo global privacy director wrote in a recent blog post:
“One of the most discussed issues for the digital marketing industry is that technical identifiers such as Cookies and Mobile Advertising IDs are now considered personal data. While this may seem like an exceptional development to many US-based companies subject to the regulation, this was already the case in many EU countries including France.”
Here’s what’s different. Under GDPR, “all EU member states must treat cookies and other technical identifiers as personal data.” Parties who violate these regulations will now also be subject to penalties, which could amount to as much as 4% of global annual revenue, or €20 million, whichever is greater.
U.S. companies that collect the personal data of European data subjects must comply with the new rule.
Asking for consent under GDPR
In order to be compliant, organizations must ensure that consent for processing and storage of personal data is “freely given,” with that consent sought in “clear and plain language.” Consent is not regarded as “freely given” if it is obtained on conditional terms, for example where it is made a condition of providing a service even though it is not necessary for the “performance of the contract.”
“What you need to do is make sure you are providing a comprehensive cookie notice,” Marcerou told me in an interview.
Simply put, this means brands must explicitly educate users on how they plan to use their personal data, on an opt-in basis. More importantly, organizations can’t restrict website usability or services based on whether or not consent was granted.
“Publishers will still have to make their content available,” Doug McPherson, Chief Administrative Officer and General Counsel at OpenX, a programmatic advertising company, said.
Consent is not required for cookies that are used specifically for the collection of “non-sensitive personal data” – like a cookie that is used to track items in a user’s shopping cart. However, if a cookie collects any personal data, which, under GDPR, includes IP addresses that are tied to users, this could be considered an infringement of the regulation and subject to penalty.
Though third-party cookies are not owned by the sites they are dropped on, companies that allow these cookies can still be held liable for violations associated with data collection.
“In general, a website owner can be held liable for GDPR violations by a third party that is collecting EU personal data by dropping pixels,” McPherson said.
When to ask for consent
Under GDPR, it is imperative for organizations who distribute cookies to allow users to express consent before the cookie is dropped. In many cases, cookies are dropped upon a user’s arrival at a website to track attribution. This could be a problem for companies under GDPR.
“Even if the user refuses the user cookie, the cookie is already dropped and the cookie is already tracked,” Marcerou said.
To remain compliant, companies must ensure that personal data or other identifiers are only collected after a user expresses consent. This can be done by launching an opt-in banner as soon as a user enters the site. Brands should also make their privacy policy clear and accessible to users.
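The failure mode Marcerou describes is a tracking cookie written on page load, before the banner has been answered. The following is an added example, not code from the article or from any vendor quoted in it, of a consent gate that writes only strictly necessary cookies (such as the cart cookie) on arrival and holds marketing or attribution cookies in memory until the visitor opts in. The cookie names, purpose classes and in-memory jar are assumptions chosen for illustration; a browser deployment would wrap document.cookie in the same set/get interface.

```javascript
// Added example: consent-gated cookie writer. Classification of each cookie by
// purpose is an assumption for this illustration; a site would maintain its own list.
const COOKIE_PURPOSES = {
  cart: "necessary",        // shopping-cart state needed to deliver the requested service
  session: "necessary",     // login session
  attribution: "marketing", // which campaign brought the visitor here
  visitor_id: "marketing",  // cross-visit identifier used for personalisation
};

class ConsentGate {
  constructor(jar) {
    this.jar = jar;        // any object with set(name, value) / get(name)
    this.consent = null;   // null = banner not yet answered; else { marketing: bool }
    this.pending = [];     // non-necessary cookies deferred until a decision is recorded
  }

  // Necessary cookies are written immediately. Anything else is deferred while the
  // banner is open, then written or refused according to the recorded choice.
  setCookie(name, value) {
    const purpose = COOKIE_PURPOSES[name];
    if (purpose === undefined) throw new Error(`unclassified cookie: ${name}`);
    if (purpose === "necessary") { this.jar.set(name, value); return "written"; }
    if (this.consent === null) { this.pending.push([name, value]); return "deferred"; }
    if (this.consent[purpose]) { this.jar.set(name, value); return "written"; }
    return "refused";
  }

  // Record the banner decision and replay the deferred cookies through the gate,
  // so a refusal leaves nothing in the jar that was not necessary.
  recordConsent(choices) {
    this.consent = { marketing: Boolean(choices.marketing) };
    const queued = this.pending;
    this.pending = [];
    for (const [name, value] of queued) this.setCookie(name, value);
  }
}

// Constructed in-memory jar so the gate can run outside a browser.
function memoryJar() {
  const store = new Map();
  return { set: (n, v) => store.set(n, v), get: (n) => store.get(n), names: () => [...store.keys()] };
}

// Simulate a visitor arriving from a campaign link and then answering the banner.
function arrivalScenario(acceptMarketing) {
  const jar = memoryJar();
  const gate = new ConsentGate(jar);
  gate.setCookie("cart", "items=0");                  // written on arrival
  gate.setCookie("attribution", "campaign=spring");   // held back on arrival
  const beforeBanner = jar.names();
  gate.recordConsent({ marketing: acceptMarketing });
  return { beforeBanner, afterBanner: jar.names() };
}
```

Running arrivalScenario(false) shows only the cart cookie in the jar both before and after the banner, while arrivalScenario(true) adds the attribution cookie only after the opt-in is recorded.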
“Clear consent must derive from the use of the cookie for a specific purpose,” Marcerou said.
According to Marcerou, despite these apparent restrictions, the breadth of the GDPR directive is actually intended to create a more unifying body of laws regarding data privacy: “To ensure a free flow of data across the member states,” Marcerou said.