GDPR from a Cookie Control Perspective
This blog will discuss what implications the new legislation brings and how we should prepare for its release. It will not be enforced before May 2018, however, the changes it prescribes for organisations holding their User’s Personal Data are significant and planning for this needs to be considered now.
It is worth noting that it's obvious the law was written with social networks and cloud providers in mind. However, it does have implications for the usage of Cookies and similar technologies, which we will cover in this blog post.
According to GDPR, Cookies can be considered Personal Data:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” (Page 30 of the GDPR Regulation)
It is important to note that not all Cookies are considered Personal Data; only those which can be used in a way that could profile the users and identify them. These can be considered as Personal Data and hence are subject to this legislation.
This may or may not include analytics Cookies, it depends on how you use them, and it will almost certainly include advertising Cookies that are placed by your “ad” plug-ins. It will also include several other functional Cookies that your website might use.
Changes to the ‘Consent’ Model
GDPR brings big changes to the ‘User Consent’ model, specifically, the ‘Information Only’ and the ‘Implied Consent’. These models are no longer compliant, meaning that you cannot take the user’s consent for granted or assume it has been given:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.” (Paragraph 32, page 6 of the GDPR regulation)
This is further emphasised later in Recital 42 of the GDPR Regulation, which states that “consent” is not considered to be “freely given”, if you refuse to provide any of your services unless the user consents to the use of their personal data. In other words, if users do not consent to the use of their personal information for analytics, they should still be able to use your website in some way.
Finally, it is necessary that users will have the option to withdraw their consent at any point, as is stated in “Article 7 - Conditions for consent”. The same article also clearly mentions that when consent is given, the “data controller” (your organisation) will be required to be able to demonstrate / prove it has been given at a later date, if asked.
Another significant change the new legislation bears, is its Global reach. This means that it applies to organisations that are based both inside and outside the European Union (EU), if they manipulate the personal information of users that are based in the EU. This also means that all Member States should comply to the new regulation as is, so there will be no differences in the way you should craft your website regardless of where your audience and visitors come from.
Cookie Control Compliance with GDPR
Cookie Control in its current version, 7.2 is a remarkably stable and customisable plugin. It is already compliant with most of the requirements of the new legislation in its current delivered form.
It already supports a clear, explicit consent model, and allows users to change their choice at any time. You can control which Cookies should be placed until the users give their consent to specific or all of your Cookies.
It respects the users’ “Do-Not-Track” setting in their browsers. It even goes beyond Cookies and treats other formats of persisting information, like HTML5 Web Storage, just like Cookies, meaning it does not allow data to be stored in it without the user’s consent.
For the rest of them, such as granular consent management for different types of Cookies, its extensive and well documented API allows them to be implemented in a fairly straightforward manner.
That being said, we are currently working on the next version of Cookie Control which will be released in the next few months, along with a new configuration tool on our website. The full legislation will be supported easily and in this new extended version.