New Regulatory Challenges

With the EU General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, consent management has become an urgent matter for everyone.

The GDPR’s provisions on consent target not only data stored in the case of contracts but also data used for marketing purposes, and even cookies.

Companies often fail to give customers sufficient data privacy, leading to unprecedented volumes of exposed data. By far the biggest data breach of the 21st century is the one Yahoo suffered in 2013, which exposed 3 billion user accounts and personally identifiable information (according to CSO Online).

The GDPR is not the only law dealing with consent. While the changes it brings seem to have the greatest impact, consent is an important aspect of other legislation as well. The following figure presents data protection laws across the world and compares them.

“Technology trust is a good thing, but control is a better one.”
Stephane Nappo

Cookies are small pieces of data stored on a user’s device which allow websites to recall actions or preferences.

The GDPR will change the current Cookie Policy and the way cookie consent is managed. Prepare to say goodbye to the classic notice “By continuing to navigate on this website you agree to cookies”.

Once the GDPR is in place, you will need specific consent for each type of cookie you plan to store on a user’s computer. You’ll also need to give users the option to opt out of cookie consent just as easily.

"Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
GDPR Recital 30

Cookies As Personal Data

Under the GDPR, cookies are treated as personally identifiable information (PII), which means that after the 24th of May, website owners will need to make 3 key changes:

"By using this website, you accept cookies" will not be enough. The data subject needs to be given a real choice. That type of phrase does not explain why cookies are needed and offers no alternative. Website owners will not be able to force users to accept cookies as a condition of getting information from their website.

Consenting to cookies needs to be a clear affirmative action, such as clicking through an opt-in box or choosing certain settings in a menu. As already explained, visiting a website does not imply consent.

Websites will need to provide an opt-out option: it must be as easy to withdraw consent as it was to give it. This means users should be able to remove consent through the same type of action they used to give it. For example, if they clicked through some boxes on a form on the website, they need to be able to find the same form to revoke consent.