Until a couple of years ago, here in the UK we were all trying to adhere to the Data Protection Act 1998. On 25 May 2018 the GDPR (General Data Protection Regulation) came into force. It is an EU regulation rather than a set of guidelines, and it was written with modern data processing, web tracking included, in mind.
Because the rules were new, companies had a great deal of compliance work to do in a short time, which left room for things to go wrong and for breaches to occur. Cookies have been a feature of the web for a long time, yet some sites and companies found themselves on the wrong side of the rules once GDPR-standard consent applied to them.
What are cookies?
Cookies were introduced in 1994 by Lou Montulli, then at Netscape. They are small pieces of text that a website asks the browser to store and that the browser sends back with every later request to that site. Sites use them to recognise a returning browser, keep track of state and adjust the site accordingly. It is the tracking of user activity that raises the security and privacy concerns: sites mine this data, both individually and in aggregate, to produce targeted advertising and marketing.
This has caused major controversies in recent years, including the Cambridge Analytica scandal, which revolved around harvesting data on US and UK voters. Those people could then be served targeted adverts that could potentially affect election results. Christopher Wylie, who was involved in obtaining the data, said: “We exploited Facebook to harvest millions of people’s profiles… built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”
ICO GDPR breach
In light of the above, it is worth noting that the ICO (Information Commissioner’s Office) was itself reported for a cookie-consent breach because its website automatically placed cookies on the devices of mobile users visiting the site. The ICO looked into the claim and a spokesperson said: ‘I acknowledge that the current cookies consent notice on our website doesn’t meet the required GDPR standard.’
The ICO then had to commit to bringing its own cookie policy into line with the regulations. If the regulator can get this wrong, that shows both how hard it can be to comply with data rules in practice and how easy it is to slip up.
So what do the regulations say about cookies?
Strictly speaking, the UK cookie rules sit in the Privacy and Electronic Communications Regulations (PECR); GDPR supplies the standard that any consent must meet. The ICO’s guidance puts the requirement this way:
‘You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.
There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).’
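The ICO rule above translates fairly directly into code: classify every cookie by purpose, set the essential ones straight away, refuse everything else until the user has actively opted in, and expire what was set if consent is withdrawn. The following is an added example written for this article; it is not code from the ICO or from the original post. The cookie names, their purposes and the in-memory cookie jar (a stand-in for document.cookie so the code runs in Node) are all assumptions.

```javascript
// Added example (not from the article or the ICO): consent-gated cookie setting.
// Essential cookies may be set without consent; everything else needs a prior,
// explicit opt-in, and withdrawing consent removes what was set for that purpose.
// The cookie jar is an in-memory stand-in for document.cookie / Set-Cookie so the
// code runs offline in Node; cookie names and purposes below are assumptions.

const COOKIE_PURPOSES = {
  session_id: 'essential',   // keeps the user logged in (assumed essential)
  basket:     'essential',   // remembers the online basket (the ICO's own example)
  _analytics: 'analytics',   // usage measurement: non-essential under the ICO rule
  _ads:       'marketing',   // targeted advertising: non-essential
};

class ConsentState {
  constructor() { this.granted = new Set(); }
  // Consent must be actively given, so only an explicit grant() adds a purpose.
  // There is no "accept by default" or "accept by scrolling" path.
  grant(purpose)    { if (purpose !== 'essential') this.granted.add(purpose); }
  withdraw(purpose) { this.granted.delete(purpose); }
  allows(purpose)   { return purpose === 'essential' || this.granted.has(purpose); }
}

class CookieJar {
  constructor(consent) {
    this.consent = consent;
    this.store = new Map();   // name -> Set-Cookie style string
    this.refused = [];        // names blocked for lack of consent (useful for auditing)
  }

  // Default deny: a cookie that has not been classified cannot be set at all,
  // so a new tracking cookie cannot slip in as "unknown".
  set(name, value, { maxAge } = {}) {
    const purpose = COOKIE_PURPOSES[name];
    if (purpose === undefined) {
      throw new Error(`cookie "${name}" has no declared purpose; classify it first`);
    }
    if (!this.consent.allows(purpose)) {
      this.refused.push(name);
      return false;
    }
    const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
    if (maxAge !== undefined) attrs.push(`Max-Age=${maxAge}`);
    this.store.set(name, attrs.join('; '));
    return true;
  }

  // Withdrawal must be as effective as the grant: drop every cookie of that purpose.
  withdraw(purpose) {
    this.consent.withdraw(purpose);
    for (const [name, p] of Object.entries(COOKIE_PURPOSES)) {
      if (p === purpose) this.store.delete(name);
    }
  }

  names()      { return [...this.store.keys()].sort(); }
  header(name) { return this.store.get(name); }
}

// Simulates one visit: what a compliant page may set before and after the banner.
// `choices` is the list of purposes the user ticked on the consent banner.
function simulateVisit(choices) {
  const consent = new ConsentState();
  const jar = new CookieJar(consent);

  // Before any banner interaction only essential cookies are set.
  jar.set('session_id', 'c0ffee', { maxAge: 3600 });
  jar.set('basket', 'sku-1,sku-2');
  jar.set('_analytics', 'visitor-42');   // refused: no consent yet
  jar.set('_ads', 'segment-7');          // refused: no consent yet
  const beforeBanner = jar.names();

  // The user ticks boxes on the banner; only those purposes are granted.
  for (const purpose of choices) consent.grant(purpose);
  jar.set('_analytics', 'visitor-42');
  jar.set('_ads', 'segment-7');
  const afterBanner = jar.names();

  return { beforeBanner, afterBanner, refused: jar.refused.slice(), jar };
}

const demo = simulateVisit(['analytics']);
console.log('before banner:', demo.beforeBanner);
console.log('after opting in to analytics only:', demo.afterBanner);
console.log('refused for lack of consent:', demo.refused);
```

Two design points matter here. The purpose table is the single place where a cookie is declared essential, so a reviewer can audit that list rather than hunting through the code, and an unclassified name is rejected outright instead of silently treated as harmless. The layer only controls cookies your own code sets; a real site also has to stop third-party scripts (analytics, ad tags) from loading before consent, since they write their own cookies without going through anything like this jar.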
What to take away from this
This all teaches us a lot about good data handling. Some important points to remember about staying on the right side of the law, and making sure others do the same:
– You must tell people that cookies are used.
– You must explain what they are being used for.
– Consent must be actively given, and it must match the intended use of the cookie data.
– Data regulation is not confined to cookies.
– Falling foul of GDPR is easy to do, so stay aware of existing and new rulings.
If you can keep up with all of this, you won’t go far wrong.