White Paper

What You should know about Cookies, Privacy Policies and the GDPR

Often when we are browsing the internet, we land on websites that inform us that the company is using cookies. Cookies are small text files that a website places on its users' computers. They are used to collect information about that user. Cookies collect data ranging from web browsing history, in-website browsing history and the user's location to personal information such as name, address, phone number, email address, and the names of friends, associates and family members. And the ability of software to scan your photo is currently under development!

There are several types of cookies including session cookies, persistent cookies and first and third-party cookies.  Session and persistent cookies refer to the length of time the cookie collects data whereas first and third-party cookies refer to the organization placing the cookie.

Session cookies collect data only during the browser session. They are the least privacy-invasive, usually used only for remembering logins and user selections. Persistent cookies are stored in the website user's browser and remain there after the session ends. Data is collected from each session and sometimes across websites. The data collected is used to track user preferences and target marketing directly to those preferences.

First-party cookies are placed by the organization whose website the user is visiting. Third-party cookies are placed by separate organizations, usually ones whose content or links are embedded in the website that the user is visiting. Examples of third parties that place cookies include Google Analytics, ShareThis and Google AdWords and Remarketing. First and third-party cookies are usually the most privacy-invasive, as they are used to collect our personal data.
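The distinctions above (session versus persistent, first-party versus third-party) can be read directly off a Set-Cookie header. The following is an added example, not code from the white paper, that classifies sample cookies and flags missing hardening attributes; the hostnames and cookie values are constructed for the example, and the same-site check is a simplified stand-in for the Public Suffix List that real browsers use.

```javascript
// Added example (not from the original white paper): classify Set-Cookie headers
// as session vs persistent and first- vs third-party, and flag missing attributes.
// Runs under Node.js with no dependencies.

// Parse one Set-Cookie header value into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Simplified registrable-domain check (assumption: two-label registrable domains,
// so "example.com" and "www.example.com" count as the same site).
function sameSite(hostA, hostB) {
  const base = (h) => h.toLowerCase().split(".").slice(-2).join(".");
  return base(hostA) === base(hostB);
}

// Classify a cookie set by `setterHost` while the user is on `pageHost`.
// A cookie with no Expires/Max-Age lives only for the browser session.
function classifyCookie(header, setterHost, pageHost) {
  const { name, attrs } = parseSetCookie(header);
  const persistent = "expires" in attrs || "max-age" in attrs;
  const lifetime = persistent ? "persistent" : "session";
  const party = sameSite(setterHost, pageHost) ? "first-party" : "third-party";
  const warnings = [];
  if (!("secure" in attrs)) warnings.push("missing Secure");
  if (!("httponly" in attrs)) warnings.push("missing HttpOnly");
  if (!("samesite" in attrs)) warnings.push("missing SameSite");
  return { name, lifetime, party, warnings };
}

// Constructed sample: a login cookie from the visited site and a tracking cookie
// from an embedded analytics host (hostnames are made up for this example).
const PAGE_HOST = "shop.example.com";
const SAMPLES = [
  ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", "shop.example.com"],
  ["_track=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker.example", "cdn.tracker.example"],
];
function auditSamples() {
  return SAMPLES.map(([h, host]) => classifyCookie(h, host, PAGE_HOST));
}
console.log(auditSamples());
```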

Why do organizations use cookies?

Usually, the company will give us benign reasons for using cookies including providing a better customer experience, offering targeted advertising, enabling easier navigation and prepopulating forms. Cookies usually save login information and can save personal information that you enter, for example, the address and credit card data that you use when making an online purchase.  Although this improves your user experience by increasing the convenience of your user journey, your private data may be at risk.  Whether or not you enter personal information, cookies collect your IP address and from that, the organization can identify you!

Moreover, cookies usually benefit the company far more than the user.  Organizations use the data collected through cookies for a variety of purposes such as regional and marketing analytics. Some may even sell your data to other organizations that use it for marketing purposes.

Do we have to accept cookies?

We are usually asked to approve the use of cookies, yet often they have already been downloaded to our computers before we click approve. Sometimes, unless we agree to their use, we are not able to continue our journey through the website. Especially if we really need information or we really want to purchase something, we may click approve without finding out exactly what information is being collected about us. We can find out what data is being collected and what it will be used for by reviewing the organization's privacy policy.

What are Privacy Policies?

Companies should disclose the information they are collecting through cookies in their privacy policy.  A privacy policy is simply a document in which an organization explains how it manages and protects data that it collects about individuals including customers and employees.  At a high level, an organization’s privacy policy should describe what personal information they collect, how they collect it, how they process it, where they store it, what they use it for and the legal basis for doing so.  Specific information that should be included in a privacy policy includes the following:

  • Business Name and Contact Information
  • Types of personal data collected
  • Why this data is collected
  • How the data is used
  • How the data is shared with third parties
  • How to opt out of data collection

Privacy policies are required by law in many nations.  Some nations that have legal requirements for data privacy include the United States, the countries included in the European Union, Australia, Canada, India, Singapore, and South Korea.  In the US, the Federal Trade Commission regulates data privacy.  In the EU, data privacy is regulated by the GDPR.
As consumers and website users, it is important to review privacy policies before accepting the use of cookies. Organizations' privacy policies vary in the amount of information they provide and the level of detail at which they provide it. Here are examples of well-written privacy policies:


Cookies, Privacy Policies and the GDPR

For those of you who are citizens of countries in the European Union, the GDPR requires organizations to provide specific protections for the private data that they collect. The General Data Protection Regulation, or GDPR, has been in place since the end of May 2018. It protects EU individuals' personal data from misuse, data handling errors and data sharing where there is no consent or legal basis. The GDPR designates six legal bases, one of which must apply to the collection of an individual's personal data. These are:

  • Consent
  • Contract
  • Legal Obligation
  • Vital interests
  • Public Task
  • Legitimate Interests

The GDPR also provides individuals with certain rights regarding their personal data.  Those rights are:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision-making and profiling

The GDPR's requirements for privacy policies build upon the existing Data Protection Act of 1998 (DPA). Specifically, they explain how the DPA applies to the collection and use of personal data online. The GDPR addresses the use of cookies and requires the inclusion of the individuals' rights listed above.

One of the most important protections that the GDPR provides is the right of EU citizens to opt out of receiving marketing materials from the organizations whose websites they visit. Often, organizations would require website visitors to check boxes "requesting" marketing materials, or would precheck those boxes. Sometimes, the user would be unable to complete their task, for example registering for a webinar, without agreeing to accept marketing. According to the GDPR, organizations are not allowed to use any personal information to send marketing materials unless they can meet the legal basis of legitimate interest. For example, organizations have a legal basis to send marketing materials to current clients. Legal basis is not a requirement for sending marketing materials to citizens of countries other than those of the EU.

Data privacy is a major concern for everyone, especially those who use the internet.  Almost every day, we hear of yet another instance where organizations have had data breaches that affected millions of customers’ private data.  For citizens of the EU, the GDPR regulates data protection; however, ultimately, we are all responsible for managing and protecting our personal information, especially when we provide it to organizations through their websites.