GDPR impact on Web Privacy
The World Economic Forum values the global data economy at USD 3 trillion. According to the European Commission, the value of personalised data in the EU in 2020 is 1 trillion euros, almost 8% of the EU's GDP.
The growth of this sector has been driven by the increasing collection, cross-referencing and resale of personal data such as a person's interests, location, income, relationship status, gender, age, education, etc. As a result, the conflict between the value of data on one side and personal privacy and consent on the other will keep growing.
Advertising technology companies (Ad Tech) usually try to place trackers on as many websites as possible to optimise data collection. Typically, tracking companies also perform cookie syncing, which allows them to swap their unique identifiers with other Ad Tech companies so that the data they hold on users can be combined and cross-referenced. It takes no special knowledge to see the consequences once information as valuable as a user's location and real name is combined.
The General Data Protection Regulation (GDPR) led to changes on a lot of websites with respect to privacy policies and cookie consent. The obligation to implement its requirements was met differently across the member states, the Baltic states included. According to research* by the Horst Görtz Institute for IT Security and the Institute for Applied Work Science, which analysed the privacy policies of the 500 most-frequented websites in each EU member state between January and June 2018, approximately 74 per cent of the analysed websites had not amended their privacy policies until shortly before 25 May 2018.
One of the most noteworthy results relates to the placement of cookie notices that inform users about the usage of cookies. After the GDPR came into force, approximately 62 per cent of the analysed websites provided cookie notices, 16 per cent more than in January 2018. The cookie notice thus became the element whose use grew most in connection with the requirements of the GDPR. Mostly, however, the notices do not meet those requirements, since they do not offer users the necessary options to deactivate cookies and do not name all the actors collecting the information. It is therefore apparent that consent notices are a weak spot and that clear guidelines are required.
The Article 29 Working Party (WP29, since replaced by the European Data Protection Board) considered media, e-commerce and the public sector to present the greatest data protection and privacy risks to EU citizens. According to the sweep of these sectors conducted by WP29**, the ratio of first-party to third-party cookies (such as Facebook or Google AdWords) set by such sites is 29.60% to 70.39% respectively. However, there are still a number of sites which do not provide sufficient notification that third-party cookies are being set, do not seek consent from the user, or do not provide cookie information of sufficient quality to website visitors. In 70 of 100 cases we do not know who is tracking us on the web page, that is, to whom such data is sold. The sweep also identified web pages which set more than 200 (!!) third-party cookies, and a few cookies with lifetimes of up to nearly 8000 years (must be an elegant piece of IT humour).
One of the most common mistakes identified is that web pages often start tracking before the user's consent to cookie collection is actually received; in some cases the cookie banner does not even appear on the first page. The other common mistakes are implied consent and forced opt-in.
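The sweep findings above (the first- to third-party ratio, cookies set before any consent, and absurd lifetimes) are the kind of thing a site owner can check on their own pages. The following is an added example, not part of the original article or of the WP29 sweep: it parses Set-Cookie headers captured while a page loads before the visitor has made a consent choice, classifies each cookie as first- or third-party relative to the visited page, and flags lifetimes above a configurable limit. The sample responses, host names and the one-year limit are constructed for illustration, and "site" is approximated by the last two DNS labels (a real audit would use the Public Suffix List).

```javascript
// Added example (not from the original article): audit cookies set during a page load
// for third-party origin and excessive lifetime. Sample data below is constructed.

const MAX_LIFETIME_SECONDS = 365 * 24 * 3600; // assumed policy limit: one year

// Approximate the "site" as the last two DNS labels. Simplification: a real audit
// would derive the registrable domain from the Public Suffix List.
function siteOf(host) {
  const labels = host.toLowerCase().replace(/^\./, '').split('.');
  return labels.slice(-2).join('.');
}

// Parse one Set-Cookie header value (RFC 6265): "name=value" followed by
// ';'-separated attributes such as Domain, Max-Age, Expires, Secure.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq).trim(),
    value: eq === -1 ? '' : pair.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of rawAttrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Lifetime in seconds. Max-Age takes precedence over Expires (RFC 6265 section 5.3);
// a cookie with neither is a session cookie and is reported as 0.
function lifetimeSeconds(cookie, now = Date.now()) {
  if ('max-age' in cookie.attrs) return Number(cookie.attrs['max-age']);
  if ('expires' in cookie.attrs) return Math.round((Date.parse(cookie.attrs.expires) - now) / 1000);
  return 0;
}

// responses: [{ url, setCookie: [headerValue, ...] }] captured for one page visit.
function auditCookies(pageUrl, responses, now = Date.now()) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const { url, setCookie } of responses) {
    const responseHost = new URL(url).hostname;
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      // The Domain attribute, when present, decides which site the cookie belongs to.
      const cookieHost = typeof c.attrs.domain === 'string' ? c.attrs.domain : responseHost;
      const life = lifetimeSeconds(c, now);
      findings.push({
        name: c.name,
        setBy: responseHost,
        thirdParty: siteOf(cookieHost) !== pageSite,
        lifetimeSeconds: life,
        excessiveLifetime: life > MAX_LIFETIME_SECONDS,
      });
    }
  }
  return findings;
}

// Roll the per-cookie findings up into the figures a sweep report would quote.
function summarize(findings) {
  const third = findings.filter((f) => f.thirdParty);
  return {
    total: findings.length,
    firstParty: findings.length - third.length,
    thirdParty: third.length,
    excessiveLifetime: findings.filter((f) => f.excessiveLifetime).length,
    thirdPartyHosts: [...new Set(third.map((f) => f.setBy))],
  };
}

// Constructed sample: responses seen while loading a news page before any consent choice.
const SAMPLE_RESPONSES = [
  { url: 'https://www.example-news.test/', setCookie: ['sessionid=abc123; Path=/; HttpOnly; Secure'] },
  { url: 'https://www.example-news.test/', setCookie: ['pref=dark; Max-Age=2592000; Path=/'] },
  { url: 'https://ads.adtech-example.test/pixel', setCookie: ['uid=xyz; Domain=.adtech-example.test; Max-Age=252460800000; Path=/'] },
  { url: 'https://cdn.analytics-example.test/collect', setCookie: ['_vid=777; Expires=Wed, 01 Jan 3000 00:00:00 GMT; Path=/'] },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarize(auditCookies('https://www.example-news.test/', SAMPLE_RESPONSES)));
}
```

Run against the constructed sample, the summary reports two third-party hosts and two cookies whose lifetime exceeds the limit (the 8000-year Max-Age and the year-3000 Expires), which is exactly the information a cookie notice would need to disclose and a retention policy would need to cap.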
Another serious problem to resolve is third-party cookies, such as those set through Google AdWords tags or Facebook pixels, which place cookies on a web page. When a person withdraws the consent they gave, the Ad Tech company does stop targeted advertising, but it does not stop collecting personal data and continues processing the personal data related to the pixel. Once placed, a pixel is almost impossible to delete or block when the need arises.
Despite all the disorder and confusion, cookies are mentioned in the GDPR only once, in Recital 30, which in essence says that if a cookie, in combination with unique identifiers and other information received by the server, can be used to create profiles of natural persons and to identify them, it is to be treated as personal data. The European Commission, for its part, has tried to clarify matters by publishing an exhaustive list of cookie types which are exempt from the obligation to obtain the user's consent (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm).
So, where to start?
Tips for setting cookies:
- The cookie banner shall be displayed on all pages of a site that uses cookies requiring informed consent.
- A link to a dedicated cookie notice page should also be available.
- Make sure your website does not set cookies before consent is received.
- Make sure your website stops cookie collection once the user has objected.
- Define the cookie collection and data processing term, taking into account that data shall be kept for no longer than is necessary for the purposes for which the personal data are processed.
- Make sure the cookie notice is transparent: inform about all third-party cookies.
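The tips above, together with the pixel problem described earlier, come down to one rule: non-essential cookies and third-party tags are set only after consent, are removed when consent is withdrawn, and are all declared in the notice. The following is an added example, not code from the original article or from any consent-management product: a small consent layer that gates cookie setting and tag loading on a per-category decision, caps lifetimes to a site retention limit, deletes a category's cookies on withdrawal, and exposes the declared cookie list (provider and purpose included) for the notice. The cookie names, categories, providers, the 180-day limit and the in-memory jar are assumptions; in a real page the jar would be backed by document.cookie and the injector would add the actual script or image element.

```javascript
// Added example (not from the original article): a consent-gated cookie layer.
// Registry contents, retention limit and the in-memory jar are assumed for illustration.

const MAX_RETENTION_SECONDS = 180 * 24 * 3600; // assumed site-wide retention limit

// Every cookie the site may set must be declared here so the notice can list all
// providers, including third parties, before anything is placed. maxAge 0 = session.
const COOKIE_REGISTRY = {
  sessionid:  { category: 'necessary', provider: 'first-party',            purpose: 'login session',        maxAge: 0 },
  _analytics: { category: 'analytics', provider: 'analytics-example.test', purpose: 'audience measurement', maxAge: 90 * 86400 },
  _adpixel:   { category: 'marketing', provider: 'adtech-example.test',    purpose: 'ad attribution pixel', maxAge: 400 * 86400 },
};

// Minimal jar so the logic runs outside a browser; in-page this wraps document.cookie.
class MemoryJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, maxAge) { this.cookies.set(name, { value, maxAge }); }
  delete(name) { this.cookies.delete(name); }
  has(name) { return this.cookies.has(name); }
}

class ConsentManager {
  constructor(jar, registry = COOKIE_REGISTRY) {
    this.jar = jar;
    this.registry = registry;
    this.consent = {}; // category -> true/false; a missing entry means no decision yet
  }

  // Entries for the notice page: name, category, provider, purpose and lifetime of each cookie.
  noticeEntries() {
    return Object.entries(this.registry).map(([name, d]) => ({ name, ...d }));
  }

  isAllowed(name) {
    const d = this.registry[name];
    if (!d) return false;                        // undeclared cookie: the notice would be incomplete
    if (d.category === 'necessary') return true; // strictly necessary cookies need no consent
    return this.consent[d.category] === true;    // no decision is not consent (no implied opt-in)
  }

  // Set a cookie only when consent covers it; never exceed the declared or site-wide lifetime.
  setCookie(name, value) {
    if (!this.isAllowed(name)) return false;
    const maxAge = Math.min(this.registry[name].maxAge, MAX_RETENTION_SECONDS);
    this.jar.set(name, value, maxAge);
    return true;
  }

  grant(category) { this.consent[category] = true; }

  // Withdrawal also removes cookies of that category already in the jar, not only future ones.
  withdraw(category) {
    this.consent[category] = false;
    for (const [name, d] of Object.entries(this.registry)) {
      if (d.category === category && this.jar.has(name)) this.jar.delete(name);
    }
  }

  // Third-party tags (pixels, analytics scripts) are injected only after consent.
  // `inject` is the page's own routine that adds the <script> or <img>; here it is a callback.
  loadTag(name, inject) {
    if (!this.isAllowed(name)) return false;
    inject(this.registry[name].provider);
    return true;
  }
}

// Walk through a visit: page load without a decision, then consent, then withdrawal.
function demo() {
  const jar = new MemoryJar();
  const cm = new ConsentManager(jar);
  const loaded = [];
  const inject = (provider) => loaded.push(provider);
  cm.setCookie('sessionid', 's1');   // necessary: set immediately
  cm.setCookie('_adpixel', 'u1');    // marketing, no decision yet: refused
  cm.loadTag('_adpixel', inject);    // pixel not loaded either
  cm.grant('marketing');
  cm.setCookie('_adpixel', 'u1');    // now allowed
  cm.loadTag('_adpixel', inject);    // pixel loads once consent exists
  cm.withdraw('marketing');          // cookie removed, further sets refused
  return { jar, loaded, marketingAllowed: cm.isAllowed('_adpixel') };
}
```

The design choice worth noting is that the registry, not the calling code, decides a cookie's category and lifetime, so a developer cannot set an undeclared tracker or a multi-year expiry by accident, and the same registry feeds the notice, which keeps the disclosure and the behaviour from drifting apart.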
*Analysis of how the necessary changes have been implemented by enterprises on their websites.
Author: Marina Briškena, DPO