In 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect, establishing seven principles that should govern the collection of personal information. These principles are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
Websites that are operated solely in the United States or other countries not covered by the GDPR may include a statement warning users that the site is intended only for residents of certain countries. Even if a company is willing to ignore 500 million potential customers, however, there is no guarantee that such a warning would be sufficient to avoid possible penalties if the company knowingly collects information about users in EU countries.
Furthermore, while the United States does not currently have a federal GDPR equivalent, several states have enacted their own data protection laws, and new laws are on the horizon. The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020, for many businesses and will require disclosure of any personal information being collected about a California resident. Data subjects residing in California must also be given the opportunity to refuse to allow such collection if the business is subject to the CCPA. Unless a business is willing to eliminate residents of California as well as residents of the EU from its customer base, website operators should be learning how to comply with the GDPR, the CCPA, and any similar legislation that may follow.
Cookies often collect aggregate information about their users that is not specifically identified with one individual, but if that information, combined with other data, such as a user’s IP address or device information, can be used to identify an individual, it becomes “personal information” for the purposes of the GDPR and must be treated as such. Although cookies are not mentioned specifically in the Data Protection Directive and only once in the GDPR, both regulations protect all information gathered about EU residents, including information gathered automatically using cookies or other technologies.
The clearest and most effective way to notify a user in advance of the collection of information using cookies is to provide a web banner or “pop-up” cookie notice that appears automatically when the home page is accessed for the first time. According to the I.C.O. guidelines, a cookie notice that requires some affirmative action, such as closing a web banner or clicking a consent button, will provide the required notice and ability to consent. An implied consent notification may also be sufficient if the user is notified of his implied consent before any cookies are placed on his device.
Consequences of Not Complying With Data Protection & Cookie Laws

The GDPR authorizes supervisory authorities to impose various penalties, including:
- Issuing a warning
- Ordering a temporary or permanent ban on data processing of EU residents
- Ordering the processor to erase data processed in violation of the law
- Banning the transfer of data to certain countries
- Imposing significant fines
How To Comply With Data Protection & Cookie Laws

Crafting a cookie notice that complies not only with the GDPR, but also with the data protection laws of individual EU and non-EU countries, is a nearly impossible task. Fortunately, ready-made cookie disclosures are available. Osano Consent Manager, for example, is designed to comply with the GDPR and with current U.S. state data protection laws, including the upcoming CCPA.