January 28, 2020
Security, privacy, and related topics have been all over the news in recent months and years. Much of this is due to the roll-out of the General Data Protection Regulation (GDPR) in 2018, the E.U.'s set of legal rules governing how personal data must be handled.
Cookies are also a popular topic once again. However, there is a lot of misinformation about how cookies relate to the GDPR and what your responsibilities are as a website owner when it comes to consent and security. When you think about data protection law and privacy legislation, cookies easily come to mind, because they are directly related to both. This often leads to the common misconception that the Cookie Law (the ePrivacy Directive) has been replaced by the GDPR. It has not. Instead, think of the ePrivacy Directive and the GDPR as working in harmony with each other, with the ePrivacy Directive generally taking precedence where cookies are concerned.
The ePrivacy Directive, commonly known as the Cookie Law, came into effect in the E.U. in 2002. It has been amended a few times but has remained largely the same and covers electronic privacy as it relates to website cookies.
Mention “cookies” and most people expect a chocolate chip treat to appear. When it comes to computers, however, cookies aren’t on the dropdown menu. In fact, they’re not even physical objects. And while they do a great deal of the work that makes it more convenient for you to browse the Internet, they can be troublesome if you don’t know how to clear or delete cookies.
Different types of cookies keep track of different activities. Session cookies carry no expiry date and are discarded when the browser session ends, so they live only while a person is actively using the site. Persistent cookies carry an Expires or Max-Age attribute and survive across browser sessions; tracking cookies use this to build long-term records of repeated visits to the same site. Authentication cookies record whether a user is logged in and, if so, as whom. No matter the type of cookie, the Cookie Law now regulates how they can be used.
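As an added example (not code from the original post), the following script classifies cookies the way the paragraph above does, by parsing Set-Cookie headers and deciding whether each is a session cookie, a persistent cookie or a deletion, and then checks the attributes a security reviewer expects on authentication cookies. The sample headers, the list of authentication cookie names and the reference date are constructed for the example.

```javascript
// Added example, not code from the original post: parse Set-Cookie headers,
// classify each cookie's lifetime, and check the hardening attributes that
// authentication cookies should carry. Sample data below is constructed.

// Split one Set-Cookie header value into its name, value and attributes.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Lifetime rule: Max-Age takes precedence over Expires; either one makes the
// cookie persistent (or deletes it when the value is already in the past);
// neither means a session cookie that the browser discards when the session ends.
function cookieLifetime(cookie, now) {
  const { attrs } = cookie;
  if ('max-age' in attrs) return Number(attrs['max-age']) <= 0 ? 'deleted' : 'persistent';
  if ('expires' in attrs) return Date.parse(attrs.expires) <= now ? 'deleted' : 'persistent';
  return 'session';
}

// Hardening checks for cookies that carry a login: Secure (sent over HTTPS only),
// HttpOnly (not readable by page script) and an explicit SameSite of Lax or Strict.
function missingAuthAttributes(cookie) {
  const { attrs } = cookie;
  const missing = [];
  if (attrs.secure !== true) missing.push('Secure');
  if (attrs.httponly !== true) missing.push('HttpOnly');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') missing.push('SameSite');
  return missing;
}

// Audit a list of Set-Cookie headers. authCookies names the cookies that carry
// a login session (an assumption supplied by the caller); now is the reference
// time used for the Expires comparison.
function auditCookies(headers, { authCookies = [], now = Date.now() } = {}) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h);
    return {
      name: cookie.name,
      lifetime: cookieLifetime(cookie, now),
      missing: authCookies.includes(cookie.name) ? missingAuthAttributes(cookie) : [],
    };
  });
}

// Constructed sample: headers of the kind a site hands out on a first visit.
const SAMPLE_HEADERS = [
  'sessionid=a1b2c3; Path=/; HttpOnly',                                // login cookie, weak attributes
  'sid=x9y8z7; Path=/; Secure; HttpOnly; SameSite=Lax',                // login cookie, hardened
  '_visits=GA1.2.1234; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/', // persistent tracking cookie
  'seen_banner=1; Max-Age=2592000; Path=/',                            // persistent, 30 days
  'legacy=1; Max-Age=0; Path=/',                                       // deletion instruction
];

const SAMPLE_NOW = Date.parse('2020-01-28T00:00:00Z'); // fixed reference date (constructed)

function sampleAudit() {
  return auditCookies(SAMPLE_HEADERS, { authCookies: ['sessionid', 'sid'], now: SAMPLE_NOW });
}

for (const r of sampleAudit()) {
  console.log(`${r.name}: ${r.lifetime}${r.missing.length ? ', missing ' + r.missing.join('/') : ''}`);
}
```

Running the audit on the constructed headers reports `sessionid` as a session cookie missing Secure and SameSite, `sid` as a hardened session cookie, the tracking cookie and the banner flag as persistent, and `legacy` as a deletion. The same audit, run against the headers a site actually sends before any consent banner has been answered, is a quick way to find cookies that are being dropped before the user has had a chance to consent.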
Users must also be given the option to refuse consent. This doesn't mean you have to provide a way to turn cookies off directly through your site. In fact, in most cases the built-in cookie-blocking settings in major browsers are considered a valid method of withdrawing consent. Most importantly, no cookie may be installed and no data collected before the user has had the chance to consent or refuse.
You don't need to keep active records of each user's consent. This is a common area of confusion, since consent records are often required under the GDPR. This could change over time: many U.S. states are drafting their own privacy laws, so you should still have a consent manager ready that can show when and how a cookie was dropped. We are not advocating that you forget about consent and tracking. We are merely saying that if you are asked for proof today, you don't necessarily have to produce a log; you have to show that a process for obtaining consent was in place and was followed.
When it comes to the Cookie Law and consent, you simply must be able to provide proof of consent if the need arises. The best way to do this is to use a cookie management solution like Osano that blocks cookie-setting scripts until consent is obtained. If you ever need to prove consent, the fact that the cookie scripts were installed at all is sufficient evidence that a consenting action took place, because there is no other way for them to run.
Imagine that the ability to run cookies is like entering your office. The cookie management solution is the door to your office, and cookie consent is the act of turning the door handle. You can only enter the office through the door, and only if the handle is turned (the act of giving consent). So if you are in the office, it can only be because the handle was turned; your presence in the office is sufficient proof of that fact.
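The door-and-handle mechanism, as an added example that is not Osano's code: a minimal consent gate. Loaders for cookie-setting scripts are registered under a category and stay inert until that category is granted; a refusal keeps them blocked; every decision is recorded with a timestamp so the consent process can be shown later. The category names, the loader functions and the fixed clock are assumptions made for the example.

```javascript
// Added example, not Osano's code: a consent gate. Nothing registered through
// it runs before the user has decided, a grant releases the queued loaders,
// and each decision is recorded so the process can be demonstrated afterwards.
function createConsentGate(clock = () => Date.now()) {
  const queued = new Map();    // category -> loaders waiting for consent
  const decisions = new Map(); // category -> true (granted) or false (refused)
  const events = [];           // record of decisions: { category, granted, at }

  // Run and clear every loader queued under a granted category.
  function drain(category) {
    const loaders = queued.get(category) || [];
    queued.set(category, []);
    loaders.forEach((load) => load());
  }

  return {
    // Register a loader for a cookie-setting script. In a browser the loader
    // would create the <script> element; here it is any function. It runs at
    // once only if the category has already been granted.
    register(category, load) {
      if (decisions.get(category) === true) {
        load();
        return;
      }
      if (!queued.has(category)) queued.set(category, []);
      queued.get(category).push(load);
    },
    // Record the user's decision. Only a grant releases the queued loaders,
    // so nothing is installed before the user has chosen.
    decide(category, granted) {
      decisions.set(category, granted);
      events.push({ category, granted: Boolean(granted), at: clock() });
      if (granted) drain(category);
    },
    isGranted(category) {
      return decisions.get(category) === true;
    },
    pendingCount(category) {
      return (queued.get(category) || []).length;
    },
    history() {
      return events.map((e) => ({ ...e }));
    },
  };
}

// Constructed walkthrough: two tags are registered before any decision, the
// user refuses analytics and accepts marketing, and a tag registered later in
// the accepted category loads immediately. Returns what loaded plus the gate.
function walkthrough() {
  const loaded = [];
  const gate = createConsentGate(() => Date.parse('2020-01-28T10:00:00Z')); // fixed clock (assumption)
  gate.register('marketing', () => loaded.push('ads.js'));
  gate.register('analytics', () => loaded.push('stats.js'));
  const beforeDecision = loaded.length; // nothing loads before a decision
  gate.decide('analytics', false);
  gate.decide('marketing', true);
  gate.register('marketing', () => loaded.push('retargeting.js'));
  return { beforeDecision, loaded, gate };
}

const result = walkthrough();
console.log('loaded:', result.loaded, 'analytics still blocked:', result.gate.pendingCount('analytics'));
```

Two points a practitioner should keep in mind. The gate is only the "door" if it is the only way those scripts can run: tags placed directly in the page as ordinary `<script>` elements bypass it, so they must be routed through `register` (or marked non-executable and activated by the gate). And a grant cannot be undone by this object alone; a script that has already run may have set cookies, so handling withdrawal also means deleting those cookies and blocking future loads.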
When showing a cookie banner at the user's first visit, the notice must:
While the GDPR is certainly important, it isn't the only regulation you need to know about to protect your organization. The Cookie Law remains active and enforceable, and the proposed ePrivacy Regulation intended to replace it is still being negotiated. Understanding these laws' requirements is vital for protecting your interests: it ensures you don't violate the law and that you provide a secure and trustworthy service to all of your users. Recognizing what you don't need to do is just as important as knowing what's required of you. There is a lot of misinformation floating around. Osano can help clarify your responsibilities and save you significant time and effort.
Dennis is the Chief Privacy Officer for Osano. He is a Certified Information Privacy Professional (CIPP/E, CIPP/US, FIP). Previously he was Return Path's Chief Privacy and Security Officer. Prior to Return Path, he was Eloqua's Chief Privacy and Security Officer. Dennis serves on the US Data Privacy and Integrity Committee for the Department of Homeland Security and is an advisory board member for the IAPP.