Ever wondered why relevant advertisements appear on your social media page? Well, cookies (not the kind that we all like!) are small text files that a website places in your browser, on your device, whilst you are viewing that website. However, these cookies can sometimes store enough data about a person to enable that person to be identified, unknown to that person and without their consent. Due to the amount of personal data cookies can contain, they are considered to be personal data and therefore fall under the remit of the General Data Protection Regulation (GDPR).
There are three different ways of categorising cookies: by the duration for which the cookie is stored, by whether it is a first party or third party cookie, and by the purpose of the cookie. When it comes to data privacy, the cookies that are the greatest cause for concern are those that are:
- persistent (that remain on your hard drive until they are deleted or expire);
- used for marketing purposes; and
- third party cookies.
According to the ePrivacy Directive, cookies should not last longer than 12 months, but there is a risk that they could remain on your device for longer if they are not deleted. Marketing cookies track online activity to help advertisers deliver more relevant advertising. However, they can also share that information with other organisations or advertisers. Third party cookies are placed on your electronic device by advertisers or analytics providers, and not by the website you are visiting.
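The three properties singled out above (persistent rather than session, longer than the 12 months the Directive allows, and set by a third party) can all be read off a response's Set-Cookie header. The script below is an added example, not part of the original post: it audits a constructed set of responses against a fixed clock and flags each cookie accordingly. The hostnames, cookie names and values are made up, and the "site" comparison is a deliberately crude last-two-labels match rather than a public suffix list lookup.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

TWELVE_MONTHS = timedelta(days=365)  # lifetime ceiling the post cites from the ePrivacy Directive

def parse_set_cookie(header):
    """Split one Set-Cookie header into the cookie name and a dict of lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cookie_lifetime(attrs, now):
    """Lifetime as a timedelta, or None for a session cookie. Max-Age takes precedence over Expires."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def site_of(url):
    """Crude 'site' = last two host labels (assumption; a real audit should use the public suffix list)."""
    return ".".join(urlsplit(url).hostname.lower().split(".")[-2:])

def classify(page_url, setter_url, header, now):
    """Flag the properties the post singles out: persistent, longer than 12 months, third party."""
    name, attrs = parse_set_cookie(header)
    life = cookie_lifetime(attrs, now)
    return {
        "name": name,
        "persistent": life is not None,
        "over_12_months": life is not None and life > TWELVE_MONTHS,
        "third_party": site_of(page_url) != site_of(setter_url),
    }

# Constructed sample: (URL of the response that set the cookie, its Set-Cookie header). Not real traffic.
PAGE = "https://www.example.org/article"
SAMPLE = [
    ("https://www.example.org/article", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://ads.example-tracker.net/pixel", "_adtrack=xyz; Max-Age=63072000; Domain=.example-tracker.net"),
    ("https://cdn.example.org/theme", "prefs=dark; Expires=Sun, 30 Jun 2024 00:00:00 GMT; Path=/"),
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible

def audit(page_url=PAGE, observed=SAMPLE, now=NOW):
    return [classify(page_url, src, hdr, now) for src, hdr in observed]
```

Running `audit()` on the sample reports the session cookie as harmless on all three counts, the tracker's two-year cookie as persistent, over 12 months and third party, and the CDN preference cookie as persistent but within the limit and first party.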
Despite the importance of cookies, especially in relation to the information they potentially hold, the regulations governing cookies are split between the GDPR and the ePrivacy Directive. Cookies are only mentioned once in the GDPR, to confirm that, in so far as cookies are used to identify a person or user, they qualify as personal data and therefore come under the GDPR.
The ePrivacy Directive, also known as the ‘cookie law’, addresses the confidentiality and tracking of internet users more broadly than the GDPR. However, in order to comply with both the GDPR and the ePrivacy Directive, the user’s consent must be obtained before any cookie can be used, except in strictly necessary circumstances. The user’s consent must also be stored and it must be clear what information each cookie tracks and its purpose before consent is obtained. Users must also be allowed to continue to use a service even if they refuse certain cookies and it must also be made easy for any user to withdraw their consent.
The ePrivacy Directive is due to be replaced by the ePrivacy Regulation. This was due to be passed when the GDPR came into force in 2018. However, as the draft legislation could not be agreed by the member states, the Regulation has not been implemented. The intention of the ePrivacy Regulation is to build upon the Directive and expand its definitions. The Regulation also promises to treat browser fingerprinting similarly to cookies, create robust protections for metadata, and take into account new methods of communication, like WhatsApp. However, it may be some time before the Regulation is implemented and, in any event, it is likely that there will be a 24-month transition period once the Regulation comes into force.
What this blog is attempting to do is to outline the implications of pressing ‘accept’ or ‘I agree’ to a request from a website in relation to cookie storage. That cookie will then be used by the company to store potentially a lot of personal information about you and, in most cases, unbeknown to you for a significant period of time.