Are Cookies Personal Data According to The GDPR?

If you’ve recently visited a new website on your computer or phone, you received a notification informing you that the page uses cookies to track your actions and asking whether you agree to it. You read the website’s cookie policy to get an idea of what sort of cookies it runs, why it tracks your activity, and where it sends data. If you allow the cookies, the web server sends them to your browser, which stores them and returns them the next time the page is requested. Although cookies aren’t harmful, cybercriminals can steal them and use the information to impersonate you.

The GDPR Classes Cookies as Online Identifiers

The General Data Protection Regulation (GDPR) protects individuals and the information by which they can be identified, directly or indirectly, applying very strict rules for processing data based on consent. Examples of personal data include first and last names, phone numbers, email addresses, vehicle registration plate numbers, social media profile IDs/links, etc. Since cookies can store a wealth of data, they can be considered personal data in certain circumstances, meaning they’re subject to the GDPR. A good example is cookies used to authenticate client requests and maintain session information, which involve the processing of personal data. Website operators need a legal basis to deploy certain types of web technologies.

Not all cookies can be classified as personal data. For example, cookies that remember the language selection of the user don’t allow for any conclusions about their identity. If cookies don’t process personal data that can be used to identify or single out a person directly or indirectly, they don’t fall under the jurisdiction of the GDPR, so it’s not necessary to apply data privacy guidelines to the use of cookies. However, the use of these cookies could leave traces that could be used to create profiles of individuals if they’re linked to unique identifiers, in which case the processing must comply with the GDPR.

The PECR And GDPR Go Hand in Hand

The Privacy and Electronic Communications Regulations (PECR) sits alongside the GDPR and imposes specific rules on privacy rights relating to electronic communications. It’s forbidden to send marketing communications without prior permission from the recipients, so it’s a good practice for businesses to keep a list of people who object and refrain from conveying promotional messages. Equally, it’s no longer possible to make the provision of a service dependent on the data subject’s consent. Where the PECR rules apply, they’re regarded as more important than the GDPR, so website operators setting cookies must take into account PECR compliance and then look to the GDPR. 

Cookies Pose Risks to Data Security

The more targeted cookies become, the more invasive they are. As a matter of fact, cookies can be so invasive that antivirus programs label them as spyware. Websites place cookies on individuals’ devices without obtaining their consent to gather more data and serve more targeted ads. It’s necessary to display a cookie banner upon the user’s first visit, implement a cookie policy, and allow the user to provide consent. Continued scrolling or browsing can’t be considered valid consent. The risks aren’t limited to the business, which can incur a fine for failing to comply with the data protection rules; website visitors are at risk as well. 

Cookies are simple text files stored on your device by your web browser. They can’t infect your computer or phone with viruses or other malware, but depending on how they’re used and exposed, they can turn out to be a real security risk. For instance, authentication cookies captured over insecure channels allow hackers to steal credentials and gain illegitimate access. Cookies should only be accessed over secure SSL/TLS channels. Threat actors use the cookies to change passwords and emails associated with other accounts or trick unsuspecting victims into downloading additional malware.
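An added example (not part of the original article): a small Python audit of `Set-Cookie` response headers for the `Secure` attribute, which restricts a cookie to TLS connections as the paragraph above recommends. It goes beyond the text by also checking `HttpOnly` and `SameSite`; the sample headers and the name heuristic for spotting authentication cookies are constructed assumptions.

```python
# Name fragments that suggest an authentication/session cookie.
# Assumption for this example: a naming heuristic, not a standard.
AUTH_HINTS = ("sess", "auth", "token", "sid")

# Constructed sample Set-Cookie header values (not taken from a real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                      # session cookie, no Secure
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "lang=en-GB; Path=/; Max-Age=31536000",                    # language preference
]

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(header_value):
    """Report which theft-limiting attributes a cookie lacks."""
    name, attrs = parse_set_cookie(header_value)
    issues = []
    if "secure" not in attrs:
        issues.append("no-secure")      # cookie is also sent over plain HTTP
    if "httponly" not in attrs:
        issues.append("no-httponly")    # readable by page scripts
    if "samesite" not in attrs:
        issues.append("no-samesite")    # cross-site sending left to browser default
    looks_auth = any(hint in name.lower() for hint in AUTH_HINTS)
    if not issues:
        severity = "ok"
    elif looks_auth and "no-secure" in issues:
        severity = "high"               # credential-bearing cookie exposed on HTTP
    else:
        severity = "low"
    return {"name": name, "issues": issues, "severity": severity}

def audit_headers(headers):
    return [audit_cookie(h) for h in headers]

if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        print(result["severity"], result["name"], ",".join(result["issues"]) or "-")
```
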

Websites that operate in the UK are covered by the GDPR, so they must include a warning notifying users that they collect personal data for processing and get consent from visitors before they can store cookies on their devices. There are drastic consequences for not complying with the laws. The GDPR enables individuals to claim compensation from an organisation arguing distress due to the unauthorised use of their personal data. Please don’t hesitate to consult https://www.databreachcompensationexpert.co.uk/data-breach-compensation/ for further information. If the processing of personal data isn’t realised in a fair, lawful, and transparent manner, it breaches Article 5 of the GDPR, triggering a data violation. 

More often than not, organisations place non-essential cookies on devices automatically without offering clear information about the purposes of the cookies, thinking there’s no need to have a consent capture mechanism on the website. An ever-increasing number of companies are taken to court (or investigated) under cookie consent rules. Any person who has suffered material or non-material damage due to the unlawful processing of personal biometric and geolocation data can receive compensation for the damage sustained. Simply put, the business is liable for damages. Discomfort or feelings of uneasiness don’t entitle data breach victims to compensation, to be clear. 

Final Thoughts

To be compliant with the GDPR, an organisation must consider its use of cookies and have cookie requirements for its website. Even if cookies are continually evolving, it’s essential to inform users that the site uses cookies and obtain consent to place cookies in their browsers. These are the minimum requirements, of course. From start-ups and large-scale businesses to universities, everyone needs to comply with the data protection rules. Internet users must have the option to withdraw consent by deleting all the cookies from the domain, meaning they should have easy access to update their preferences.

All things considered, being online can be a frustrating experience. Even if the GDPR requires a Yes/No choice, companies force users to click the “accept” button, thus violating the law. If your personal data has been involved in a GDPR data breach, compensation may be awarded to you for your losses.

Portia Chamapiwa
