How to make website cookies GDPR compliant?

The processing of personal data covers any information about a natural person, as long as it is possible to identify a specific person from the information obtained and distributed. One of the tools through which personal data can be processed is cookies.

What are cookies? Cookies are small text files that a website sends to the user’s computer or mobile device when the user opens the website, and which are stored on that device.

It is important to remember that the service provider, especially using new technologies, must be able not only to ensure, but also to prove to the supervisory authority, if necessary, that the user’s right to personal data protection and privacy is respected.

It should be noted that different cookies serve different purposes. A website would not work at all without technical cookies, whereas cookies used to analyze the customer’s interests or to keep track of online activity through a created “shopping cart” are used with the intention of processing information about an identifiable website visitor, a natural person. Businesses that use websites and cookies to process personal data in order to sell goods and services must observe these aspects.

What are the most common mistakes in the use of cookies?

1. No cookie policy. Since personal data of website visitors (users), such as the IP address or choices made on the website, will be processed by means of cookies, users must be informed about the processing of their personal data.

Notification can be made through the privacy or data processing policy. The cookie policy must be clearly separated from the other processing of personal data described in the privacy policy, and users must clearly understand which types of cookies are used on the website and for what purposes. Users should also be informed of the possibility to accept or reject cookies where these are processed on the basis of consent. This is how the data controller implements the principle of transparency defined in the General Data Protection Regulation.

2. Inaccurate cookie statement. The business must obtain the user’s consent for the use of all cookies other than functional or technical cookies, and giving consent must be convenient, simple and understandable for the user. The cookie notification window itself must make clear to the user which cookies do not require consent and that confirmation of the other cookies is optional.

3. Too much trust in website developers. While it is possible to purchase custom or ready-made website templates or stand-alone tools, it is not advisable to rely entirely on features implemented by developers. Even when buying a ready-made service, the buyer must make sure that the functions and documentation included in it meet the requirements of data protection and other regulatory acts.

Depending on the specifics of the business activity and the purposes for which cookies are used, it may be necessary to carry out a data protection impact assessment (DPIA) before using cookies. We would also like to remind you that businesses that have doubts about the compliance of their processing can consult their data protection specialist/officer.

Bad examples of cookie notifications:

  1. There is no possibility to agree
  2. Consent has already been pre-ticked
  3. Not all cookies are disclosed
  4. There is no indication of where to find further information

Elements of an appropriate cookie notice:

  1. Brief information on the main cookies used
  2. Possibility to continue using the website using only functional cookies
  3. An explanation of the nature of consent is given
  4. A link is provided to read more about the cookies used on the website

Can I not ask for consent to the use of cookies?

Consent is not required only for technical cookies, without which the website will not work. All other cookies, for example those that analyze the user’s interests or the length of stay on a specific link, or that save the filled “shopping cart” even after the user has left the website, may only be used with the user’s freely given consent.

If the user has given consent by marking it in the cookie notification, the user must be able to withdraw that consent in a convenient way. The merchant can specify the procedure for withdrawing consent, for example in a separate paragraph of the cookie policy.
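The rules in the two passages above (no pre-ticked consent, a functional-only option, every cookie disclosed with a link to more information, and convenient withdrawal) can be enforced in a small consent model that every cookie write on the site goes through. The block below is an added example, not code from the original article; the cookie registry is constructed sample data and the DOM wiring for the banner is assumed to live elsewhere.

```javascript
// Added example (not from the original article): a DOM-free consent model.
// COOKIE_REGISTRY is constructed sample data; real sites list their own cookies.
const COOKIE_REGISTRY = {
  session_id: { category: "technical", purpose: "keeps the user logged in" },
  cart:       { category: "technical", purpose: "holds the shopping cart during the visit" },
  _stats:     { category: "analytics", purpose: "measures how pages are used" },
  ad_profile: { category: "marketing", purpose: "builds an interest profile for ads" },
};
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Before any choice: nothing optional is pre-ticked and nothing optional may run.
function initialConsent() {
  return { decided: false, analytics: false, marketing: false };
}

// Record an explicit choice. Technical cookies are not a choice, so they are not
// part of the state; unknown keys in `choices` are ignored.
function recordConsent(choices) {
  const state = initialConsent();
  state.decided = true;
  for (const c of OPTIONAL_CATEGORIES) state[c] = choices[c] === true;
  return state;
}
// "Continue with functional cookies only" is a valid, complete decision.
function rejectOptional() { return recordConsent({}); }
// Withdrawal returns to the undecided default, so optional cookies stop at once.
function withdrawConsent() { return initialConsent(); }

// The gate every cookie write goes through: undisclosed cookies are never set.
function mayUseCookie(name, state) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;
  if (entry.category === "technical") return true;
  return state.decided && state[entry.category] === true;
}

// After any consent change, these cookies must be deleted from the browser.
function cookiesToPurge(state) {
  return Object.keys(COOKIE_REGISTRY).filter((name) => !mayUseCookie(name, state));
}

// Notice text: every cookie disclosed, grouped by category, plus the policy link.
function noticeLines(policyUrl) {
  const lines = [];
  for (const [name, { category, purpose }] of Object.entries(COOKIE_REGISTRY)) {
    const tag = category === "technical" ? "required" : "optional, needs your consent";
    lines.push(`${name} (${category}, ${tag}): ${purpose}`);
  }
  lines.push(`Read more about these cookies at ${policyUrl}`);
  return lines;
}
```

Call `cookiesToPurge` after `withdrawConsent` and actually expire those cookies in the browser; the model only decides, it does not delete.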

What would a recommended cookie notice look like?

A suggested cookie statement might look like this:

Users care about how their personal data is processed: the more carefully and responsibly an organization treats users’ personal data, the more trust it builds in the relationship between the user and the business. Likewise, regularly reviewing personal data processing, data security and cookie policies reduces the chance of incidents such as data leaks, customer complaints or the website behaving in an unexpected way.