In May 2018, the EU enacted a series of laws – the General Data Protection Regulation (GDPR) – which radically change the way companies collect and process personal data. The GDPR obliges businesses operating online to handle user data in a much more transparent manner, whilst at the same time granting individuals far greater control over their data.
Under the GDPR, businesses must now be able to show precisely what data they are storing on consumers and also obtain their explicit consent before processing data for any given purpose. Customers also have the right to access, modify and erase personal data upon request, as well as the right to block personal information from being used for any reason not specified at the time of consent.
In recent times, a series of high profile data breaches have heightened public concerns about the security of personal information. From a consumer perspective, the GDPR represents a giant leap towards ensuring that personal data is not misused or unknowingly sold on to third parties. Customers should thus be the focus of GDPR-compliance, as ensuring transparency in data processing is indispensable for building relationships with clients based on trust.
In 2019, the EU also plans to introduce the ePrivacy Regulation (ePR), which will update and transform the 2002 EU ePrivacy Directive into Europe-wide legally binding regulations on electronic communications, confidentiality and data protection. The ePR will be a complement to the GDPR in the EU’s effort to ensure uniformity across the bloc’s data protection framework.
Most of the time, cookies are used in this way. Consequently, the majority of consumer information gathered by cookies will fall under the GDPR’s definition of personal data.
Why should companies care?
Adhering to new regulations on cookies is crucial for large companies which handle personal data from thousands or millions of customers. Under the GDPR, for example, failure to guarantee consumer privacy rights or adequately protect personal information could result in a fine of up to €20 million or 4% of annual revenue, whichever sum is higher.
This may seem like a lot of work, but companies should not simply view the GDPR and ePR as a laborious set of new rules to adhere to. Rather, in light of recent data breaches which have tarnished the reputation of tech giants such as Facebook, they should seize the opportunity to cultivate a transparent reputation for their organisation. Customers should be the focus, as their personal information is being processed in numerous different ways and by several different organisations. Respecting their rights and adequately protecting their data can vastly improve trust between a company and its customers and allow a business to differentiate itself from any competitor placing less emphasis on data privacy.
To ensure compliance, companies must have adequate mechanisms in place to monitor cookie activity and make sure that personal information collected by cookies is stored and processed in line with the GDPR and ePR.
In addition, companies should provide consent receipts for cookies. This type of e-document gives customers a clear record of exactly what they have agreed to – i.e. where their data is stored, who is using it, what they are using it for and over what period of time. In 2017, the Kantara Initiative released the first open, global consent receipt – compliant with GDPR – which provides a common standard digital format for recording what consumers have consented to and allows individuals to track their consent. Such consent receipts greatly reduce the opacity with which personal data was handled prior to the GDPR, whilst providing companies with clear evidence of what information a customer has agreed can be processed.
Valuing customers and respecting their rights is crucial to navigating this new legal landscape. Putting robust security solutions in place is a necessary step for any company seeking to promote a reputation as a transparent organisation and get a step ahead of its competitors in the realm of data privacy.