Justitia, Lady Justice in front of the European Union flag in the background showing the impact of Europe's new cookie regulations
How Big Companies Should Behave Under Europe’s New Cookie Regulations by Mircea Patachi, CEO and Co-Founder at Clym

How Big Companies Should Behave Under Europe’s New Cookie Regulations

In May 2018, the EU enacted a series of laws – the General Data Protection Regulation (GDPR) – which radically change the way the companies collect and process personal data. The GDPR obliges businesses operating online to handle user data in a much more transparent manner, whilst at the same time granting individuals far greater control over their data.

Under the GDPR, businesses must now be able to show precisely what data they are storing on consumers and also obtain their explicit consent before processing data for any given purpose. Customers also have the right to access, modify and erase personal data upon request, as well as the right to block personal information from being used for any reason not specified at the time of consent.

In recent times, a series of high profile data breaches have heightened public concerns about the security of personal information. From a consumer perspective, the GDPR  represents a giant leap towards ensuring that personal data is not misused or unknowingly sold on to third parties. Customers should thus be the focus of GDPR-compliance, as ensuring transparency in data processing is indispensable for building relationships with clients based on trust.

In 2019, the EU also plans to introduce the ePrivacy Regulation (ePR), which will update and transform the 2002 EU ePrivacy Directive into Europe-wide legally binding regulations on electronic communications, confidentiality and data protection. The ePR will be a compliment to the GDPR in the EU’s effort to ensure uniformity across the bloc’s data protection framework.

Importantly, both the GDPR and ePrivacy Regulation alter regulations of how organisations use cookies. Cookies are small text files used by websites to increase the efficiency of a user’s experience. Essentially, they are are IDs for user devices. On their own they do not gather any data about a particular individual, however the scripts that set cookies do collect personal data on a user’s browsing activity and preferences. This data can be used to identify an individual via a personal device, even if they have not given explicit consent.

Most of the time, cookies are used in this way. Consequently, the majority of consumer information gathered by cookies will fall under the GDPR’s definition of personal data.

Why should companies care?

Adhering to new regulations on cookies is crucial for large companies which handle personal data from thousands or millions of customers. Under the GDPR, for example, failure to guarantee consumer privacy rights or adequately protect personal information could result in a fine of up to €20 million or 4% of annual revenue, depending on which sum is higher.

In practice, that means any large company must be able to provide information on exactly what personal data it has collected using cookies and how that data is shared with third parties. Corporations must also be able to specify the purpose and legal basis for using cookies as a means of collecting data. Moreover, they must be able to produce evidence showing that a user has consented to the use of cookies. This will require companies to provide digital receipts to customers – that is, a proof document that an individual receives each time they give consent to a company to process their personal data using cookies.

This may seem like a lot of work, but companies should not simply view the GDPR and ePR as a laborious set of new rules to adhere to. Rather, in light of recent data breaches which have tarnished the reputation of tech giants such as Facebook, they should seize the opportunity to cultivate a transparent reputation for their organisation. Customers should be the focus, as their personal information is being processed in numerous different ways and by several different organisations. Respecting their rights and adequately protecting their data can vastly improve trust between a company and its customers and allow a business to differentiate itself from any competitor placing less emphasis on data privacy.

Ensuring compliance

To ensure compliance, companies must have adequate mechanisms in place to monitor cookie activity and make sure that personal information collected by cookies is stored and processed in line with the GDPR and ePR.

For instance, they should provide online tools giving visitors the choice of opting in or out of various types of cookies. Under the GDPR, implied consent is not enough and instead customers must actively affirm that they agree to the use of cookies. That means that companies can no longer claim that using its website constitutes consumer consent. Rather, websites must provide accurate information – in plain language – specifying exactly what a company’s cookie policy is. The GDPR also grants users the right to retract their consent and every 12 months corporations must obtain renewed consent from customers to keep using cookies for the same purposes.

In addition, companies should provide consent receipts for cookies. This type of e-document gives customers a clear record of exactly what they have agreed to – i.e. where their data is stored, who is using it, what they are using it for and over what period of time. In 2017, the Kantara Initiative released the first open, global consent receipt – compliant with GDPR – which provides a common standard digital format for recording what consumers have consented to and allow individuals to track consent. Such consent receipts greatly reduce the opaque nature with which personal data was handled prior to the GDPR, whilst providing companies with clear evidence of what information a customer has said can be processed.

Summing up

The global shift towards greater data protection is changing the way companies handle data. To adapt to stricter regulations, any major corporation must comprehensively map what user data they collect and review how they use cookies. Organisations which fail to adhere to new legal norms will not only face hefty fines, but also a strained relationship with the customer base they rely on for income.

Valuing customers and respecting their rights is crucial to navigating this new legal landscape. Putting into place robust security solutions to is a necessary step for any company seeking to promote a reputation as a transparent company and get a step ahead of their competitors in the realm of data privacy.