Cookies as personal data
The problem of stricter requirements for the use of cookies has been discussed since the entry into force of the European Data Protection Regulation (hereinafter GDPR), as well as the publication of the draft amendments to the ePrivacy Directive (best known as the "Privacy and Electronic Communications Statement"). It is these documents that officially define cookies as personal data and provide for extraterritorial liability, as well as imposing colossal fines on site owners for illegal use of such files. We have already carried outan overview of penalties for violating the basic principles of the GDPR, however none of them included violations related to the handling of cookies. Often, in the absence of judicial practice and real punishments, business representatives have a feeling of security, in other words: "Until the thunder breaks out, the man does not cross himself." But the rumble of thunder has long been heard - one of the largest penalties for violation related to the installation of cookies is a fine of 30,000 euros, which was issued in October 2019 by the Spanish data protection authority of Vueling airline for the inability of the user to refuse to set third-party cookies.
Due to the peculiarities of the profession, when visiting various sites, you involuntarily analyze them for compliance with known regulatory legal acts in the field of personal data protection. As a result of another such analysis, it became clear that, in pursuit of the implementation of the GDPR requirements, many companies are concerned about the issue of "putting things in order" on their web resources. However, due to a lack of understanding of the requirements or lack of desire to "spoil" the user interface of the site, it seems that every second organization incorrectly implements the policy of using cookies on their resources.
Regulations implementing the policy of using cookie -files
From the point of view of GDPR and ePrivacy, the rules for the use of cookies are no different from the rules for processing all other personal data and must be followed if the site uses any cookies that allow you to form a user profile on the network. However, this does not apply to:
- cookies strictly necessary for the correct operation of the site;
- cookies strictly necessary to provide an online service to the user, for example when a user fills out an online form, uses a shopping cart, or authenticates to a site to log into an online service
Back to the rules, their essence is as follows:
- The installation of a cookie should only be carried out with the prior consent of the user.
- , , , , /, .
- cookie, , , , .
- .
- – cookie- , , , .
Major mistakes in the implementation of the cookie policy or how not to do it
Let's look at three examples of incorrect implementation of the cookie policy that are most common among the sites of controllers and processors of personal data.
Example 1. Banner warning that by continuing to use the site, you consent to the use of cookies.
This practice is widespread both among Russian and European web resources. As an example, consider the website of an Italian cosmetics store. According to the cookie policy presented on the website, technical cookies, functional cookies and cookies from third-party marketing campaigns are set to the user.
However, the literal translation of the warning on the banner at the bottom of the page reads: “This site uses technical, analytical and third-party profiling cookies. If you choose "Continue" or access any content on our site without determining your choice, you consent to the use of cookies. To find out more and to refuse consent to the installation of cookies, click here. "
In this case, all the rules mentioned earlier are violated:
- Cookies are installed immediately when the user opens the site.
- Continuing to use the site or clicking the continue button is not a clear confirmation action, since the user is not given a choice and cannot refuse to install a cookie.
- , cookie, cookie.
- cookie , cookie .
- , , , , .
Example 2. Banner with the correct consent form, which does NOT work on all pages of the site.
For example, consider the French version of huppe.com.
The consent banner displayed on the site complies with the rules we are considering, and the data protection manual, to which there is a link in the text, describes the company's cookie policy in sufficient detail. In the Russian version, the consent banner looks like this:
However, if you dig deeper and try to open not the main page of the site, but, for example , it turns out magic.
The magic lies in the fact that the banner, which seems to meet all the requirements, in fact does not work. The installation of cookies other than strictly necessary ones is not blocked until the permissive actions are taken, which means that the site will definitely not be an "excellent student" anymore. In this case, out of 5 rules, we can say that only rules 2 and 3 are observed.
Example 3. Insufficiently transparent policy for the use of cookies
It also happens that a company is concerned about a working mechanism for obtaining consent, but missed an important detail - transparently provided information about the purpose of specific cookies and terms of their storage. This situation unfolds on the site castrol.com.
The site has a consent banner with the option to manage individual cookies.
And, importantly, the locking mechanism works:
Before obtaining consent
After obtaining consent
However, the information on the use of cookies contains too little specifics - neither a list of persons whose third-party cookies are installed by the site, nor the storage periods of at least individual groups of cookies on the site are provided. In such cases, one of the main principles of the GDPR - Transparency of processing, is violated, therefore rule 3 is not met. An example of a completely transparent cookie policy is the policy published on the website of the European Commission.
In addition to the fact that the above examples are indicative of common mistakes in implementing the requirements of European legislation in the field of data protection and confidentiality, they also demonstrate that the work of European regulators forces many Controllers and Processors to worry about compliance issues. And if two years ago on the vast majority of sites the topic of using cookies did not arise at all, now the situation is changing dramatically, which cannot but please users interested in gaining control over their data - after all, from the words of the European Commission for Data Protection, that’s why was developed by the GDPR.
Practice shows that in the current realities, site owners who are controllers or processors have two options:
- ;
- - cookie-, , , .
,