Article by DataGRC Ltd. 13th August 2018.
Forget orange being the new black.
Data Protection Cookie pop-ups are the new fashion statement for websites.
Do you go big and bold? Proudly stating your Cookie usage to all visitors?
Do you adopt a more discreet "we're here if you need us" approach?
There's so much pressure for a little pop-up, which the vast majority of people won't even care about, won't want to see, and won't click on!
We were glad to hear directly from the ICO today that they are revising their guidance. Unsurprisingly, they are unable to provide advice on law that has yet to be passed (the ePrivacy Regulation - we can't wait), but they do highlight that existing guidance is still available on their website.
Some of the new Cookie styles are a result of the GDPR Consent requirements to be "active, detailed and granular".
PECR 2003 (UK's underlying legislation for Cookies) and its five amendments ironically don't specifically mention "Cookies". This is reminiscent of Facebook's attempts to have their "£180k fine per day" case thrown out of court in Belgium, based on Cookie not being a real word in French, Dutch or German. International Scrabble players watched with interest!
PECR does speak about the use of an "electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber". Of course this also has interesting implications for mobile apps, which weren't really prevalent in 2003, in addition to "Cookies". The PECR obligation for "consent" doesn't appear until the 2011 (2108) amendment. Historic guidance suggests this was intended more as GDPR "Legitimate Interest" than GDPR-grade "Consent", based on documentation and live case studies. We wait to see whether there is a backtracking in PECR, away from that GDPR-grade consent, or whether those in power will decide that the risk Cookies create for our privacy rights really is that great. Immediate feedback from our nearest and dearest suggests there is greater frustration from pop-ups everywhere than from having usage data stored, with the exception of sites where sensitive data is processed.
Either way, it certainly makes a change for PECR conversations to be about something other than unsolicited direct marketing!
You may also like to consider our general rule of thumb, that if you're doing something that's equivalent to what the ICO does, you can't be too far out...
Post the URL link for this article on social media for a free thumbs up!
The information provided above is general rantings of a well-experienced data protection and information security consultant. In no way should this information be treated as advice. Any action taken as a result of reading this article is at the reader's own risk. DataGRC will not be liable for any damages or harm caused. No Cookie Monsters were harmed in the making of this article.
That said, DataGRC advisors can help with your specific scenarios. Please contact us to discuss your assessment, training and remediation requirements.