How to comply with the EU ePrivacy directive's cookie laws by October
We recently talked to our Head of Strategy about the October deadline for cookie compliance, but what actually needs to be done by then?
The key requirements are set out in Article 5(3) of the ePrivacy Directive and state as follows:
Organisations should provide such individuals with comprehensive information (in accordance with Directive 95/46/EC) including but not limited to:
- Identity of the organisation and its representative, if any;
- Purpose of processing for which the data is intended;
- Additional details such as the recipients or categories of recipients of the data, whether provision of requested data is obligatory or voluntary, and the consequences of failure to respond to the request, existence of the individual's rights to access, correction, amendment, and/or deletion etc.
Organisations should provide individuals with a means to consent to and/or object to such processing.
Understanding the requirements
The legislation and the updated guidance from the DPC are designed to protect all internet users. Think about what you would like to know, and be in control of, with respect to your own data. Putting users and data privacy first, the Data Protection Commissioner aims to ensure that organisations are complying with the law, are providing users with the information they need, and are giving them control over the collection of their data.
Now, if you are a business and want to collect and use your website users’ information, you need to:
- Inform your users about who is collecting the data.
- Ask the person for permission to collect their data in a clear, direct and easily accessible manner.
- Give the person the option to give, withhold, or withdraw their consent, should they change their mind, for each cookie (i.e. each reason for using their information).
- Explain to the person whose consent you are asking for what data will be collected, why you want to collect it, and how your business is going to use it.
- Lastly, if you are collecting and storing personal information, you need to ensure its safety and apply the GDPR.
Translating the requirements into practice
Now that it all makes sense, let’s take the DPC guidelines one step further and try to understand what measures you must put in place before October 5th. We have outlined the main eight:
- Consent must be acquired for all non-essential cookies. Websites must not be designed to favour acceptance over non-acceptance.
- Cookie information must be user-friendly. Legal jargon and redirecting to general terms and conditions should be avoided.
- User interfaces should be developed so that users can change their preferences at any time.
- Retention periods appropriate to the purpose for which the cookie is used should be set and enforced.
- These rules apply to all data, not just personal data. However, where the data is personal, the GDPR also applies.
- Cookie walls are banned, i.e. preventing a user from accessing a website if they do not accept cookies.
- Cookie and privacy policies should be accessible and kept up to date. The ability to read these policies must not be obscured by cookie banners.
- Joint-controller arrangements should be considered where data is shared with third parties using these technologies.
We are currently working with our partner OneTrust, the most widely used platform for operationalising privacy, security and governance, to make sure all our clients are compliant and ready for the October check-in point.
If you would like our help or advice getting ready, contact us today.
Watch the recording of our joint webinar with OneTrust and download the deck here.