Securiti Named a 2022 Cool Vendor in Data Security by Gartner

Download Now
Free Trial Schedule a Demo

Blogs

The Ultimate Guide to Cookie Laws & Regulations

Published on July 12, 2021 AUTHOR - PRIVACY RESEARCH TEAM

On every website you ever visit, you probably have had to accept or decline certain cookies via a cookie notice or banner. Some of those cookies are there to track your browsing activities and can be traced back to your browser. They are also storing your data which can be seen as a threat if not secured properly. Global privacy regulations are coming up with rules for organizations to abide by when collecting personal data via cookies and processing these cookies for various purposes.

The Cookie Law Explained

The GDPR focuses on organizations collecting freely given consent from their customers before they store or process any of their personal data, which includes dropping cookies on their website. Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR, and it has to have several pieces in place.

Consent Requirements

Under the GDPR, customers need to be fully informed about the types of cookies that are being stored and why they are being stored before the consumer can give them consent. Under the GDPR, consent needs to be:

  1. Freely-given
  2. Specific
  3. Informed
  4. Unambiguous

Cookie Policy

The GDPR requires organizations to have the following included in their cookie policy:

  • What information is collected
  • What you do with consumer information
  • How you protect consumer information
  • If you disclose any information to third parties
  • How you store consumer information
  • How users may access, migrate, request rectification, restriction or deletion of information

EU Cookie Laws Impact on Businesses

The GDPR and e-Privacy Directive both aim to ensure an appropriate level of confidentiality and security of European Union Residents' data.

The e-Privacy Directive provides a guideline on cookies which is why it was originally known as the “cookie law”. This is not the case with the GDPR as it does not explicitly state any guidelines or requirements based on cookies. The e-Privacy Directive requires organizations to provide comprehensive and easily understandable information with regards to the processing of cookies. These organizations must acquire the informed consent of users before tracking them with cookies. Although the GDPR does not mention cookies specifically, it classifies cookies as an “online identifier,” meaning that it may be considered personal data under certain circumstances.

Read more about EU Cookie Laws

Impact of the EU Guidelines on the U.S.

The E-Privacy Directive does not have a clear extraterritorial scope, which means that if a company does not have any physical presence or operation in the EU, they do not need to comply with the cookie guidelines.

On the other hand, the GDPR has clear extraterritorial scope. It covers the processing of personal data within the EU as well as outside the EU if the organization is offering goods and services to EU data subjects. If an organization's website targets EU consumers in accepting e-commerce payments in Euros as an alternative to U.S. dollars, or if the site's use of cookies amounts to intentionally "monitoring" the behavior of visitors who are in the EU, the GDPR likely applies to the organization.

PII and Cookies

PII (Personally Identifiable Information):

Under Article 9 of the GDPR, sensitive data is defined as the following:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • trade-union membership;
  • genetic data, biometric data processed solely to identify a human being;
  • health-related data;
  • data concerning a person’s sex life or sensitive data.

Cookie/online identifiers:

Although the GDPR does not talk about cookies specifically, it does mention “online identifiers under Article 4, recital 30 of the GDPR. The article states:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” 

Penalties Due to Non-Compliance

The EU cookie legislation depends on the government to set specific penalties for noncompliance. Here are some of the penalties an organization can face due to non-compliance:

  1. Regulators can request organizations for information that is stored in the website. This may include:
    1. Types of cookies your site uses
    2. Links to the cookie information section
    3. Identifiers of compliance
  2. Regulators can ask organizations to make changes to help them be more compliant with the EU guidelines. This can be requested or even enforced to be done in a set amount of time.
  3. Depending on the country, the organization can face a monetary fine based on the severity of non-compliance.

Compliance Checklist

There are several ways in which an organization can simplify their compliance practices. Here are a few steps that can be taken in order to make this process easier.

Improve Privacy Policy

The first step towards staying compliant with cookie laws is to understand your privacy policy and revamp it based on guidelines and regulations. The GDPR contains stringent regulations regarding an organization’s privacy policy, how it must be written, what it must contain, and how it must be accessed.

Audit Databases

Organizations will need to audit their databases for opt-in consent. The GDPR is an Opt-In consent regime and it is paramount to obtain explicit consent from an individual before processing their data.

Create an Opt-In Process

For any new contact details, organizations need to ensure a process to gather the required level of opt-in for each new entry. GDPR stipulates that consent from consumers must now be gathered by them actively opting-in, rather than them having to opt-out.

Review Third Party Access

Third-party access can be one of the major threats to compliance because your organization may get penalized for someone else’s negligence. It is important to review what third parties you share data with, how they use it, and what their GDPR policies are.

Streamline DSR Fulfilment

GDPR regulations require organizations to respond to a consumer’s "request for information" within one month at the latest.

How Securiti Can Help?

Organizations are required under law to protect a consumer's data and obtain consent before collecting or storing any of this data. Securiti's PrivacyOps approach enables organizations to fulfill cookie requirements with the help of robotic automation and artificial intelligence. Here is how it can help:

  1. Automatic Scanning:
    In order to manage cookies in an effective manner, the first step is to keep track of all your cookies. Securiti helps track and classify cookies on your digital properties (i.e desktop, mobile websites) through automatic scanning.
  2. Customizable Cookie Banners:
    Securiti offers a cookie banner to capture freely given consent from the consumer. These banners can then be customized to your company’s branding guidelines.
  3. Consent Revocations:
    Under European law, consumers have the right to revoke their consent at any time. Securiti offers a preference center that simplifies the process of revoking consent and honoring the revocation.
  4. Demonstrate Compliance:
    Securiti maintains comprehensive records of consent for compliance reporting and audit trail.

Conclusion

Consumers' data being tracked by third-party entities via cookies can be deemed a privacy threat. Privacy regulations are in place to ensure that this data is handled in a safe and ethical manner, meaning nothing can be processed without the consumer's freely given consent. This will, in turn, protect the consumer's privacy and give organizations a reason to adopt a first-party approach when trying to obtain consumers' data.

Data is growing at an exponential rate, and keeping track of all this data is becoming a virtually impossible task with each passing day.  Automation is necessary, now more than ever, for any organization that is hoping to comply with privacy regulations in a scalable way.

Scan your website and maintain GDPR/CCPA/LGPD compliant cookie consent - FREE

Provide a simple and secure way for your visitors to exercise their right to opt out of the sale of their information to advertisers.

Already a user? Log in

To learn more about how Securiti can help, request a demo.

Share this

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Related Content

View More

June 21, 2022

The Ultimate Guide to Privacy Impact Assessments for CPRA

When the California Privacy Rights Act (CPRA) comes into effect, replacing the existing California Consumer Privacy Act (CCPA), organizations will have to change their current business practices around personal information handling. One significant change will be Regular Risk...

View More

June 12, 2022

Employer’s Data Obligation Under Thailand’s PDPA

Thailand's Personal Data Protection Act (the "PDPA") is a comprehensive data privacy law that aims to protect the privacy of Thailand’s citizens. The PDPA was said to go into effect on 27 May 2020. However, the PDPA went...

View More

June 3, 2022

Data Subject Rights under California Privacy Rights Act (CPRA)

Data privacy laws have gained increased importance worldwide in the past couple of years. Multiple factors have played a role in this phenomenon, the most important being the necessity to protect users’ data, freedom, and rights to privacy....

 

Products

Solutions

Systems

Newsletter

Users love Securiti on G2

Company

Resources

Terms

Get in touch

[email protected]
PO Box 13039,
Coyote CA 95013

Copyright © 2022 Securiti

Sitemap - XML Sitemap

Securiti PrivacyOps Named a Leader in The Forrester WaveTM

View