Why cookie consent is not enough for GDPR compliance?
Is GDPR about cookie consent? No. The common misbelief is that compliance on digital properties equals cookie consent. Cookie usage and its related consent acquisition are not governed by the GDPR, but by the ePrivacy Directive.
The requirement of getting consent for cookie usage concerns the storing of information (or the gaining of access to information already stored) in someone’s terminal.
Website cookies are caught, but so are many other bits of data that can be processed. Even though popular, cookies are simply a storage mechanism and they do nothing (unlike the software that uses them). There are also beacons, device fingerprints, tracking pixels, scripts, local storage and a lot more you probably didn’t know of.
It is important to know that for each external resource loaded on a webpage (including a simple font from Google Fonts to make your website prettier) you automatically force the browser to pass information to those third parties’ servers including: IP address of your visitor, currently visited page, browser type, version, device type, operating system, language settings of the browser, plus all the cookies set by that respective domain in the user’s browser. There is nothing wrong with that, as this is how the entire web was constructed. However, according to GDPR some of these data points qualify as personal data and you should make your users aware.
GDPR is not about cookies, but about who set the cookies and what for.
It is all about who processes, what information about the user, for what purpose(s), how and where is the data handled, who can access it, and who benefits of this data being processed.
In most cases your reasons to process data are valid, and users will understand and allow you to do so. But they need to know what’s happening and be asked if they’re OK with that, as some of these types of processing require explicit consent from them.
What you should know is that most of the apps you use for marketing purposes do profiling and automated decision-making (including the very popular Facebook Pixel, Google Ads, machine-learning enabled applications to recommend products, various codes/tags you get from your agency or retargeting services). And these applications don’t solely rely on cookies, but other tracking means and storage mechanisms as well.
EDPS (European Data Protection Supervisor) provides a complex classification of tracking technologies (cookies, device fingerprinting, local storage etc.) and explains that all records containing identifiers, including IP addresses, which can be used to single-out users, are considered as personal data and must be managed and protected as such.
It is also about the companies processing user data and the purpose of each processing operation.
The tracking technologies and applications are just the means to do it. What really matters is the impact that data processing has on individuals. They have the right to know and agree/ object.
That’s why the user has to consent to certain purposes (not cookies!), while being informed on all the processing details (the identity of the controller or joint controllers, processors and recipients, the purpose, data that will be collected and used, the fact that the user has the right to withdraw consent, information regarding the use of data for profiling and automated decisions etc.)
Let’s review a bit:
- Current level of technology is not limited to cookies to track people.
- Know and tell the user who is processing, what data and to what purpose.
- You should not ask consent for cookies, but for processing purposes.
- Ask consent before running those applications on your website.
Avandor Consent is not a cookie consent solution, nor a “cookie-based” one. It focuses on data processing flows, and automatically recognizes what applications are being used on a site and what companies are doing the processing. There’s a lot more about tracking technologies that our specialists can tell you once you start deploying Avandor Consent Manager. Find out more here.