GDPR, PECD and Cookies – Who Is Right?

bailey

18-04-18
Tracking and profiling technology is probably, and unfortunately, not among a company's top concerns in its struggle to comply with the EU GDPR; it should not be underestimated by any company, though.

The debate over whether cookies, pixel tags, web beacons and the like fall under the GDPR, the PECD or both is raging, and it is worth putting some stakes in the ground.

Here is what I have learned on this matter, summarised in four points, which may help bring some clarity to the subject.

1) Regulations, Directives

The EU GDPR is a "regulation"; the PECD (Directive 2002/58/EC, also called the "e-privacy directive" or "cookie law") is a "directive".

Regulations are binding in their entirety and directly applicable in every Member State from a set date, without national implementing legislation. Directives, instead, lay down results that must be achieved, but each Member State is free to decide how to transpose them into national law, so the cookie rules a site actually faces are the national transposition of the PECD.

2) Consent

First and foremost, the GDPR now sets the standard for consent under the PECD. The PECD does not define consent itself: it borrows the definition from the Data Protection Directive 95/46/EC, which the GDPR replaced, and Article 94 GDPR reads references to 95/46/EC as references to the GDPR. Cookie consent therefore has to meet the GDPR definition: freely given, specific, informed and unambiguous, given by a clear affirmative act; silence, pre-ticked boxes or inactivity are not consent (Article 4(11) and Recital 32).

Most current cookie banners stem from a loose reading of the PECD and rely on "implied consent" (keep browsing and you have agreed), which does not meet that definition. Cookies are dropped on the user's device before any opt-in is offered, and personal data (the GDPR term; the narrower "PII", Personally Identifiable Information, is common in industry usage) is captured immediately. Company domains need new banners that give the GDPR-relevant information about each tracking technology (who sets it, what it collects, why, and where the personal data may end up) and that block, until consent is given, every cookie that is not strictly necessary. Only cookies strictly necessary to provide a service the user has asked for are exempt from consent under Article 5(3) PECD; any processing of personal data they involve still needs a GDPR lawful basis, which may be legitimate interests. Everything else requires consent, and that consent should be recorded so that it can be demonstrated later (Article 7(1) GDPR).

Under the GDPR, tracking technology should be dropped on a user's device only after explicit consent, not before; this is not yet common practice.

3) Time

Given the complexity of the EU legislative process, it is unlikely that the PECD will be replaced by the proposed ePrivacy Regulation (PECR, from directive to regulation) within a year of GDPR enforcement (25 May 2018).

It is also highly likely that the ePrivacy Regulation will be aligned with the GDPR: clearly there is scope for solutions that let users opt in to tracking technologies and later review or withdraw that consent, across all device platforms.

4) Third parties

Domain owners should audit all tracking technologies on their websites, including third-party ones, which carry the risk of passing personal data on to unknown parties in breach of the GDPR. It is therefore important to be able to identify and block any cookie or tracking technology that can tag users and pass personal data further down the line before clear opt-in consent is given.

By the time cookies are dropped on a domain, and even before they are blocked, the scripts that set them have often already fired a number of further tags; there are several known cases of such tag chains being piggy-backed by malicious parties to inject malware into IT systems.

Tooling is needed to capture, monitor and process any addition of tracking technologies to a domain, including ones not known today, and to report their who, what, why and where. This information is necessary for compliance and, in the event of a security breach, to demonstrate to the ICO (the UK supervisory authority) that reasonable effort has been made to comply.
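The two practical obligations in points 2 and 4, gate every non-essential tag on an explicit opt-in that is recorded, and audit what is actually being set against what has been declared, can be implemented with a few dozen lines of browser JavaScript. The block below is an added example, not code from the original post or from any vendor: the tag manifest, vendor names, cookie names and script URLs are constructed for illustration, and the consent record format is an assumption.

```javascript
// Added example (not from the original post): a consent-gated tag loader
// plus a cookie audit. Tag ids, vendors, cookie names and URLs are
// constructed for illustration, not a real site's inventory.

// Manifest: every tracking technology on the domain, with the who/what/why/where
// a banner must disclose. Only "necessary" tags may run without consent
// (the strictly-necessary exemption in Article 5(3) PECD).
const TAG_MANIFEST = [
  { id: "session",   category: "necessary",
    who: "first party",            what: "session cookie 'sid'",
    why: "keep the user logged in", where: "EU (own servers)",
    cookies: ["sid"] },
  { id: "analytics", category: "analytics",
    who: "Example Analytics Ltd (assumed vendor)", what: "cookies '_ea', '_ea_id'",
    why: "traffic measurement",    where: "US (vendor cloud)",
    cookies: ["_ea", "_ea_id"],    src: "https://analytics.example/tag.js" },
  { id: "ads",       category: "marketing",
    who: "AdNet Inc. (assumed vendor)", what: "pixel + cookie 'adn_uid'",
    why: "retargeting",            where: "US, resold to unknown partners",
    cookies: ["adn_uid"],          src: "https://adnet.example/pixel.js" },
];

// Consent record (assumed format). Nothing is granted until the user makes an
// explicit per-category choice: silence, scrolling or a pre-ticked box never
// reach recordConsent, and anything that is not a boolean is rejected.
function newConsentRecord() {
  return { version: 1, recordedAt: null, choices: {} };
}

function recordConsent(record, category, granted, now = new Date()) {
  if (typeof granted !== "boolean") {
    throw new TypeError("consent must be an explicit boolean choice");
  }
  return {
    ...record,
    recordedAt: now.toISOString(),          // timestamp proves when consent was given
    choices: { ...record.choices, [category]: granted },
  };
}

// Which tags may run: necessary tags always, everything else only when its
// category was affirmatively granted (absent === not granted).
function permittedTags(manifest, record) {
  return manifest.filter(t => t.category === "necessary" || record.choices[t.category] === true);
}

function blockedTags(manifest, record) {
  const ok = new Set(permittedTags(manifest, record).map(t => t.id));
  return manifest.filter(t => !ok.has(t.id));
}

// Audit: compare the cookies actually present (document.cookie or a captured
// Cookie header) with what the manifest declares and what consent allows.
function parseCookieHeader(cookieString) {
  return cookieString.split(";").map(s => s.trim()).filter(Boolean).map(s => s.split("=")[0]);
}

function auditCookies(cookieString, manifest, record) {
  const declared = new Set(manifest.flatMap(t => t.cookies));
  const allowed = new Set(permittedTags(manifest, record).flatMap(t => t.cookies));
  const report = { undeclared: [], setWithoutConsent: [] };
  for (const name of parseCookieHeader(cookieString)) {
    if (!declared.has(name)) report.undeclared.push(name);          // nobody signed this one off
    else if (!allowed.has(name)) report.setWithoutConsent.push(name); // declared, but dropped early
  }
  return report;
}

// Browser side: inject only the permitted third-party scripts. Outside a
// browser (no document) it just reports what it would have loaded, so the
// decision logic can be exercised on its own.
function loadPermitted(manifest, record) {
  const tags = permittedTags(manifest, record).filter(t => t.src);
  if (typeof document !== "undefined") {
    for (const t of tags) {
      const s = document.createElement("script");
      s.src = t.src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  return tags.map(t => t.id);
}

// Walk-through with a constructed cookie header.
const before = newConsentRecord();
console.log("before consent:", loadPermitted(TAG_MANIFEST, before));          // []
const after = recordConsent(before, "analytics", true);
console.log("after analytics opt-in:", loadPermitted(TAG_MANIFEST, after));   // ["analytics"]
console.log(auditCookies("sid=abc; _ea=1; adn_uid=42; _fbp=xyz", TAG_MANIFEST, after));
```

The audit distinguishes two findings a domain owner needs to act on separately: a cookie that no manifest entry declares (an unknown or piggy-backed tag, the case point 4 warns about) and a declared cookie set before its category was granted (a tag firing ahead of the banner). The consent record is what would be stored server-side to show a supervisory authority that opt-in was obtained and when.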

Finally, over and above the legal risk of non-compliance with the GDPR, let us not forget the reputational and operational risks of ignoring third-party tracking technologies on a domain: they can lead to loss or damage of sensitive data and revenue, and expose a company to unfair competition.