GDPR, Consent And You
You have likely noticed (unless you have been on another planet over the past year) that the General Data Protection Regulation came into force in May this year. This is a European Union regulation that affects anyone who handles any information about anyone within the European Union. This makes it a fairly wide-ranging law, as it doesn’t matter whether you or your site are in the EU, only where the person visiting your site or using your service is based.
One of the big aspects of GDPR is the idea of consent in relation to the collection and use of personal data. This is very important and relates to almost every website and service. Even if you think that you don’t deal with personal data, you may still find that this law becomes relevant to you.
Personal Data
GDPR takes a very simple view on what personal data is, namely: “any information relating to an identified or identifiable natural person.” This is quite broad, and the regulation goes on to clarify that IP addresses, cookie identifiers and other identifiers used with online services that could be combined with other data to identify a person should be considered personal data. As almost any website that is more than flat HTML files uses cookies to help identify users, there’s a strong chance that these GDPR restrictions apply to you.
Cookies
In the past, cookies were just silently used on websites without any information given to the users about their use or even existence. The EU passed regulations in 2012 that meant that all websites that use cookies to identify and track their users for purposes that weren’t essential for the use of the website should inform the users about cookies in use and gain consent. This meant that websites often popped up messages asking users to click “Ok” to consent to the use of cookies, or informed users that their repeated use of the site would constitute consent to using the cookies.
With GDPR, the EU has taken these rules and strengthened them. Now it insists that the user must explicitly consent and that you shouldn’t use the cookies without that consent. It’s no longer permissible to imply consent from a user’s continued use of a site after a warning. The user needs to click a link or a button that confirms their consent, or do something similar that can clearly be recorded as consent. In addition to not allowing implied consent, it also makes clear that a lack of consent should not be detrimental to a user using the site or service. This is a big one, as it means that forcing users to consent to the use of cookies in order to use the site could be seen as not giving the user the freedom to consent, and thus the consent is not valid.
As well as obtaining clear consent to the use of cookies, GDPR also states that the user must be aware of everything they are consenting to. So everything that you are using the cookies for should be explicitly outlined in the statement that the user reads when they are providing their consent to their use. Again, this is a huge shift from the previous rules where you could get away with simply stating that cookies were in use with little explanation as to why.
Consent
Finally, a user should now be able to withdraw their consent to having their information used, and withdrawing consent should be as simple as giving it. When the user consents they should be informed about their ability to later withdraw that consent. They should also be able to request that all information relating to them be deleted and no longer used.
At present, this is something that a lot of people are still trying to get right, months after GDPR came into force. The main points to keep in mind when you next revamp your site are to think about how you use cookies, how you can explain them to your users, and how to ensure that they clearly consent to their use. This should help you stay on the safe side of the rules.