Website transparency: Cookies and privacy notice
by Tara Taubman-Bassirian LLM
Much has been said and complained about data protection regulation: its cost, the resources it consumes, that it is a business killer, and what else?
What has been forgotten is that the General Data Protection Regulation (GDPR) is not against data processing when it is done with respect for data subject rights. The ever-increasing amount of electronically available data and curation, combined with easy storage tools, justifies better protection. Privacy is a fundamental human right, for dignity and freedom.
The privacy equation is simple: Privacy = Transparency + Control
It is a balance between the rights and freedoms of data subjects and the interests of the business.
Before the GDPR, compliance with the Data Protection Directive lacked uniformity and the required certainty throughout the EU. The new Regulation is based on harmonisation, and the European Data Protection Board (EDPB) is the authority in charge of the consistency mechanism – Article 63 – to make sure the Regulation and its enforcement are applied harmoniously across the national Data Protection Authorities (DPAs).
One of the more pro-active DPAs has been the French Commission Nationale de l’Informatique et des Libertés (CNIL), which has produced many guidelines in both French and English, including a very useful Privacy Impact Assessment (PIA) tool. We could therefore presume that French companies have benefited from all the necessary guidance to comply, after a two-year preparation period and 6 months after the GDPR came into effect.
In two previous articles, we wrote about the CNIL’s report after 6 months of activity and some of their main cases. While the UK ICO has focused more on fining nuisance calls and clarifying data subjects’ right of access after investigating the Facebook Analytica case, the French CNIL’s focus has been:
- clarifying criteria of consent in four cases of Mobile App data collection,
- clarifying CCTV monitoring and biometrics in the workplace,
- clarifying cookie compliance.
What are cookies?
KJ Kearie explains it better than I can in a Comprehensive Guide on cookies, which I recommend you read.
“A cookie is a tiny bit of plain text that a website downloads to a computer when that user’s browser opens a new webpage. They are used to remember useful pieces of data from the users they encounter, acting as an invisible liaison between a domain’s owner and visitors.
A cookie can identify both the user and the browser, and can be left on the user’s device indefinitely. When the user’s browser returns to that website, the cookie connects with the domain and shares with it the data it has collected or stored about that user.”
In terms of functionality, some cookies aim at a better browsing experience, such as remembering the visitor’s language; others, more pernicious, track users’ habits, profiling them for targeted advertising. The data collected has fuelled a huge data brokerage business, raising privacy and security concerns. In November, Privacy International, the UK-based organisation, filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad) and credit referencing agencies (Equifax, Experian) with the data protection authorities in France, Ireland and the UK.
If you think online tracking and profiling are legitimate, watch this video; it is eloquent.
Online, customers deserve the same privacy as offline.
The cookie law, known as the ePrivacy Directive, has long been misunderstood. It is not a useless banner asking you to confirm that you agree to your personal data being collected in order to access the website. In case you have forgotten, an IP address, or any other identifiable information, is considered personal data.
What exactly are website owners’ duties?
To be transparent: to inform their visitors about the personal data they collect, how long it is kept, with whom it is shared, and the data subjects’ rights of access, deletion, rectification and portability. This information should be provided at the time of data collection, be accessible from every webpage, and be written in clear language. The Article 29 Working Party (WP29) guidance requires that
- it must be concise, transparent, intelligible and easily accessible (Article 12.1);
- clear and plain language must be used (Article 12.1);
- the requirement for clear and plain language is of particular importance when providing information to children (Article 12.1);
- it must be in writing “or by other means, including where appropriate, by electronic means” (Article 12.1);
- where requested by the data subject it may be provided orally (Article 12.1) ; and
- it must be provided free of charge (Article 12.5).
In short, a privacy notice is required to provide “Concise, transparent, intelligible and easily accessible” information about the data collected from visitors.
Aligned with the WP29 guidance, the French DPA, the CNIL, requires clear information for visitors and, for cookies that are not exclusively technical, consent. AND – that is very important – opting out of cookie tracking should not be detrimental to the use of the service. This matches the clear position of the Article 29 Working Party, since replaced by the EDPB. For more on Privacy by Design, you might want to follow Ann Cavoukian, who leads the Privacy by Design Centre of Excellence at Ryerson University.
So remember: privacy = transparency + control. That means an obligation to tell visitors what is collected and with whom it is shared, to explain their rights, and to offer a clear opt-out.
Despite all this clear guidance, too many websites are non-compliant.
You would expect lawyers to get it right, being well aware of the regulation. The French bar association, the CNB, has done a good job of informing its members by producing ample guidance to follow.
Additionally, law firms handle sensitive client data and are bound by an obligation of confidentiality. They should be the ones setting the good example. Recently, looking at a few websites of some of the top law firms in Paris, it is outrageous to see that they mostly ignore their obligations: a lack of information about cookies, no privacy notice, or insufficient information. Too many of them collect personal data yet are even tagged as ‘Not Secure’ by the Google Chrome web browser for lack of encryption. [This is when the lock does not show next to the URL, which starts with ‘http’ instead of ‘https’; unencrypted transmission means that the data can be intercepted.] Some of the websites I visited have contact forms for visitors or online candidate applications with CV upload.
When the issue was pointed out, two of the law firms updated their websites to https. One specialised DPO did not consider that a cookie banner or a more comprehensive privacy notice was needed. It is painful to see that members of the law society and big law firms could have so little consideration for the privacy and data protection of clients and web visitors. Too many exchange documents via unencrypted email attachments. These big law firms have opulent clients around the world, including outside the EU. How do they comply with the rules on data transfers to countries without adequate data protection, which includes not just China but the USA as well? We have brought this issue to the CNIL’s attention. Knowing that a website is the shop window of a business, is it not worth the effort to be compliant and respectful of visitors’ personal data?
Data breaches are in the news every day. Have you heard of the Marriott hotels breach that went undetected for four years? Air Canada, British Airways, Cathay Pacific, Yahoo, Equifax, … and many more. Fines will not compensate data subjects for the hassle of dealing with ID theft or financial misuse.
It’s no longer a question of IF but WHEN.
Any data collection creates data breach risk.
I invite you to read Memory, Forgetfulness and Delete, because privacy matters to us all,
and from Alexander Hanff: “Your consent notice should provide a list of all of these assets (unless covered by the “strictly necessary” exception) and provide the option for the data to refuse the loading of any or all of these assets.”
Further reading: Law Firm Internet Security and Data Protection
Follow the ongoing Pearltrees curation.
UPDATE: Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration.
“The Bavarian DPA audited 40 “large websites”. The companies audited were from the following industries:
(a) Online retail ; (b) Sports; (c) Banking & insurance; (d) Media; (e) Automotive & electronics; (f) Home and residential; and (g) Other.
- The sweep revealed that all 40 websites had integrated cookies or other “tracking tools”. While the Bavarian DPA leaves the term “tracking tools” largely undefined, it indicates they are provided by third parties and result in data being sent to these third party providers, such as pixels, beacons, or the like.
The Bavarian DPA found that none of the 40 websites’ cookie practices were GDPR-compliant. It found the following violations:
- Websites lacked the transparency needed for “informed” cookie consent.
- No “prior” consent was collected from users.
- The consent obtained was not sufficiently “active”.
The Bavarian DPA announced it was considering GDPR fines for the website operators.”
From the French regulator, the CNIL: “Online targeted advertisement: what action plan for the CNIL?” here.
The CNIL tweeted: “The legal framework relating to consent has evolved, and so has the website of the CNIL. On http://cnil.fr , no more tracking devices are deposited, as long as the user has not given his active consent”, with the following link.
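The rules described above (Hanff’s list of assets with a per-asset refusal, the Bavarian DPA’s “prior” and “active” consent, the CNIL’s no-tracker-before-consent policy, and the https point) can be expressed as a small consent gate. This is an added example, not code from the article or from any regulator; the asset names, categories and hostnames are constructed for illustration.

```javascript
// Added example (not the article's code); asset names, categories and hosts are constructed.

// Every asset the page would load, with purpose and recipient, so the notice can list
// them. Only "strictly-necessary" assets are exempt from consent.
const ASSETS = [
  { id: 'session-cookie',  category: 'strictly-necessary', purpose: 'keeps you logged in' },
  { id: 'language-cookie', category: 'strictly-necessary', purpose: 'remembers your language' },
  { id: 'analytics-pixel', category: 'analytics',   purpose: 'audience measurement', recipient: 'analytics.example' },
  { id: 'ad-beacon',       category: 'advertising', purpose: 'targeted advertising',  recipient: 'adtech.example' },
];

// No record means no consent: nothing non-essential may load before the visitor chooses.
function noConsent() { return { analytics: false, advertising: false, decidedAt: null }; }

// "Active" consent needs an explicit action: scrolling, continuing to browse or a
// pre-ticked box are rejected as a consent signal.
function recordChoice(choices, source) {
  if (source !== 'user-click') {
    throw new Error('consent must come from an explicit user action, not ' + source);
  }
  return {
    analytics: choices.analytics === true,
    advertising: choices.advertising === true,
    decidedAt: new Date().toISOString(),
  };
}

// Assets allowed to load now. Refusal is never detrimental: the page and its
// essential assets are served whatever the visitor decided.
function assetsToLoad(consent) {
  const c = consent || noConsent();
  return ASSETS.filter(a => a.category === 'strictly-necessary' || c[a.category] === true);
}

// Transparency: what the notice must show for each non-essential asset, each with
// a way to refuse it individually.
function noticeEntries() {
  return ASSETS.filter(a => a.category !== 'strictly-necessary')
    .map(a => ({ id: a.id, purpose: a.purpose, recipient: a.recipient, canRefuse: true }));
}

// Withdrawal must be as easy as consenting: it returns to the "no consent" state.
function withdrawConsent() { return noConsent(); }

// Even an essential cookie is sent only over https (Secure) and hidden from scripts
// (HttpOnly), so an unencrypted connection cannot leak it.
function setCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}
```

A real banner would call `recordChoice` from its button handler and only then inject the script tags for whatever `assetsToLoad` returns.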
This work is licensed under a Creative Commons Attribution 4.0 International License.