For years now, whenever I search for flights or a hotel on the internet I do a little dance. I do my research. I figure out what flights suit and which hotel I would like to stay in. Then I close my browser, clear out all my cookies and open the browser in incognito mode. Then and only then will I make my bookings.
I feel like a conspiracy theorist, with about 20 different locks on a lead-lined apartment door, just in case whatever I am afraid of really is out to get me. But the reality is that these are wise precautions that don't take much time and have saved me significant sums of money along the way. The problem is that they take knowledge and patience.
It's time to think about Cookies
Like most Data Protection professionals, my attention has been focused recently on the topic of cookies. What a wild journey that has been! No really, I am serious.
First of all, we decided it was a topic we needed to get on top of for our clients.
Then, the Data Protection Commission released an excellent report that highlights in detail the various concerns with how cookies are handled and, more importantly, sets out its expectations around compliance.
And this week the Spanish Supervisory Authority issued its first cookie non-compliance fine, to Twitter for €30,000, giving us all an indication of what to expect when our own Data Protection Commission follows through on its promise to start actively fining for non-compliance in October.
Embarking on the Cookie journey
For those of you who think those annoying cookie banners are a nuisance, and who ask what's wrong with a bit of targeted advertising anyway, I say this: the more you learn about cookies, the more you realise just how intrusive tracking technologies are.
Getting your cookie management right is more than just an annoying compliance activity. It is actually very important and a measure of respect for your customers.
Let me tell you a story to highlight some of the common problems I have encountered on this exciting rollercoaster cookie journey so far:
Your marketing team runs a short targeting campaign, often to trial a third-party marketing service. Years later the cookies put in place by the external company that ran that campaign for them are still there, motoring away, collecting lots of data about website visitors and sharing it with the external company.
But your company is no longer benefiting from the campaign or actively looking at the analytics. Nor are your customers or potential customers visiting your website getting any benefit either; they are just grinding their teeth and getting used to being constantly tracked.
You decide you need to address this and go looking for information. You use LinkedIn, YouTube, Facebook and Twitter, so you go to their websites to try to find out more about the third-party tracking cookies and web beacons that are an inherent part of these services. Guess what: you will find lots of information about people wanting to choose the content they see and to make "ads more relevant to your audience" or to "improve the user experience".
Most of the roadblocks you will encounter are due to lack of clear information
However, when you want the transparency information you actually need, which is detail about what each cookie does, how and when it is dropped on a device and how to manage it, that is much more difficult to find.
You will get information like "Browser Identifier" and "Used for Routing". Thanks for the plain-English, detailed explanation, guys!
Then you discover Cookiepedia. It's not a first-party source, but at least if the information is accurate it should be helpful. Cookiepedia claims to offer "All you need to know about cookies". Delightful, and useful too. But some of the most widely used cookies I have come across are listed with the following information: "There is not yet any general information about this cookie based on its name only. If you have any information about this cookie, please get in touch. The main purpose of this cookie is: Unknown".
I’ve gone directly to source on some of these with no joy to date. I have been pointed at the “cookie notice on our website”. I have been met with deafening silence. Not once have I received the information requested despite my requests being quite simple – “Please tell me more about the third-party cookies you drop on the devices of visitors to my website. I want to know how they work, what information they collect and how I can manage them.”
Coming to the end of the road
It’s not hard to conclude cookies are a dark art and you need a cookie wizarding degree to figure them out properly.
At this stage, I have spent a lot of time on this topic. I am still frustrated by the lack of information – or rather by the overwhelming difficulty accessing the information. I am still frustrated by the fact that you can’t use some (very prominent) internet services and meet all your compliance requirements without implementing some very convoluted workarounds.
But at least I am gradually mastering the topic and I am pleased to say that I have managed to get a couple of clients over the line – with a lot of help along the way from a few very engaged web developers and marketing people (you know who you are and thank you!).
This has been an eye-opening journey. I have changed my behaviour online because of some of the things I've learned. I now know for certain that cookie banners are more than an annoying tick-box compliance exercise; they are a very imperfect defence against the sea of tracking that is going on.
What can I pass on to you from all that I have learned?
- Read the DPC report carefully and understand the expectations that are clearly laid out in there.
- Take note of the October compliance deadline in the DPC report and ensure you tackle this in time to be compliant.
- Get a good cookie management tool in place that (1) is capable of gathering GDPR-compliant consent, (2) is always accessible to your website users so that they can withdraw consent if they choose to, and (3) does what it says on the tin: don't drop any cookies before the user accepts them, and ensure they are removed if consent is later withdrawn.
- Review your cookies and ensure you are not dropping more cookies than you need to, and that each has a reasonable retention period set that is in line with its purpose for processing.
- Draft up a good cookie notice that clearly explains what cookies your website drops and the purposes for processing for each of those cookies.
- Get some change management processes in place to ensure that any future changes to your cookies are handled correctly.
- You may need a guidance document that sets out the standards you require to be met. This would be particularly important if your organisation has multiple web properties. You need to determine what types of cookies are acceptable.
- And finally, elevate this to your senior management team. Make sure they understand what is happening here and what the risks are. I have been on websites where I am convinced no member of the senior management team ever questioned the what, why and how much of the cookies dropped by their sites, because if they had, I think those websites would behave a lot differently than they currently do.
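To make the "does what it says on the tin" and "review your cookies" points concrete, here is an added example (my own illustration, not code from the post or from any cookie management product) of a consent gate and a small review helper. The cookie names, categories, lifetimes and retention ceilings are all constructed for the demo, and the in-memory cookie jar stands in for `document.cookie` so the logic can run outside a browser.

```javascript
// Added example (not code from the original post): a small consent gate that
// only sets non-essential cookies after consent and removes them again when
// consent is withdrawn, plus a review helper that flags undeclared cookies and
// over-long retention. Cookie names, categories and limits are constructed.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Minimal cookie-jar interface. In a browser this would be backed by
// document.cookie; here it is an in-memory map so the example runs offline.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, maxAgeSeconds) { this.store.set(name, { value, maxAgeSeconds }); }
  get(name) { const c = this.store.get(name); return c ? c.value : undefined; }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  // registry: { cookieName: { category, maxAgeSeconds, load(jar) } }
  constructor(jar, registry) {
    this.jar = jar;
    this.registry = registry;
    // Strictly necessary cookies are exempt from consent; every other
    // category is off until the user actively opts in.
    this.consent = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  }

  // Record the user's choice (true only where they explicitly opted in) and
  // immediately enforce it, so withdrawal takes effect without a reload.
  setConsent(choices) {
    for (const c of CATEGORIES) {
      if (c === "necessary") continue;
      this.consent[c] = choices[c] === true;
    }
    this.apply();
  }

  // Load cookies whose category is consented; delete every cookie whose
  // category is not. This is the part most "banners" forget to do.
  apply() {
    for (const [name, spec] of Object.entries(this.registry)) {
      if (!CATEGORIES.includes(spec.category)) throw new Error(`unknown category for ${name}`);
      if (this.consent[spec.category]) {
        if (this.jar.get(name) === undefined) spec.load(this.jar);
      } else {
        this.jar.delete(name);
      }
    }
  }
}

// Review helper: compare what is actually set against the declared registry
// and a per-category retention ceiling (in days). Returns what to chase up.
function auditCookies(jar, registry, maxDaysByCategory) {
  const undeclared = jar.names().filter((n) => !(n in registry));
  const overRetention = Object.entries(registry)
    .filter(([, spec]) => spec.maxAgeSeconds > maxDaysByCategory[spec.category] * 86400)
    .map(([name]) => name);
  return { undeclared, overRetention };
}

// Constructed registry: one strictly necessary cookie, one analytics cookie
// with an unreasonably long lifetime, and one marketing cookie.
const DAY = 86400;
const demoRegistry = {
  session_id:     { category: "necessary", maxAgeSeconds: 1 * DAY,
                    load: (jar) => jar.set("session_id", "s-123", 1 * DAY) },
  site_analytics: { category: "analytics", maxAgeSeconds: 730 * DAY,
                    load: (jar) => jar.set("site_analytics", "a-456", 730 * DAY) },
  ad_tracker:     { category: "marketing", maxAgeSeconds: 90 * DAY,
                    load: (jar) => jar.set("ad_tracker", "m-789", 90 * DAY) },
};
const demoRetentionPolicy = { necessary: 1, analytics: 395, marketing: 90 }; // constructed ceilings

function runDemo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar, demoRegistry);
  cm.apply();                                  // banner shown, nothing chosen yet
  const beforeConsent = jar.names();           // only the necessary cookie
  cm.setConsent({ analytics: true, marketing: true });
  const afterConsent = jar.names();            // all three
  cm.setConsent({ analytics: true, marketing: false });
  const afterWithdrawal = jar.names();         // ad_tracker removed
  jar.set("legacy_campaign", "x", 365 * DAY);  // constructed leftover from an old campaign
  const audit = auditCookies(jar, demoRegistry, demoRetentionPolicy);
  return { beforeConsent, afterConsent, afterWithdrawal, audit };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Two caveats matter in a real deployment. First, a script on your site cannot delete cookies that a vendor set on the vendor's own domain (the browser's same-origin rules prevent it), so for third-party tags the only real lever is not loading the vendor's script or pixel until consent exists, and pointing users at the vendor's own opt-out for anything already set. Second, cookies flagged `HttpOnly` are invisible to JavaScript, so removing those on withdrawal has to happen server-side by expiring them in the response.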
While it's harder than it should be to get your cookie house in order, mainly due to the lack of clear information from almost all of the major internet players who are the source of the third-party cookies dropped on your users' devices, it's not impossible. It just takes some time and attention and a small pinch of dogged determination!