Clear up your Cookie Crumbs!
Some say, the name for internet cookies came from the fairy tale about two children called Hansel and Gretel. The children were able to mark their trail through a dark forest by dropping ‘cookie crumbs’ behind them so that they could see where they had been. There are a number of other theories as to the origins of the internet cookie. But, irrespective of how they emerged, internet cookies are a fact of browsing life, whether that’s to enable ‘a better browsing experience’, analyse our activities online or to provide us with targeted marketing. They can inhabit our computers, unseen, until we delete them.
Now, I’m not a Cookie expert, nor am I a web developer, but as I engage clients in relation to assessing their compliance with the General Data Protection Regulations (GDPR), I find myself getting more familiar with them as I ask questions of senior managers in companies and their web developers. Questions like, “What Cookies are deployed on your website?” or, “Is the aggregated data sent to Google Analytics irreversible anonymised?”, “How do you store consent?”. Now, it may come as no surprise that the majority of website owners just don’t know what a Cookie is, let alone what it does and if they even have any! I’m also quite surprised (and slightly worried) that I have encountered some DIY web developers that also don’t know.
So why am I so interested? I’m a security consultant and focussed on Data Privacy and the implementation of the new General Data Protection Regulations (GDPR). The GDPR represents a major shakeup of data protection and has already passed into UK law, being enacted on the 25th May 2018. If you are anybody offering goods or services, for payment or for free, then I’d encourage you to read on.
This new law, drawn from good practice across Europe, including the UK’s Data Protection Act, takes into account the digital age and the higher risks ordinary people face when companies and organisations play fast and loose with their data. After all, why should we just accept that it’s a fact of life to receive scam emails or risk having our identities stolen? We are all Data Subjects and we should all expect the highest standards of data protection form those we entrust with it!
In summary, the GDPR aims to prevent security breaches and the loss of personal data by organisations that hold or process Personally Identifiable Information (PII) and it affects any organisation that offers goods or services (even free ones) or monitors the behaviour of EU citizens. PII is redefined and such is its modernity, not only does it include name, address, and the usual suspects that identify us, but also email addresses, IP addresses, Location Data, Biometric and Genetic Data (for identification purposes) to name but a few. Remember also, processing data is defined as obtaining, recording, or holding the information or data or carrying out any operation or set of operations on the information or data. So, someone’s CV sitting on your computer drive? Client information on the CRM? Staff information on the HR system? Please don’t make the mistake of thinking this is just an IT issue, it applies to all PII whether held on paper or computer document/ file.
The scope of the GDPR is much wider than our Data Protection Act (DPA). The GDPR protects the data of EU citizens regardless of whether the company is EU based or not. Brexit is irrelevant as unless the UK has a Data Privacy law deemed adequate by the EU, UK organisations will not be able to send data into, or receive from the EU. Whilst on the subject, the UK Government is currently passing a new Data Protection Bill through the House of Lords which, when passed as an Act will enshrine the GDPR into standalone UK law.
Now, I actually think that taking care of people’s data is fundamentally a good thing to do, but in case you think that non-compliance is a risk worth taking, data controllers and data processors can be jointly held responsible for data breaches and incur fines. To keep your interest, the fines for contravention of the regulations are tiered. The top tier offences carry a fine of 20m Euros or 4% of the previous year’s annual turnover!
To get back onto the subject of Cookies, it’s not only the GDPR that regulates their use, in fact the Privacy and Electronic Communications Regulations (PECR) 2003 are instrumental in setting the parameters. The big (if not new) news is that these regulations too are about to be overhauled by the EU with the intention not only aligning with the GDPR, but also implementation on the same date! Importantly, within the draft new regulations, there is an acceptance that users are overloaded with Cookie Banners and often accept cookies without looking at the privacy statements on offer. The intention is then to facilitate greater controls through browser settings with a default setting not to accept cookies therefore making the storing of information on the terminal equipment by third parties prohibited. I’m sure that will have implications for websites that rely heavily on 3rd party marketing and analytical cookies!
The point is that our personal information is being collected for a variety of purpose and many of us sleepwalk into allowing it to happen, mostly through our own impatience to get to what we want to buy/ browse! As data subjects, we need to be more aware of what we are allowing to be collected and those who place cookies on our machines, please clear up after you.