
Dealing with the GDPR Part 3 - Website, Privacy Policy, Cookies & Consent Management

Updated: May 24, 2023

Today, I'd like to talk to you about the following topics:

  • Your website as a professional online presence

  • Your privacy policy and why it is important for internet users

  • Your cookies and when you need the consent of the visitor

  • Your consent management and why it is so important for your business

Your Website As a Professional Online Presence


If you google that heading, you will find information about "How to hire professionals for building your website", "Why your online presence matters", "How to brand yourself or how to create content", or "How to improve your website strategically".

Furthermore, you can find a lot of online generators for building up your privacy policy, if you google "website and privacy policy".

But Why Is It Necessary to Have a Privacy Policy on Your Website?

If you are the owner of an internet domain, your site will normally consist of several web pages. Nowadays, it is typical that your website, or the cookies you use on it, collect sensitive personal data.

That also means that you need a legal basis for collecting information and that you are subject to different data protection laws.


Do you think that your website isn't collecting data? Did you just use a website builder? Perhaps you are only creating web content, or you didn't add advanced functionality?

In all of these cases it is your responsibility to comply with the specific data protection regulations. If you fail, there is a high risk of being penalized. And it won't help you to ignore the facts. You’re still responsible and accountable.

So, keep in mind that it is normal that a website collects data.

Examples For Data Collection

  • Data hosting by an external company

  • The use of plugins

  • Social media buttons on your website

  • Analytics tools

Furthermore, it is very important to understand that you need to consider the location of your customers.

In reality, it is not the location of the business but the location of the customers that matters. So always keep in mind that data protection regulations often have a territorial scope.

High Fines

Your business is based in the US, and you trade your goods both in the US and with customers in Europe? For customers who live in Europe, you MUST observe the requirements of the GDPR (Territorial scope principle - GDPR Art. 3 No. 2).

If you don't do this, it can lead to high fines - "... up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher." (Art. 83, No 6 GDPR)

When the regulation first came into force, companies were fined at a very slow pace. Enforcement has since become stricter.

But let's first take a look at the privacy policy requirements.

Data Protection Laws


In general, we can say that a website’s privacy policy outlines how you process your visitors’ personal information. "Process" means, for example, to collect, use, share, store, or delete. Data protection laws like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) require a privacy policy because your website collects information, and because of that it is your duty to inform the user about different aspects of this processing.

The same applies if you collect personal data through your app. And even if you are not affected by such laws, a privacy policy is a good way to build trust with your users.

Recent data privacy statistics point out that the demand from internet users for transparency from companies is higher than ever.

Examples For the Need Of a Privacy Policy

As the GDPR is very complex, I'd like to give you some examples of when you are affected by the GDPR:

Online Store

Are you an online store in Europe? Or are you selling online and ship goods from the US to Europe? Do you have a member login in your online store where you process data from people who live in Europe?

App or Website Platform

Are you the owner of an app or website platform which is processing data from people who are located in Europe? Does your app process certain information from people who are affected by European law?

Real Estate

Are you a real estate company in the US? Do you process data from people who are Europeans or are located in Europe? Do you target the European market with your marketing activities?

In all of these situations, you can be affected by the GDPR.

And if you are dealing with people from California or if you are located in California, then the same applies regarding the CCPA.

All in all, we can say that there are certain circumstances under which you are affected by the GDPR. If they apply, you need to create a privacy policy.

Your Privacy Policy and Why It Is Important For Internet Users


As I mentioned above, you can be affected by the GDPR or CCPA through different scenarios. The privacy policy helps you keep your web page compliant. Furthermore, it is a good way for you to give your customers additional information about your data processing practices. That information will also help you to be recognized as a trustworthy and transparent organization.

What Is the Content Of a Privacy Policy?

  • Which information is collected from users or from other sources?

  • How do you process data?

  • How and why do you gather that data?

  • Lawful bases of data processing

  • How do you use it?

  • Do you share data with third parties?

  • Are you using cookies or plugins? How do you handle social logins?

  • How long do you store the data of your visitors?

  • Is the data secured through specific security measures?

  • Do you collect data from minors?

  • What are the rights of the user?

  • Is your data transferred internationally?

Cookies and other similar forms of data tracking are considered personal data and should also be outlined in your policy. Let me give you some further examples.

Information That You Collect From Users

Names, phone numbers, email addresses, mailing addresses, job titles, usernames, passwords, contact preferences, contact or authentication data, billing addresses, debit/credit card numbers, financial data, information revealing race or ethnic origin, information revealing religious or philosophical beliefs, information revealing trade union membership, student data...

How and When Do You Gather That Data?

There are different situations and occasions in which you are processing information from your visitors. Below are some examples:

  • To deliver and facilitate delivery of services to the user

  • To respond to user inquiries / offer support to users

  • To send administrative information to users

  • To fulfill and manage orders

  • To deliver targeted advertising to customers

  • To protect services

  • To determine the effectiveness of marketing and promotional campaigns

  • To request feedback

  • To send marketing and promotional communications

Lawful Bases of Data Processing (Art. 6 GDPR)

  • Consent. Consent means that the users of your website have given you permission to use their personal information for a specific purpose. Consent can be withdrawn at any time.

  • Performance of a Contract. You are allowed to process personal information if you believe that it is necessary to fulfill contractual obligations to your customer. At this point, it is very important to check what you are allowed to do based on the contract and what data is processed by your website.

  • Legitimate Interests. Data processing can also be based on legitimate interests. In this case, it is necessary to make a comparison between your legitimate business interests and the interests of your site visitors (e.g., fundamental rights and freedoms).

In addition, data can be processed based on legal obligations and vital interests. As those aspects are not so common, I will skip this for now. You can find this specific information in Art. 6 (1c/1d/1e).

Information About the Data Collected

Explaining the usage of the collected data helps the users to understand why you want to have their consent and to understand what you do with the data collected. Furthermore, it shows that you’re a trustworthy person and that you take data protection seriously.

Third Parties

There is a whole bunch of situations in day-to-day business when you share information with third parties. For example:

Data can be shared or transferred in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of the business to another company.

Furthermore, data can be shared through third party cookies or plugins. If you use third party cookies or social media buttons, you should always be aware which data is processed by that cookie / plugin and you should inform your customers about these specific cookies / plugins in your privacy policy or cookie policy.

User Rights

In this section, you should inform the user about their informational rights. Informational rights may vary from user to user. Users in the EU, UK, Canada, and California may have specific rights. It is your obligation to inform your website visitors about their specific rights.

Why Is This Important For Internet Users?

If internet users use the services of your web pages frequently, then you are successful in business. Your customers may use your services to search specific articles, to purchase those articles and they provide personal information to your website and trust you. If users trust you, then it is your responsibility to use specific security measures.

If you don't do this, there is a high chance of a security breach.

And in addition, you will definitely lose trust. Perhaps the users will stop using your services or will try to penalize you.

Due to that, it is not the best idea to use or copy any privacy policy from other websites. You can use customizable templates, or you can use a generator. You can find generators for privacy policies easily by using google.

Always make sure that you focus on the specific purposes of your company and link to the privacy policy from any website. This helps the visitors to access your privacy policy easily.

Among other things, it is important for your visitors to find the desired information in a clear structure and in plain language. If you want to give specific information, you can use bullet points or headings to highlight it. Also keep in mind that people use mobile devices to visit your website and that your privacy policy must work on every device.

For example, if you use a large PDF file on your website, it might be a better idea to use a small file on your mobile website, as people might visit your website on their mobile phone. And it is even better to provide information on a mobile website in a form other than a PDF file.

Your Cookies and What Is Necessary to Collect Information Through Cookies


OK, to make that clear: we are not talking about something to eat, and we are not baking cookies! 😉

Cookies are small files that are used to store specific information. Most websites and servers use cookies.

They contain a so-called cookie ID, which is a unique identifier. It consists of a character string that allows internet pages and servers to be matched to the specific internet browser in which the cookie was stored.

This allows visited internet sites and servers to differentiate the individual browser of the data subject from other internet browsers that contain other cookies. A specific internet browser can be recognized and identified using the unique cookie ID.

Cookies can provide the users of this website with more user-friendly services. Furthermore, the information and offers on websites can be optimized. Cookies are also used for consent management by storing and recognizing website users. Advantages of cookies are for example:

  • Visitors that use cookies do not have to enter access data each time

  • A cookie in an online shop can serve as a shopping cart, remembering the articles that a customer has placed in the virtual shopping cart

And finally, cookies can be deleted by the users.

So in a nutshell, we can say that cookies can be useful as they support the customers’ needs and help them to use the website in the best possible way. But it must also be stated that cookies store a lot of additional information which can be analyzed and used to address users in a specific way when they visit the website the next time.

Is It Allowed to Use Cookies on Websites?

First of all, we can say that it is very common to use cookies on websites. But we must always keep in mind that cookies process data, and because of that we have to comply with applicable law.

Please don't look up how many websites are acting in wrong ways or just illegally. Always take care of your own responsibilities! Otherwise, you can be subject to extremely high fines. Therefore, keep in mind that the information collected must be lawful.

You can find a lot of information about lawful data processing in the following blog articles:

OK, let's go back to the question "Is it allowed to use cookies on websites?"

To use cookies in a lawful way, we need a legal basis. The legal basis is always found in Article 6 of the GDPR. There are two different options that we can use for the legal data processing:

  1. Art. 6 (1a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  2. Art. 6 (1f) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

So, there are only these two legal bases for cookies: the consent of the data subject, or processing that is necessary for a legitimate interest.

According to this,

  • a cookie banner must provide information about all processes that require consent and the possibility of revocation, which must then also be technically implemented;

  • the requested consent must not be anticipated, for example by pre-filled checkboxes;

  • the primary feature of how a cookie banner works must be that all data processing operations that require consent only become active after positive confirmation of the cookie banner;

  • the banner must be displayed until an interaction occurs, but must not cover any essential functions of the website, in particular the links to the imprint or privacy policy.

Additional Information About Cookies

In detail, the EDPB addresses popular methods of obtaining consent from website visitors:

Cookie Walls

A “cookie wall” is a pop-up that prevents the user from entering or interacting with the site at all. Access is only possible if the user accepts the cookies. In the opinion of the EDPB, this is inadmissible, since "consent" given in this way is not voluntary. The user is given no real choice at all.

Implied Consent

The EDPB also found implied consent to be inadmissible. For example, some website operators construct user consent from interaction with the website, e.g. clicking or scrolling. Such actions are neither "clearly affirmative" nor "unmistakable" - both criteria that Recital 32 requires for effective consent. Apart from that, there is practically no possibility of revoking the consent given. According to Art. 7 GDPR, this must be "as simple as giving consent".

Dark Patterns

"Dark Patterns" are designs that are intended to entice the user to take certain actions that deviate from their actual intention. In connection with cookie banners, dark patterns aim to persuade the user to consent to data processing. For example, website operators use dark patterns in such a way that rejecting cookies becomes as unattractive as possible. A common example from practice offers the user two buttons: accept cookies, or edit the cookie settings manually. The average user will simply click away the cookie banner by accepting it. However, they did not give their consent voluntarily and in an informed manner.

Judgement of the ECJ


The judgment only refers to cookies that require consent under Art. 6 (1a) GDPR. This means that all services that are justified solely by legitimate interest are excluded.

For better understanding:

Technically Necessary Cookies & Performance Cookies

"Technically necessary" refers to cookies that are necessary to be able to offer a service at all. This would be the shopping cart cookie for online shopping, for example. It remembers which products you have placed in the shopping cart. Your website will not work without such services, which is why technically necessary cookies can never be rejected.

Legitimate interest includes services that, while not technically necessary, are still processed with the legal basis of legitimate interest. This applies to cookies that are necessary for performance / security or that offer the user an advantage, for example the integration of Google Maps or YouTube videos in a safe mode.

You need consent for services that track activities on your website - for example Google Analytics or the Facebook Pixel. Of course, your website would also work without these services.

Technically necessary cookies, as well as cookies for performance / security or specific user benefits, therefore fall under the legal basis of legitimate interest and, because of that, do not require consent.

However, relying on legitimate interest should always be assessed very critically, because the user's point of view has to be weighed as well. There is also a documentation and storage obligation.

Cookies For Tracking / Marketing / Statistics

Cookies for tracking, marketing or statistics always require consent in accordance with Art. 6 (1a) GDPR. In this context, it should be noted that consent must be given voluntarily and in an informed form and manner, otherwise the consent is not effective. Because of that, the supervisory authority has declared many cookie banners to be illegal.

First Party Cookies & Third-Party Cookies

Cookies have different functions and can be used for the privacy and anonymity of web users.

Cookies that belong to the same domain name as the one shown in the address bar are first party cookies.

Cookies that belong to a different domain than the one shown in the address bar are third party cookies.

Typical examples of third party cookies are advertisements from different websites or external analytics tools.

If cookies are not technically necessary, you need the consent of the visitor and due to that, you need a cookie consent management tool.

You also need the consent of the user, if you use flags, fingerprints, plugins, unique identifiers, or different digital files to store information about your customer instead of cookies.

Your Consent Management and Why It Is So Important For Your Business


If you use cookies on your website or if you process data of your visitors through specific tools on your site, then you will need to implement a consent management tool.

What Does a Consent Management Tool Do?

OK, let's imagine the following situation. A user visits your website, and your cookie banner shows up. The user gives his consent to all forms of cookies.

As the GDPR states that you as the controller of the website are responsible and accountable for all data processing activities, you need to store this information. Furthermore, you have a documentation and storage obligation.

So, if the visitor themselves or the supervisory authority asks you to demonstrate that you have lawfully tracked the visitor during their visit to your website, you must be able to produce this consent information.

Which tool you use for consent management depends on different aspects and maybe I will write about the best consent management tool in a future article.

In short, we can say that a consent management tool stores the consent information of every visitor to your website whenever they give you full or partial consent. The consent management tool will store this information for a specific duration.
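The banner rules listed earlier (consent-based processing only after a positive confirmation, no pre-filled checkboxes, technically implemented revocation), the cookie categories from the ECJ section and the consent record a consent management tool has to keep can be expressed as one small piece of logic. The following JavaScript is an added example, not code from the original post or from any consent management product; the category names, the 180-day retention period, the policy version and the script inventory are constructed assumptions, and wiring it to real banner buttons and `document.cookie` is left out.

```javascript
// Added example (not from the original post). Category names, retention period,
// policy version and the script inventory below are constructed assumptions.
const POLICY_VERSION = "2023-05";                  // re-ask when the cookie policy changes
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;  // assumed retention of a consent record

// Legal basis of each cookie category (Art. 6 GDPR, as described in the post).
const CATEGORIES = {
  necessary:   { requiresConsent: false }, // e.g. shopping-cart cookie: cannot be rejected
  performance: { requiresConsent: false }, // legitimate interest, Art. 6 (1f): document it
  marketing:   { requiresConsent: true },  // tracking / statistics: consent, Art. 6 (1a)
};

// Constructed inventory of script tags and the category each one belongs to.
const SCRIPTS = [
  { src: "/cart.js", category: "necessary" },
  { src: "https://maps.example/embed.js", category: "performance" },
  { src: "https://analytics.example/tag.js", category: "marketing" },
];

// Rule: no pre-filled checkboxes. Every consent-based category starts unticked.
function defaultChoices() {
  const choices = {};
  for (const [name, cfg] of Object.entries(CATEGORIES)) choices[name] = !cfg.requiresConsent;
  return choices;
}

// The banner must be shown until a valid, current decision is on record.
function needsBanner(store, now = Date.now()) {
  const rec = store.record;
  return !rec || rec.expiresAt <= now || rec.version !== POLICY_VERSION;
}

// Store the decision with its time and expiry so it can be produced later on request
// (documentation and storage obligation). Categories needing no consent are always on.
function recordConsent(store, choices, now = Date.now()) {
  const granted = {};
  for (const [name, cfg] of Object.entries(CATEGORIES)) {
    granted[name] = cfg.requiresConsent ? choices[name] === true : true;
  }
  store.record = { granted, givenAt: now, expiresAt: now + CONSENT_TTL_MS, version: POLICY_VERSION };
  return store.record;
}

// Withdrawal must be as simple as giving consent: one call resets every consent-based
// category to "not granted" and keeps a dated record of the withdrawal.
function withdrawConsent(store, now = Date.now()) {
  return recordConsent(store, defaultChoices(), now);
}

// Gate: consent-based processing is active only after a positive, unexpired confirmation.
function mayActivate(store, category, now = Date.now()) {
  const cfg = CATEGORIES[category];
  if (!cfg) throw new Error(`unknown cookie category: ${category}`);
  if (!cfg.requiresConsent) return true;
  const rec = store.record;
  return !!rec && rec.expiresAt > now && rec.version === POLICY_VERSION &&
    rec.granted[category] === true;
}

// Script tags the page may load right now; the marketing tag only appears after an opt-in.
function scriptsToLoad(store, now = Date.now()) {
  return SCRIPTS.filter((s) => mayActivate(store, s.category, now)).map((s) => s.src);
}
```

Before any decision, `scriptsToLoad({})` yields only the necessary and performance scripts; after `recordConsent(store, { marketing: true })` the analytics tag is included, and `withdrawConsent(store)` removes it again.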

Let's Summarize

As the owner of a website, you are responsible and accountable for any data processing on your website. Therefore, you should take care of the following points:

  • Where and to whom do you offer your services?

  • What data do you process?

  • Which security measures do you use to ensure the security of processing?

  • Do you have a privacy policy?

  • Does the privacy policy meet the requirements of your business?

  • Which cookies do you use on your website? Which data is processed through cookies or other digital identifiers?

  • Do you use a consent management tool?

If you have any questions, feel free to contact me.

