Updated: May 24
Today, I'd like to talk to you about the following topics:
Your website as a professional online presence
Your cookies and when you need the consent of the visitor
Your consent management and why it is so important for your business
Your Website As a Professional Online Presence
If you google that heading, you will find information about "How to hire professionals for building your website", "Why your online presence matters", "How to brand yourself or how to create content", or "How to improve your website strategically".
If you are the owner of an internet domain, then your site will normally consist of different web pages. Nowadays, it is typical that your website or the cookies that you use on your own website collect sensitive personal data.
That also means that you need a legal basis to collect information and that you are affected by different data protection laws.
Do you think that your website isn't collecting data? Did you just use a website builder? Perhaps you are only creating web content, or you didn't add advanced functionality?
In all of these cases it is your responsibility to comply with the specific data protection regulations. If you fail, there is a high risk of being penalized. And it won't help you to ignore the facts. You’re still responsible and accountable.
So, keep in mind that it is normal that a website collects data.
Examples For Data Collection
Data hosting by an external company
The use of plugins
Social media buttons on your website
Furthermore, it is very important to understand that you need to consider the location of your customers.
In reality, it is not the location of the business but rather the location of the customers that matters. So, always keep in mind that data protection regulations often have a territorial scope.
Your business is based in the US, and you trade your goods both in the US and with customers in Europe? For customers who live in Europe, you MUST observe the requirements of the GDPR (Territorial scope principle - GDPR Art. 3 No. 2).
If you don't do this, it can lead to high fines - "... up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher." (Art. 83, No 6 GDPR)
When the regulation first took effect, companies were fined at a very slow pace. Since then, enforcement has become stricter.
Data Protection Laws
The same applies to you if you collect personal data through your app. But even if you are not affected by such laws, complying with them is a good way to build trust with your users.
Recent data privacy statistics point out that the demand from internet users for transparency from companies is higher than ever.
As the GDPR is very complex, I'd like to give you some examples of when you are affected by the GDPR:
Are you an online store in Europe? Or are you selling online and ship goods from the US to Europe? Do you have a member login in your online store where you process data from people who live in Europe?
App or Website Platform
Are you the owner of an app or website platform which is processing data from people who are located in Europe? Does your app process certain information from people who are affected by European law?
Are you a real estate company in the US? Do you process data from people who are Europeans or are located in Europe? Do you target the European market with your marketing activities?
In all of these situations, you can be affected by the GDPR.
And if you are dealing with people from California or if you are located in California, then the same applies regarding the CCPA.
Which information is collected from users or from other sources?
How do you process data?
How and why do you gather that data?
Lawful bases of data processing
How do you use it?
Do you share data with third parties?
Are you using cookies or plugins? How do you handle social logins?
How long do you store the data of your visitors?
Is the data secured through specific security measures?
Do you collect data from minors?
What are the rights of the user?
Is your data transferred internationally?
Cookies and other similar forms of data tracking are considered personal data and should also be outlined in your policy. Let me give you some further examples.
Information That You Collect From Users
Names, phone numbers, email addresses, mailing addresses, job titles, usernames, passwords, contact preferences, contact or authentication data, billing addresses, debit/credit card numbers, financial data, information revealing race or ethnic origin, information revealing religious or philosophical beliefs, information revealing trade union membership, student data...
How and When Do You Gather That Data?
There are different situations and occasions in which you are processing information from your visitors. Below are some examples:
To deliver and facilitate delivery of services to the user
To respond to user inquiries / offer support to users
To send administrative information to users
To fulfill and manage orders
To deliver targeted advertising to customers
To protect services
To determine the effectiveness of marketing and promotional campaigns
To request feedback
To send marketing and promotional communications
Lawful Bases of Data Processing (Art. 6 GDPR)
Consent. Consent means that the users of your website have given you permission to use their personal information for a specific purpose. Consent can be withdrawn at any time.
Performance of a Contract. You are allowed to process personal information if you believe that it is necessary to fulfill contractual obligations to your customer. At this point, it is very important to check what you are allowed to do based on the contract and what data is processed by your website.
Legitimate Interests. Data processing can also be based on legitimate interests. In this case, it is necessary to make a comparison between your legitimate business interests and the interests of your site visitors (e.g., fundamental rights and freedoms).
In addition, data can be processed based on legal obligations and vital interests. As those aspects are not so common, I will skip this for now. You can find this specific information in Art. 6 (1c/1d/1e).
Information About the Data Collected
Explaining the usage of the collected data helps the users to understand why you want to have their consent and to understand what you do with the data collected. Furthermore, it shows that you’re a trustworthy person and that you take data protection seriously.
There is a whole bunch of situations in day-to-day business when you share information with third parties. For example:
Data can be shared or transferred in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of the business to another company.
In this section, you should inform the user about his informational rights. Informational rights may vary from user to user. Users in the EU, UK, Canada, and California may have specific rights. It is your obligation to inform your website visitors about their specific rights.
Why Is This Important For Internet Users?
If internet users use the services of your web pages frequently, then you are successful in business. Your customers may use your services to search for specific articles and to purchase those articles; in doing so they provide personal information to your website and trust you. If users trust you, then it is your responsibility to use specific security measures.
If you don't do this, there is a high chance of a security breach.
And in addition, you will definitely lose trust. Perhaps the users will stop using your services or will try to penalize you.
For example, if you use a large PDF file on your website, then it might be a better idea to use a small file on your mobile website, as people might visit your website using their mobile phone. And it is even better to provide information on a mobile website in other forms than a PDF file.
Your Cookies and What Is Necessary to Collect Information Through Cookies
OK, to make that clear: we are not talking about something to eat, and we are not baking cookies! 😉
Cookies contain a so-called cookie ID, which is a unique identifier. It consists of a character string through which internet pages and servers can be assigned to the specific internet browser in which the cookie was stored.
This allows visited internet sites and servers to differentiate the individual browser of the data subject from other internet browsers that contain other cookies. A specific internet browser can be recognized and identified using the unique cookie ID.
Cookies can provide the users of this website with more user-friendly services. Furthermore, the information and offers on websites can be optimized. Cookies are also used for consent management by storing and recognizing website users. Advantages of cookies are for example:
A cookie in an online shop can be used as a shopping cart to remember the articles that a customer has placed in the virtual shopping cart
And finally, cookies can be deleted by the users.
So in a nutshell, we can say that cookies can be useful as they support the customers' needs and help them to visit the website in the best possible way. But it must also be stated that cookies store a lot of additional information which can be analyzed and used to address users in a specific way when they visit the website the next time.
Please don't look up how many websites are acting in wrong ways or just illegally. Always take care of your own responsibilities! Otherwise, you can be subject to extremely high fines. Therefore, keep in mind that the information collected must be lawful.
You can find a lot of information about lawful data processing in the following blog articles:
Art. 6 (1a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Art. 6 (1f) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
So, for cookies only these two legal bases come into play: consent, or processing based on legitimate interest.
According to this,
a cookie banner must provide information about all processes that require consent and the possibility of revocation, which must then also be technically implemented;
the requested consent must not be anticipated, for example by pre-filled checkboxes;
the primary feature of how a cookie banner works must be that all data processing operations that require consent only become active after positive confirmation of the cookie banner;
Additional Information About Cookies
In detail, the EDPB addresses popular methods of obtaining consent from website visitors:
“Cookie walls”, a pop-up that prevents the user from entering or interacting with the site at all. Access is only possible if the user accepts the cookies. In the opinion of the EDPB, this is inadmissible, since "consent" given in this way is not voluntary. The user is given no real choice at all.
The EDPB also found implied consent to be inadmissible. For example, some website operators construct user consent by interacting with the website, e.g. by clicking or scrolling. Such actions are neither "clearly affirmative" nor "unmistakable" - both criteria that Recital 32 requires for effective consent. Apart from that, there is practically no possibility of revoking the consent given. According to Art. 7 GDPR, this must be "as simple as giving consent".
"Dark Patterns" are designs intended to entice the user to take certain actions that deviate from their actual intention. In connection with cookie banners, dark patterns aim to persuade the user to consent to data processing. For example, website operators use dark patterns in such a way that rejecting cookies becomes as unattractive as possible. Common examples from practice offer the user the option of either accepting cookies or editing the cookie settings manually via two buttons. The average user will simply click away the cookie banner by accepting it. However, they did not give their consent to this voluntarily and in an informed manner.
Judgement of the ECJ
ECJ, Az. C-673/17 (Planet49): https://gdprhub.eu/CJEU_-_C-673/17_-_Planet49 - https://curia.europa.eu/juris/document/document.jsf?docid=218462&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=14739047
The judgment only refers to cookies that require consent under letter (a) of Art. 6 (1) GDPR. This means that all services that are justified solely by legitimate interest are excluded.
For better understanding:
Technically Necessary Cookies & Performance Cookies
"Technically necessary" refers to cookies that are necessary to be able to offer a service at all. This would be the shopping cart cookie for online shopping, for example. It remembers which products you have placed in the shopping cart. Your website will not work without such services, which is why technically necessary cookies can never be rejected.
Legitimate interest includes services that, while not technically necessary, are still processed with the legal basis of legitimate interest. This applies to cookies that are necessary for performance / security or that offer the user an advantage, for example the integration of Google Maps or YouTube videos in a safe mode.
You need consent for services that track activities on your website - for example Google Analytics or the Facebook Pixel. Of course, your website would also work without these services.
Technically necessary cookies, as well as cookies for performance / security or specific user benefits, therefore fall under the legal basis of legitimate interest and, because of that, do not require consent.
However, this classification should always be examined very critically, because users will look at it critically too. There is also a documentation and storage obligation.
Cookies For Tracking / Marketing / Statistics
Always require consent in accordance with Art. 6 (1f) GDPR. In this context, it should be noted that consent must be given voluntarily and in an informed manner, otherwise the consent is not effective. Because of that, the supervisory authority has declared many cookie banners to be illegal.
First Party Cookies & Third-Party Cookies
Cookies have different functions and have direct implications for the privacy and anonymity of web users.
Cookies that belong to the same domain name as the one shown in the address bar are first-party cookies.
Cookies that belong to a different domain from the one shown in the address bar are third-party cookies.
Typical examples of third-party cookies are advertisements from other websites or external analytics tools.
If cookies are not technically necessary, you need the consent of the visitor and due to that, you need a cookie consent management tool.
You also need the consent of the user, if you use flags, fingerprints, plugins, unique identifiers, or different digital files to store information about your customer instead of cookies.
Your Consent Management and Why It Is So Important For Your Business
What Does a Consent Management Tool Do?
OK, let's imagine the following situation. A user visits your website, and your cookie banner shows up. The user gives his consent to all forms of cookies.
As the GDPR states that you as the controller of the website are responsible and accountable for all data processing activities, you need to store this information. Furthermore, you have a documentation and storage obligation.
So, if the visitor him- or herself or the supervisory authority asks you to demonstrate that you have legally tracked the visitor when visiting your website, you must be able to produce this consent information.
Which tool you use for consent management depends on different aspects and maybe I will write about the best consent management tool in a future article.
In short, we can say that a consent management tool stores the consent information of every visitor of your website whenever they give you full or partial consent. The consent management tool will store this information for a specific duration.
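As an added example (not code from the original article), the following JavaScript shows how the cookie-banner rules above and the consent management tool described in this section can be implemented together: nothing optional runs before an explicit choice, no choice is pre-filled, withdrawal is a single call, and the stored record carries a timestamp and policy version for the documentation obligation. The storage object, the three category names and the 180-day re-consent period are assumptions made for this example.

```javascript
// Added example (not the article's own code): a minimal consent gate applying the
// banner rules above. Storage is an injected getItem/setItem/removeItem object
// (window.localStorage in a page); category names and the 180-day TTL are assumed.
const CATEGORIES = ["necessary", "performance", "marketing"];
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // re-ask for consent after 180 days
class ConsentManager {
  constructor(storage, policyVersion, now = () => Date.now()) {
    this.storage = storage;
    this.policyVersion = policyVersion; // bump whenever the cookie policy changes
    this.now = now;                     // injectable clock so expiry is testable
  }
  // The stored record, or null when missing, expired, or made under an old policy.
  record() {
    const raw = this.storage.getItem("consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    if (rec.version !== this.policyVersion) return null;
    if (this.now() - rec.timestamp > CONSENT_TTL_MS) return null;
    return rec;
  }
  // No pre-filled choices: every optional category needs an explicit boolean.
  grant(choices) {
    const granted = { necessary: true }; // technically necessary cannot be rejected
    for (const c of CATEGORIES.filter(x => x !== "necessary")) {
      if (typeof choices[c] !== "boolean") throw new Error(`no explicit choice for ${c}`);
      granted[c] = choices[c];
    }
    const rec = { version: this.policyVersion, timestamp: this.now(), granted };
    this.storage.setItem("consent", JSON.stringify(rec)); // the documentation record
    return rec;
  }
  // Revocation must be as simple as consenting: one call resets every optional category.
  withdraw() { this.storage.removeItem("consent"); }
  // Default is "no": without a valid record only technically necessary processing runs.
  isAllowed(category) {
    if (category === "necessary") return true;
    const rec = this.record();
    return rec !== null && rec.granted[category] === true;
  }
  // Tagged scripts ({ src, category }) are loaded only after a positive choice.
  scriptsToLoad(tagged) {
    return tagged.filter(s => this.isAllowed(s.category)).map(s => s.src);
  }
}
function memoryStorage() { // in-memory stand-in for localStorage (runs outside a browser)
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v), removeItem: k => m.delete(k) };
}
```

In a real page the tagged script list would be the tracking tags (analytics, marketing pixels) that the banner gates, and the record returned by record() is what you hand over when a visitor or a supervisory authority asks for proof of consent.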
As the owner of a website, you are responsible and accountable for any data processing on your website. Therefore, you should take care of the following points:
Where and to whom do you offer your services?
What data do you process?
Which security measures do you use to ensure the security of processing?
Which cookies do you use on your website? Which data is processed through cookies or other digital identifiers?
Do you use a consent management tool?
If you have any questions, feel free to contact me.