Consent to using cookies is “baked” in the GDPR

Recently, you may have noticed when you log onto a company’s website or an Application (App) like Google or Twitter, there are alerts that their terms and conditions have been revised, or their privacy policy has been updated. You might also be inundated with requests for your consent to the use of cookies when visiting their site (refer to the examples below).

Example 1: “Cookies on JohnLewis.com”

Source: www.johnlewis.com accessed 3 May 2018

These types of notices are likely due to the General Data Protection Regulation (GDPR), which was passed by the European Union in 2016 and comes into effect on May 25, 2018.

Example 2: www.Barbour.com/uk request for consent to the use of cookies on its website

Source: https://www.barbour.com/uk accessed 3 May 2018

The GDPR is a new digital privacy regulation which standardizes different privacy legislation across the EU. It is a legally binding regulation. Ignoring it could lead to fines of 4% of a company’s global turnover, or fines up to £17.6 million (20 million Euros), whichever is higher.

Explicit and informed consent is now required if a company wants to collect any personal data about a European citizen. This is not just having individuals check a consent box on the company’s website. A company will have to inform individuals exactly where their data is going. As well, individuals always have the right to say “NO” to their data being collected, that is, a company can’t stop an individual from using its website just because the individual does not consent to the company’s collection of his or her personal data. In the past, individuals would likely agree to a trade-off, that is, you can collect my data if I can use your site or use your app. That has now changed.

The GDPR provides individuals with the right to access their own data that the company has collected and individuals also have the ability to request that their data be deleted. Companies will be limited in the amount of personal data they can collect to that which is actually needed for specified and legitimate purposes.

Example 3: www.Cadbury.co.uk’s “Accept the use of cookies”

Source: https://www.cadbury.co.uk accessed 3 May 2018

Interestingly, even if a company is based in Australia, for example, the rules of the GDPR apply to them if a European citizen visits the company’s website or uses the company’s apps. So companies will need to be compliant with the GDPR even if they are based outside of Europe.

There is also special protection for children’s personal data. Companies who offer online services to children may need to obtain a parent’s or guardian’s consent in order to collect the child’s data, unless the child is 16 or over (although this may be lowered to 13 years old in the U.K.).

GDPR Basics for Marketers:

  • Ask for consent every time you collect data from someone, including tracking cookies – if you do not get consent you cannot track or collect it. Develop a way to track consent.
  • If people supply personal data on your website, then you need to make sure you have a way to provide this data back to people if they ask for it.
  • You will need a way to delete data, if requested to do so.
  • You may need to put systems in place that can verify individuals’ ages and a method to obtain parental or guardian consent, if required.

*For more information on the GDPR, please see the Information Commissioner’s Office website at: https://ico.org.uk/

*Be sure to obtain legal advice. This content is meant only for educational purposes.

Fatimah Moran, Senior Lecturer at Staffordshire Business School
