Data Privacy Day – control “cookies” before you consent

Have you wondered how search items on your browser history are presented to you, even after a few days, in the form of advertisements or sponsored content? The answer to this is “cookies”, or tiny text files that are downloaded on your device when it’s connected to the internet.

Globally, data privacy, data protection and cyber laws are picking up steam, and forming a critical part of organizations’ day-to-day operations. From an individual standpoint, it is imperative that people know that personal data, like IP addresses and other sets of information collected by cookies, is not a corporate asset, but an asset owned by the individual.

With Data Privacy Day being observed on 28 January 2019, it seems to be an apt time to understand the implications of the cookie – consent conundrum.

When “cookies” take centre stage

Cookies enable websites to identify a user’s device and store some information about their preferences or historical actions. While not all cookies can be used to identify users, most of them can, and may fall within the purview of various international data privacy laws or regulations. This includes cookies for analytics, advertising and other services such as feedback surveys as well as chat bots.

Cookies are generally divided into two categories: primary and secondary.

  • Primary cookies are crucial and essential for providing information requested by the user.
  • Secondary cookies can be considered non-crucial and serve multiple purposes such as analytics, including for advertisers or third parties. These can recognize users when they come back to a specific website.

Typically, cookies are released and subsequently tracked after a user lands on a website. This could be a potential concern for organizations as it would fall under the ambit of most global privacy laws, particularly the General Data Protection Regulation (GDPR). Almost all global data privacy laws target the secondary type of cookies.

Catching up with the consent debate

Privacy should be protected – individuals need to be more aware and responsible while browsing the internet. The gospel should be to avoid taking short cuts and to read through the site’s cookie policy, privacy and consent notice. Not all websites tend to display a cookie policy with details of the nature and reason for collecting data. Hence, individuals should act responsibly and flag anything deemed unethical or dubious to the right authorities. Consent to access and use of personal data needs to be given with care. The reality is that it is not necessary to provide consent for all requests. Therefore, it’s imperative to be prudent, read the fine print and provide consent for perhaps only limited options.

Organizations need to take responsibility and be accountable to make consent information (for processing and storing personal data) freely available. The consent notice should cover all possible facets – collection, processing, transfer, retention and discarding the data. Users should be unequivocally apprised of the organization’s plan to use their personal data when seeking permission to send them future communication. Website access as well as services offered cannot be restricted if users do not give consent.

Compliance with cookie – consent notices

The rule of thumb is quite simple: cookies can be used to distinctively identify a specific user and should therefore be considered personal data. Global as well as Indian organizations should update their website’s cookie policy along with the consent form, whenever the purpose of usage changes. In addition, periodic risk assessments should be conducted to assess the process and maintain controls.

Data privacy concerns need to be addressed at a macro level and organizations could explore implementing holistic data and information governance programs. These are processes, defined by policies and enabled by technologies, that can empower organizations to make agile and intelligent business decisions. Organizations can also reap the benefits by enhancing the value of information assets and, at the same time, deterring related risks and costs. A well-articulated and robust information governance program can boost the data privacy measures by identifying “C-ROT”, which implies information that is “Critical – Redundant, Outdated or Trivial”. Finding and treating such data sets can be critical for data management, allowing data owners to get rid of the obviously “bad” data and improving security.

From an individual perspective, spend those extra 10 seconds to check and update the website’s cookie settings to minimize data privacy risks.