Have you wondered how search items on your browser history are presented to you, even after a few days, in the form of advertisements or sponsored content? The answer to this is “cookies”, or tiny text files that are downloaded on your device when it’s connected to the internet.
Globally, data privacy, data protection and cyber laws are picking up steam and forming a critical part of organizations’ day-to-day operations. From an individual standpoint, it is imperative that people know that personal data, like IP addresses and other sets of information collected by cookies, is not a corporate asset, but an asset owned by the individual.
With Data Privacy Day being observed on 28 January 2019, it seems to be an apt time to understand the implications of the cookie – consent conundrum.
When “cookies” take centre stage
Cookies enable websites to identify a user’s device and store some information about their preferences or historical actions. While not all cookies can be used to identify users, most of them can, and these may be within the purview of various international data privacy laws or regulations. This includes cookies for analytics, advertising and other services such as feedback surveys as well as chat bots.
Cookies are generally divided into two categories: primary and secondary.
- Primary cookies are crucial and essential for providing information requested by the user
- Secondary cookies can be considered non-crucial and are used for various analytics purposes, including by advertisers or third parties. These can recognize users when they come back to a specific website.
Typically, cookies are released and subsequently tracked after a user lands on a website. This could be a potential concern for organizations as it would fall under the ambit of most global privacy laws, particularly the General Data Protection Regulation (GDPR). Almost all global data privacy laws target the secondary type of cookies.
Catching up with the consent debate
Organizations need to take responsibility and be accountable to make consent information (for processing and storing personal data) freely available. The consent notice should cover all possible facets – collection, processing, transfer, retention and discarding the data. Users should be unequivocally apprised of the organization’s plan to use their personal data when seeking permission to send them future communication. Website access as well as services offered cannot be restricted if users do not give consent.
Compliance with cookie – consent notices
Data privacy concerns need to be addressed at a macro level and organizations could explore implementing holistic data and information governance programs. These are processes, defined by policies and enabled by technologies, that can empower organizations to make agile and intelligent business decisions. Organizations can also reap the benefits by enhancing the value of information assets and, at the same time, deterring related risks and costs. A well-articulated and robust information governance program can boost data privacy measures by identifying “C-ROT”, which implies information that is “Critical – Redundant, Outdated or Trivial”. Finding and treating such data sets can be critical for data management, allowing data owners to get rid of the obviously “bad” data and improving security.
From an individual perspective, spend those extra 10 seconds to check and update the website’s cookie settings to minimize data privacy risks.