GDPR, Cookies, Do Not Track, and a Clear Lack of Transparency
First a definition of Personal Data — Source Art.4(1)
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Now let’s step through an example by the numbers…starting with 0
It looks like the cookies are used by an analytics engine to measure the effectiveness and efficiency of the website. Hmmm I wonder what this means?
So, let’s follow the ‘crumbs’ from the cookie. Wow sure looks like a lot of information that they’re collecting. Of course, my first question is about the IP address… it’s anonymized — ok… so show me what that means? Did you take the actual IP address, anonymize it and then delete the actual, or do you keep a copy of both? How do I verify this?
From that they determine my geolocation — hmmm I don’t remember consenting to that information when I want to store a cookie about improving page efficiency. They then assign me a random unique visitor ID — hmmm again. How do they know it’s me? So, in effect the random ID is accurately determining at least where this computer is located. Which means they can track me.
Wait a minute — why do you need to store a cookie if I have Do Not Track turned on? You’re not tracking me, right? Well, let’s look at the actual cookie — it should be easy to read. Not so much. However, two things do jump out — A reference to Google and DoubleClick. The rest as they say, ‘is as clear as mud’.
If I send a Do Not Track signal it means do not track me in any way shape or form. If you are going to ask me to consent to cookies, then be very clear that your cookie statement aligns to what is IN the cookie ‘IN PLAIN ENGLISH’ (or the appropriate language).
GDPR is a contextual privacy regulation that requires the Web to recognize, respect and respond to each user’s personal context to enable meaningful consent. The operative words here are meaningful and consent. Just tell me the truth and you can earn my trust — hide the truth then you either lose my trust or never gain it.
For a Single Digital Market to thrive it needs trust — that comes from meaningful consent. Something to remember.
Here’s the $64-dollar question. If any of that information inside the cookie falls under the definition of Personal Data then ‘Houston, we have a problem’.
How could that happen?
For some organizations, the explicit inclusion of location data, online identifiers and genetic data within the definition of “personal data” may result in additional compliance obligations (e.g., for online advertising businesses, many types of cookies become personal data under the GDPR, because those cookies constitute “online identifiers”). Source
So, does it?