Whether for research or for fun, we all use websites. Websites generally track their users for analytics and marketing, and the personal data they collect can also be sold on. Cookies are the usual mechanism for tracking user behaviour. Because this is personal data processing, a website must give its users a genuine choice about it. This article looks at why cookie consent must be designed in a particular way and why that design matters.
Under the General Data Protection Regulation ("GDPR"), if a website processes any of a user's personal data, the user must give explicit consent. The GDPR also lays down conditions on the form that consent must take.
Recital 30 of the GDPR treats cookie identifiers as online identifiers: data that can be combined with other information to identify a natural person and that the data controller then processes. Hence, as GDPR Art. 7 requires, consent to cookies must be freely given and must be withdrawable by the user at any time.
The GDPR also states (Recital 32) that "consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data", and that silence, pre-ticked boxes or inactivity do not constitute consent. This rules out implied consent to cookies, for example treating the user as having agreed unless they tick a box asking the site not to process their data.
Opt-out cookies are a typical example of implied consent. With opt-out cookies, the user usually has to tick a box to stop their personal data being processed, or is redirected to other pages if they do not accept the policy. With the GDPR, the EU pushes data controllers toward opt-in cookies, and away from designs that make choosing individual cookies so burdensome that the user is in effect steered into allowing every cookie on the site.
In one of the decisions given by the Turkish Data Protection Authority, it is stated that "In express consent declarations, opt-out, that is, a system in which the individual consents to the processing of their personal data by conscious action, should be used, not a system in which it is accepted that they automatically consent to the processing of personal data without the prior consent of the individual, and that allows individuals to remove this consent."
A design that lets the user choose between allowing and refusing, with no nudging toward the "allow" button, is considered GDPR-compliant. That may sound easy to achieve, yet a recent study by Zendata found that 67% of the US websites it examined do not comply with GDPR.
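The opt-in design described above (no cookie before an affirmative act, no pre-ticked boxes, withdrawal as easy as consent), as an added example that is not part of the original article. It models the page's cookie jar as a Map so it runs under Node without a DOM; the three cookie categories, the rule that only "essential" cookies need no consent, and the sample cookie names are my assumptions, not anything the article specifies.

```javascript
// Added example, not from the original article: a minimal opt-in consent
// gate for a web page, modelled without a DOM so it runs under Node.
// Assumptions (mine): cookies fall into the categories below, "essential"
// needs no consent, every other category needs an explicit opt-in.

const CATEGORIES = ["essential", "analytics", "marketing"];

class ConsentGate {
  constructor() {
    // No record at all until the user performs an affirmative act; the
    // absence of a decision is treated as "not consented", never as consent.
    this.decision = null;   // { granted: Set<string>, at: number } | null
    this.jar = new Map();   // cookie name -> { value, category }
    this.denied = [];       // cookie writes refused because consent was absent
  }

  // Called only from an explicit user action (a button click on the banner).
  // The banner's checkboxes start unticked, so `granted` contains only the
  // categories the user actively ticked; "continue browsing" never reaches here.
  record(granted) {
    const unknown = granted.filter((c) => !CATEGORIES.includes(c));
    if (unknown.length) throw new Error(`unknown category: ${unknown.join(",")}`);
    this.decision = { granted: new Set(granted), at: Date.now() };
    return this.decision;
  }

  // Withdrawal is one call, and non-essential cookies already set are removed
  // rather than left in place until they expire.
  withdraw() {
    this.decision = { granted: new Set(), at: Date.now() };
    for (const [name, c] of this.jar) {
      if (c.category !== "essential") this.jar.delete(name);
    }
  }

  isAllowed(category) {
    if (category === "essential") return true;
    return this.decision !== null && this.decision.granted.has(category);
  }

  // Every cookie write passes through here, so no script can set a tracking
  // cookie on first page load before the user has opted in.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) {
      this.denied.push({ name, category });
      return false;
    }
    this.jar.set(name, { value, category });
    return true;
  }
}

// Walkthrough on constructed input: first page load, then an explicit choice
// (analytics ticked, marketing left unticked), then withdrawal.
function demo() {
  const gate = new ConsentGate();
  const firstLoad = {
    session: gate.setCookie("sid", "abc", "essential"),     // allowed
    analytics: gate.setCookie("_ga", "GA1.1", "analytics"),  // refused: no consent yet
  };
  gate.record(["analytics"]);
  const afterChoice = {
    analytics: gate.setCookie("_ga", "GA1.1", "analytics"),  // allowed now
    marketing: gate.setCookie("_fbp", "fb.1", "marketing"),  // refused: never ticked
  };
  gate.withdraw();
  const afterWithdraw = {
    analyticsAllowed: gate.isAllowed("analytics"),
    cookiesLeft: [...gate.jar.keys()],                        // only "sid" survives
  };
  return { firstLoad, afterChoice, afterWithdraw, deniedCount: gate.denied.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of routing every write through `setCookie` is that compliance no longer depends on each third-party snippet behaving: the default state refuses, consent is recorded only from an explicit action, and withdrawal both blocks future writes and clears what was already set.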
The study examined the top 1,000 U.S. websites listed in Crunchbase and found that 67% of them do not comply with GDPR. Of these sites, 43.22% provide no opt-out mechanism at all, and 54.94% show no cookie notice on the first load of the page.
At the end of the day, failing to comply with EU regulations and the GDPR can result in administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (GDPR Art. 83). While the fines can be intimidating, gathering consent that is explicit, freely given, unambiguous and clear is straightforward with the right implementation and cookie policy.