European Union and the GDPR’s Cookie Conundrum
Two years on, the EU is attempting to revamp the cookie consent policies it introduced as part of the General Data Protection Regulation, in order to prevent circumvention
Cookies have always been a crusty subject for the European Union.
Two years ago, on May 25, 2018, the General Data Protection Regulation came into effect across the European Union, flooding the mailboxes of millions of users with emails from websites they had interacted with, informing them of recent changes to “privacy policies” and asking for the consent now required to keep them on the websites’ mailing lists.
The European Union unequivocally states that data protection is a fundamental right and treats it as such. Accordingly, the Treaty on the Functioning of the European Union (TFEU) provides that “everyone has the right to the protection of personal data concerning him or her.”
The guiding principle behind the European Union’s GDPR is to consolidate the right of an individual to protect their personal data. The GDPR gives individuals more control over how their data is collected and utilised, and compels companies to justify everything they use the data for. A violation of the regulation could potentially cost a company a fine of up to 10 million euros or 2% of its entire global turnover, whichever is higher.
While the territorial scope of the legislation covers firms or establishments processing data in the European Union, the regulation also has an extra-territorial reach. Even if a company is not based or established in the EU, the GDPR can still apply to it if it has a market in the member states of the Union or monitors the behaviour of people there. Hence, even a firm based outside Europe is compelled to take the personal data of Europeans seriously.
The General Data Protection Regulation of 2018 made Europe the epicentre of the quake that brought data and privacy reforms, and made multi-billion dollar companies across the world take a second look at how they handle users’ private data, including how it is used.
But as history has testified, if there’s a million-to-one chance to breach your privacy, then there are a million working on it already, and one isn’t too far from succeeding.
The Cookie Conundrum and EU’s Response
If you’ve ever wondered how on earth you started receiving ads for items in your Amazon shopping cart next to your news feed on Facebook, chances are you’ve unwittingly offered your cookies too (the only kind you’d want to share).
‘Cookies’ or ‘magic cookies’ are small packets of data that your system receives and sends back without alteration. Cookies give businesses important insight into users’ online activity by collecting information about the pages they visit, the hyperlinks they click on and the languages they prefer. Some cookies, referred to as ‘marketing cookies’, track your online activity to help advertisers deliver more relevant advertising about the products and services you’re interested in, and are responsible for your Amazon searches making it to your Facebook timeline.
Most cookies, such as statistics cookies, are harmless and are used for data analytics by storing aggregated data, which further aids the decision-making processes of a firm. However, some cookies can be used to identify a user, which, according to the EU, can be used “to create profiles of the natural persons and identify them.”
Under the GDPR and the ePrivacy Directive that govern cookies, a website must receive users’ consent before using any cookies, and must provide accurate and specific information, in layman’s terms, about the purpose for which that consent is obtained. However, a series of unruly practices to circumvent the cookie laws emerged shortly after the implementation of the EU’s regulations, practices that may very well identify and track any user. One of the more frequently encountered is the infamous ‘cookie wall’.
‘Cookie walls’ on websites make so much as scrolling and browsing the content displayed on their pages contingent on a user’s consent to be tracked. This effectively renders the EU’s cookie consent policy redundant by taking away the user’s free will in choosing whether or not they consent to be tracked, which according to the Union does not constitute valid consent. To patch this special modus operandi of exploitation, the Union had to publish updated guidelines, which came to be adopted on May 4.
Clearly, the world continues to struggle to understand the subtlety of consent.