Cyber security and privacy “snacking on cookies”

Most companies are in a state of confusion about the new EU laws regarding the use of cookies.  Indeed, the UK government have had to issue three clarifications over the last week, assuring businesses that they will have time to comply.

The UK’s privacy watchdog, the ICO, has stated that it could give companies up to a year to comply. However, nothing has been set in stone. When I talk to my clients, very few are aware of the change, and even fewer have plans to act.

Essentially a “cookie” is a small piece of data (a named text value, not executable code) that a website stores on the computer of those accessing it and that the browser sends back on later visits. Storing a cookie locally allows the business to recognise the device and track the user’s behaviour across visits. This enables them to target marketing in some cases, and to keep information about individuals’ behaviour, with messages such as “you recently viewed site/product X… so might like site/product Y…”.

Of course, at present few website users are even aware of the existence of the cookies stored on their machine, and indeed those who switch them off in their browser settings often find this renders them unable to use online retail websites. Even fewer users are aware that this information on their habits is, in a lot of cases, sold or given to advertising and marketing companies.

The use of cookies without permission from users by companies operating in the EU will now be illegal. Internet companies such as Facebook and Google are particularly concerned over targeted advertising revenues, but this affects most online retailers (such as Amazon) and even suppliers such as online employee benefits providers and other similar web portals.

Ways to comply could include:

  • Pop-ups – displaying a message asking permission before any tracking data is collected
  • Tracking icons – displaying an icon recognised as indicating that the site uses this type of technology
  • Browser settings – the user can control which sites are allowed or disallowed from using cookies
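The difference between the “implied consent” that most sites rely on today and the “explicit consent” model the new law requires is easiest to see in code. The following is an added example (it is not code from the original post or from any vendor) of a server-side gate that only emits a Set-Cookie header for tracking cookies once the visitor has opted in, while still allowing strictly necessary cookies such as the session and the consent record itself. The cookie names, categories and the sample request header are constructed for illustration.

```javascript
// Consent-gated cookie setting (added example; names and categories are assumptions).
// Each cookie the site wants to set is classified. "necessary" cookies are needed for the
// site to work at all and may always be set; "analytics" and "marketing" cookies are
// tracking cookies and require an explicit opt-in recorded in the cookie_consent cookie.
const COOKIE_CATEGORIES = {
  session_id: "necessary",
  cookie_consent: "necessary",   // the consent record is itself a necessary cookie
  _analytics_uid: "analytics",
  ad_segment: "marketing",
};

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;                       // ignore malformed fragments
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Explicit-consent model: no consent record means NO consent, never implied consent.
function readConsent(cookies) {
  const consent = { analytics: false, marketing: false };
  const raw = cookies.cookie_consent;
  if (!raw) return consent;
  for (const category of raw.split(",")) {
    if (category in consent) consent[category] = true;
  }
  return consent;
}

// Build a Set-Cookie header value with defensive attributes (Secure, SameSite, optional HttpOnly).
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/"];
  if (opts.maxAge != null) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${opts.sameSite || "Lax"}`);
  return parts.join("; ");
}

// Given the cookies the application wants to set and the visitor's consent state,
// return the Set-Cookie headers that may be sent and the names that were refused.
// Unknown (unclassified) cookies are refused: a cookie nobody classified is a cookie
// nobody obtained consent for.
function gateCookies(wanted, consent) {
  const headers = [];
  const refused = [];
  for (const [name, value] of Object.entries(wanted)) {
    const category = COOKIE_CATEGORIES[name];
    if (category === "necessary" || (category !== undefined && consent[category])) {
      headers.push(serializeCookie(name, value, { httpOnly: category === "necessary", maxAge: 3600 }));
    } else {
      refused.push(name);
    }
  }
  return { headers, refused };
}

// Record an explicit opt-in made through the pop-up. Only known tracking categories are stored,
// so a tampered form cannot "consent" to categories the site never offered.
function recordConsent(categories) {
  const allowed = categories.filter((c) => c === "analytics" || c === "marketing");
  return serializeCookie("cookie_consent", allowed.join(","), { maxAge: 180 * 24 * 3600 });
}

// Constructed sample request: the visitor has a session and has opted in to analytics only.
const SAMPLE_REQUEST_COOKIE = "session_id=abc123; cookie_consent=analytics";

function demo() {
  const consent = readConsent(parseCookieHeader(SAMPLE_REQUEST_COOKIE));
  const wanted = { session_id: "abc123", _analytics_uid: "u-42", ad_segment: "seg-9" };
  const result = gateCookies(wanted, consent);
  console.log("allowed:", result.headers);
  console.log("refused (no consent):", result.refused);
  return result;
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The point of the design is the default: `readConsent` returns “no” for every tracking category until a record says otherwise, so the marketing cookie in the sample is refused while the session cookie is still set and the site keeps working.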

The laws apply to any company that does business through a website in the EU.  Penalties can vary across the EU, but in the UK can be up to £500,000 from the ICO.  This does not of course factor in reputational damage, erosion of customer confidence, adverse media attention and time spent to address any issues that arise.

Why play the waiting game and be caught out?

Some say the ICO’s guidance raises more questions than answers and are awaiting further clarification. Some are awaiting the implementation of the law and a “test case” to be trialled. Personally, I wouldn’t want that test case to be my organisation. Others are being more proactive and simply sticking to good ethical, moral and best-practice decisions: informing individuals what you will do with their data as early as possible and treating them with respect and decency. Ask yourself the age-old question – if this was my data, what would I want to know?

It is worth briefly noting the difference between notification and consent. Most data protection laws look at being “fair” in that persons are notified of what will happen, but in order for processing to be “lawful”, consent is only one of several grounds on which an organisation can process their data. As consent can be withdrawn, it is also the weakest of these grounds, meaning that organisations often rely instead on the individual signing up to their practices as a term of service. If they don’t like it, they go to another company, who will have exactly the same set-up. As a result, the individual never gets fair treatment or consideration of their data. In the realm of cookies, to move from “notification” or “implied consent” to an “explicit consent” model is a remarkable step change in the law.

Online privacy is now a huge issue.  Recent events, such as losses of customer data at Sony’s PlayStation Network, opened the doors to further targeted attacks across its network of global websites.  The Sony share price was damaged severely as a result.  People across the world are increasingly asking themselves the most important question of all – who do I trust with my information?

Surely giving them a choice in how their data is to be used goes a long way to establishing that trust, and ultimately to winning customer loyalty to your brand. This legislation is no threat – it is an opportunity.

Download our free White Paper Cyber Security: a Critical Business Risk, which sets out a Five-Step Cyber Security Strategy that every organisation should adopt.