GDPR, PECD and Cookies – Who Is Right?
Possibly and unfortunately, technology tracking and profiling user information is not on a company’s highest of concerns in their struggle to comply with EU GDPR; however, this matter should not be underestimated by any company.
The discussion of cookies, pixel tags, web beacons and the likes fall under GDPR or PECD or both is ravaging and is worth putting some stakes on the ground.
Here is what I’ve learned on this matter summarized in four points, which may help to bring some clarity to the subject.
1) Regulations, Directives
EU GDPR is a “regulation” and PECD (also called “e-privacy directive” or “cookie law”) is a “directive”.
Regulations supersede directives with binding legal force throughout every EU Member State and enter into force on a set date in all the Member States. Directives, instead, lay down certain results that must be achieved but each Member State is free to decide how to transpose directives into national laws.
First and foremost the GDPR supersedes PECD as PECD does not provide any definition of consent while GDPR does it very precisely (consent must be unambiguous, a clear affirmative act, silence is not consent…)
According to GDPR, tracking technology should be dropped on a user device after explicit consent and not before; this is not common practice yet.
Given the complexity of the EU legislative process, It is unlikely that PECD will become PECR (from directive to regulation) in less than a year from GDPR enforcement (25 May 2018).
It is also highly possible that PECR will be aligned to GDPR: clearly there is scope for solutions allowing consent opt-in and consent retrieval on tracking technologies by users across all devices platforms.
4) Third parties
Domain owners should audit all tracking technologies on their websites, including third parties ones that expose to the risk of further passing PII over to unknown parties: this is against GDPR regulation. It is therefore important to be able to identify and block any cookie/ tracking technology that can tag and pass PIIs further down the line before clear opt-in consent is given
By the time cookies are being dropped on a domain and even before they are blocked, they often have already released a number of tags; there are several cases where such tags are being piggy-backed by malicious parties to inject malware into IT systems!
Technology is required to process, capture and monitor also any currently unknown future addition of tracking technologies to a domain and to inform about their who, what, why and where: this information is necessary to be compliant and to proof ICO that reasonable effort to be compliant is being made in case of security breaches.
Finally over and above GDPR compliance legal risk, let us not forget that there are also reputation and operational risks related to ignoring the presence of third parties tracking technologies that can bring to loss or damage of sensitive data, revenue, and expose a company to unfair competition!
The Institute of Chartered Accountants in England & Wales (ICAEW) publish a quarterly UK Business Confidence Monitor and Q4 2019...
Find Your Purpose Your Core Purpose should come from a mix of what you love, what you are good at,...
Three resolutions that you can make to improve your business in the New Year by Planning, Formalising, and Reviewing all...