The GDPR Classes Cookies as Online Identifiers
The General Data Protection Regulation (GDPR) protects individuals and the information by which they can be identified, directly or indirectly, and applies strict rules to the processing of data on the basis of consent. Examples of personal data include first and last names, phone numbers, email addresses, vehicle registration plate numbers, social media profile IDs/links, etc. Since cookies can store a wealth of data, they can be considered personal data in certain circumstances, meaning they’re subject to the GDPR. A good example is cookies used to authenticate client requests and maintain session information, which involve the processing of personal data. Website operators therefore need a legal basis to deploy certain types of web technologies.
The PECR And GDPR Go Hand in Hand
The Privacy and Electronic Communications Regulations (PECR) sit alongside the GDPR and impose specific rules on privacy rights relating to electronic communications. It’s forbidden to send marketing communications without prior permission from the recipients, so it’s good practice for businesses to keep a list of people who object and refrain from sending them promotional messages. Equally, it’s no longer possible to make the provision of a service dependent on the data subject’s consent. Where the PECR rules apply, they take precedence over the GDPR, so website operators setting cookies must first ensure PECR compliance and then look to the GDPR.
Cookies Pose Risks to Data Security
Cookies are small text records stored on your device by your web browser. They can’t infect your computer or phone with viruses or other malware, but depending on how they’re used and exposed, they can turn out to be a real security risk. For instance, if authentication cookies are captured over insecure channels, attackers can reuse them to hijack the session and gain illegitimate access without ever knowing the password. Cookies should therefore only be transmitted over secure SSL/TLS (HTTPS) channels. Threat actors who obtain a session this way can change the passwords and email addresses associated with other accounts or trick unsuspecting victims into downloading additional malware.
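As an added example that is not part of the original article: a small Python audit of Set-Cookie headers, checking for the attributes (Secure, HttpOnly, SameSite) that keep an authentication cookie off plain-HTTP channels and out of reach of page scripts. The header values and the session-name heuristic are constructed assumptions, not taken from any real site.

```python
"""Audit Set-Cookie headers for attributes that protect session cookies.
Added illustration, not code from the original article; sample headers
below are constructed, and SESSION_HINTS is an assumed heuristic."""

SESSION_HINTS = ("session", "sess", "auth", "token", "sid")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header; empty means OK."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    looks_like_session = any(h in name.lower() for h in SESSION_HINTS)
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if looks_like_session and "httponly" not in attrs:
        findings.append("missing HttpOnly: session cookie readable by page scripts")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject it")
    elif looks_like_session and samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie sent on cross-site requests")
    return findings


# Constructed samples: a weak session cookie, its hardened form, and a
# non-session preference cookie that needs only the Secure attribute.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_set_cookie(h) or ["ok"])
```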
Cookie Litigation Is on The Rise
Websites that operate in the UK are covered by the GDPR, so they must display a notice informing users that they collect personal data for processing and must obtain consent from visitors before storing cookies on their devices. There are drastic consequences for not complying with the law. The GDPR enables individuals to claim compensation from an organisation for distress caused by the unauthorised use of their personal data. Please don’t hesitate to consult https://www.databreachcompensationexpert.co.uk/data-breach-compensation/ for further information. If personal data isn’t processed in a fair, lawful, and transparent manner, this breaches Article 5 of the GDPR and constitutes a data protection violation.
More often than not, organisations place non-essential cookies on devices automatically without offering clear information about the purposes of those cookies, assuming there’s no need for a consent capture mechanism on the website. An ever-increasing number of companies are taken to court (or investigated) under cookie consent rules. Any person who has suffered material or non-material damage due to the unlawful processing of personal biometric and geolocation data can receive compensation for the damage sustained. Simply put, the business is liable for damages. To be clear, mere discomfort or feelings of uneasiness don’t entitle data breach victims to compensation.
All things considered, being online can be a frustrating experience. Even though the GDPR requires a genuine Yes/No choice, companies push users towards clicking the “accept” button, thereby violating the law. If your personal data has been involved in a GDPR data breach, compensation may be awarded to you for your losses.