In the digital age, personal data protection has turned from an abstract concept into an urgent need, especially in view of the General Data Protection Regulation (GDPR), which has set strict rules for business. Failure to comply with these rules can lead to serious consequences, including significant fines and irreparable damage to reputation.
Section 1: Cookies in the crosshairs of the GDPR
What could a harmless cookie that stores your shopping cart settings in an online store have in common with a serious document like the GDPR for business? In fact, the connection is direct, and it is very important for every website owner to understand it. After all, as you know, ignorance of the law does not exempt you from liability.
1.1. What is the GDPR and to whom does it apply?
GDPR for businesses that work with EU citizens is not just a fashion trend, but a harsh reality. This regulation, which came into force in May 2018, aims to protect the personal data of EU citizens regardless of their location or place of data processing.
Who exactly does the GDPR apply to?
In essence, the regulations apply to:
- Companies that process data of EU citizens, regardless of whether they are located in the EU or not. That is, if your website is visited by users from Europe, you automatically fall under the GDPR.
- Any personal data that can be used to identify a person: name, email address, IP address, location data, online identifiers (cookies), etc.
The main provisions of the GDPR:
- Lawfulness, fairness and transparency: data processing must be carried out lawfully, fairly and transparently for the data subject.
- Purpose limitation: data may only be collected for clearly defined and legitimate purposes.
- Data Minimisation: only the data that is necessary to achieve the stated goal should be collected.
- Accuracy: measures should be taken to ensure that the data is accurate and up-to-date.
- Storage limitation: data should not be stored for longer than necessary to achieve the purpose of processing.
- Integrity and confidentiality: measures must be taken to protect data from unauthorised access, processing, destruction, loss or damage.
It is important to understand that the GDPR does not prohibit the collection and processing of data, but sets clear rules of the game. Compliance with these rules is the key to the security of your business and the trust of your customers.
1.2. What data is collected by cookies and why is it important for the GDPR?
Cookies are small text files that are stored on a user’s computer or mobile device by a website. They are used for a variety of purposes, some of which are fairly innocuous and some of which may raise privacy concerns.
What data can be collected through cookies?
- Session data: information about the current user session on the site (for example, items in the shopping cart).
- Site Settings: language, region, font size and other settings that the user has chosen for the convenience of using the site.
- Analytical data: information about how users interact with the site, which pages they view, where they came from, which browser they use.
- Advertising data: information about the user’s interests based on their behaviour on the site and other sites, which allows you to show them relevant ads.
Why is this important for the GDPR?
The GDPR considers some types of data collected by cookies to be personal data, even if they do not contain explicit identifying information. For example, an IP address or unique device identifier can be used to identify a user in combination with other data.
Therefore, according to the GDPR, websites are obliged to:
- Inform users about the use of cookies and obtain their consent to the collection and processing of personal data.
- Provide users with the ability to manage cookies, including rejecting their use (except for those that are critical to the operation of the site).
- Ensure the security of the collected data and protect it from unauthorised access.
Failure to comply with these requirements can result in severe fines and other sanctions from regulators. Therefore, it is important to understand what data is collected on your website through cookies and take the necessary steps to ensure GDPR compliance.
Section 2: Lawful methods of data collection
Knowing that the GDPR’s watchful eye is not asleep and any cookie can be a stumbling block, a logical question arises: how can you collect user data without breaking the law? The answer is simple – to act exclusively in the legal field, using consent to the processing of personal data as your shield and sword.
2.1. Mandatory elements of the Cookie policy
A cookie policy is not just a formality, but an important document that is the key to GDPR compliance in the context of using cookies. It should be clear, accessible and, most importantly, comply with all legal requirements.
What elements should be included in a cookie policy?
Information about the types of cookies used on the website. It is important to clearly indicate what types of cookies are used (e.g. session, persistent, first-party, third-party), as well as their purpose – for analytics, advertising, improving the functionality of the website, etc.
The data collected by cookies and the purposes of their processing. You should explain what information is collected by cookies (e.g. IP address, browser type, pages viewed) and how this information is used – to personalise content, display targeted advertising, analyse user behaviour, etc.
Information about third parties that may have access to the data collected through cookies. If your website uses third-party cookies (e.g. Google Analytics, Facebook Pixel), it is important to indicate this in the cookie policy and provide a link to the privacy policy of these services.
The ability of users to manage cookies. The GDPR gives users the right to control cookies. It is important to provide them with the opportunity to refuse the collection of data using cookies (for example, through browser settings or a special tool on the website).
Accessibility and comprehensibility. The cookie policy should be written in plain and understandable language that is accessible to the average user. It should be placed in a prominent place on the website (for example, in the footer) and easily accessible from any page.
Regular updates. The legality and relevance of a cookie policy is a dynamic process, not a one-time action. It is important to regularly review and update it to take into account changes in legislation, as well as changes in the types of cookies used on the website.
Compliance with these requirements will help you avoid misunderstandings from users and regulators, and build trust in your brand.
2.2. How to obtain valid consent to data processing
Consent to the processing of personal data is the cornerstone of the GDPR. Without it, you are not allowed to collect, process, or use any information relating to your website users from the European Union. But how do you obtain this consent so that it is valid in the eyes of the law?
Types of consent:
- Explicit consent: this is a direct, clear and unambiguous confirmation by the user of their consent to the processing of their data. It can be obtained by:
  - Active action: for example, checking the box “I agree to the Cookie Policy” or clicking the button “Accept Cookies.”
  - Written statement: for example, signing a contract containing a clause on consent to data processing.
- Implied consent: this type of consent is more passive and based on the user’s activity. However, the GDPR sets clear requirements for obtaining implied consent, namely:
  - The user’s action should be unambiguous and informed. For example, continuing to use the site after a clear and understandable notice of cookie use may be considered as implicit consent.
  - The user must be given the opportunity to withdraw their consent at any time.
Practical tips for obtaining consent:
- Clear and simple: cookie and data collection information should be presented in simple and clear language, without legalese or complex wording.
- Transparency: users should clearly understand what data is being collected, for what purpose, and how it will be used.
- Voluntariness: the user’s consent must be truly voluntary. It is not allowed to use pressure tactics or manipulations to obtain consent.
- Documentation: it is important to keep records of consent from users to prove its legitimacy if necessary.
Following these recommendations will help you obtain valid consent to the processing of personal data from your website users and avoid potential problems with the GDPR.
Section 3: Risk mitigation and liability
Despite all efforts, the thought of GDPR fines can be terrifying for any business that works with personal data. And for good reason: non-compliance with the regulations can lead to serious financial losses and irreparable damage to reputation. How can you protect your business and sleep well knowing that you have done everything possible to protect personal data on your website?
3.1 What are the penalties for violating the GDPR?
The GDPR is not joking when it comes to personal data protection. The Regulation provides for GDPR fines for violations that can reach millions of euros and deal a devastating blow even to large businesses.
What kind of sanctions can be applied?
- Administrative fines: this is the most common type of sanction; the amount depends on the severity of the violation and can be as high as:
  - Up to €10 million or 2% of annual global turnover (whichever is greater) for less serious breaches, such as failure to comply with data processing principles, lack of a lawful basis for processing or failure to inform users properly.
  - Up to €20 million or 4% of annual global turnover (whichever is greater) for more serious breaches, such as processing data without the data subject’s consent, transferring data to countries that do not provide an adequate level of data protection, or failing to comply with data protection requirements.
- Other sanctions: in addition to fines, regulatory authorities have the right to impose other sanctions, including:
  - Issuing orders to eliminate violations;
  - Restriction or prohibition of data processing;
  - Obligation to notify data subjects of a breach;
  - Suspension of the company’s operations.
In addition to financial losses, GDPR violations can lead to:
- Reputational losses: information about the leakage or misuse of personal data can seriously damage a company’s reputation and undermine customer confidence.
- Legal action: data subjects whose rights have been violated have the right to take legal action to claim compensation for the damage caused.
Given all of the above, it is clear that GDPR compliance is not just a legal formality, but a strategically important task for any business that works with personal data.
3.2. How to protect user data and avoid GDPR issues?
Knowing what troubles can befall a business that neglects the GDPR, it is important to develop an effective data protection strategy. Here are some practical recommendations to help you avoid problems and keep your business running smoothly:
Technical measures:
- Ensure the security of your website: use HTTPS, regularly update software, set strong passwords and protect against unauthorised access.
- Encrypt sensitive data: encryption makes data incomprehensible to attackers, even if they manage to access it.
- Back up your data regularly: this will help you recover information in case of leakage or loss.
- Minimise the amount of data you store: don’t collect or store data you don’t need to achieve your stated goals.
Organisational measures:
- Develop and implement a privacy policy: clearly define the rules for collecting, processing, storing, and using personal data.
- Awareness of GDPR requirements: train staff who have access to personal data.
- Get explicit consent to data processing: use clear and understandable consent forms that do not contain small print or hidden conditions.
- Give users the ability to manage their data: give them the ability to view, correct or delete their data, and withdraw their consent to its processing.
Cooperation with contractors:
- Contract with data processors: make sure your contractors (e.g. hosting providers, email services) are also GDPR-compliant.
- Control the activities of contractors: regularly check how your contractors process personal data.
Maintaining documentation:
- Keep a record of data processing operations: record what data you collect, for what purpose, on what basis, to whom you transfer it, etc.
- Document consent to data processing: keep records of when and how users gave you their consent.
Remember that personal data protection is an ongoing process that requires constant attention and improvement.
Important! This information is provided for informational purposes only and does not constitute legal advice. If you have any questions about the application of the GDPR to your business, please contact a qualified legal professional.
Conclusion
In today’s digital world, where personal data has become more valuable than gold, protecting personal data on a website is not just a to-do list, but a matter of business survival. GDPR, despite its complexity, provides clear guidelines on the way to secure user interaction.
Don’t risk your business and reputation. Contact Polikarpov Law Firm, and we will help you develop a comprehensive data protection strategy that meets all legal requirements and provides you with peace of mind and confidence in the future.
Do I have to comply with the GDPR if my business is not located in the EU, but my website is visited by users from Europe?
Yes. The GDPR is extraterritorial in nature, which means that it applies not only to companies located in the EU, but also to those that process the personal data of EU citizens, regardless of where those companies are located.
Thus, if your website is accessible to users from Europe and you collect their personal data (even if your business is physically located in Ukraine or any other country in the world), you are obliged to comply with the GDPR.
This applies to any personal data:
- Name, address, email address: if the user provides them during registration, filling out a feedback form, etc.
- IP address, location data, online identifiers (cookies).
Ignoring the GDPR can lead to serious consequences:
- Fines: up to EUR 20 million or 4% of annual global turnover.
- Reputational risks: loss of customer confidence, negative reviews, deterioration of the brand image.
- Legal actions: from users whose rights have been violated.
Recommendation: Don’t take any chances. Ensure that your website is GDPR compliant, no matter where you are. This is an investment in the security of your business and the trust of your customers.
I use Google Analytics on my website. Does this mean that I collect personal data through cookies, and do I need to obtain user consent?
Yes, using Google Analytics on your website usually means collecting personal data via cookies, and you do need to get consent from EU users for this.
Why are Google Analytics and cookies related to personal data?
Google Analytics uses cookies to track user behaviour on a website: which pages they visit, how long they spend on each page, where they come from, etc. While this data may seem anonymous at first glance, the GDPR treats some of it as personal, as it can be used to identify a user when combined with other information.
For example:
- IP address: Google Analytics can collect users’ IP addresses, which is already considered personal data.
- Unique identifiers: Google Analytics assigns a unique identifier to each user, which is stored in a cookie and used to track their activities on the website. This identifier can also be considered personal data.
What do I need to do to use Google Analytics in compliance with the GDPR?
- Get cookie consent:
  - Place a clear and understandable cookie notice on your website, explaining what data is collected, for what purpose, and how the user can manage cookies.
  - Use a GDPR-compliant consent mechanism, such as a pop-up window with a choice of the type of cookies the user allows to be used.
- Configure Google Analytics to anonymise IP addresses:
  - Activate the IP anonymisation feature in Google Analytics. This will cause Google Analytics to use only a part of the IP address to determine the geographical location of the user, making it difficult to identify them.
- Update your privacy policy:
  - Include in your privacy policy information about the use of Google Analytics, the types of data collected, and how users can manage their data.
Remember that Google Analytics is just one of the tools that can collect personal data through cookies. It is important to analyse all the services and tools you use on your website and make sure that you obtain users’ consent to collect and process their data in accordance with the GDPR.
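The consent mechanism described in Section 2.2 (active opt-in, withdrawal at any time, keeping records of when and how consent was given) and the "get cookie consent before loading analytics" step in the Google Analytics answer above can be implemented in the page’s own JavaScript. The block below is an added example, not code from this article, from Google Analytics or from any consent-management product. The cookie name `cookie_consent`, the policy version string, the 180-day lifetime and the four category names are assumptions; an in-memory `Map` stands in for the browser cookie jar so the code runs under Node without a DOM.

```javascript
// Added example (not from the article or any vendor): a minimal category-based
// cookie-consent manager. It gates non-essential scripts such as analytics
// behind explicit consent, keeps an auditable consent record (what was granted,
// when, how, and under which policy version), supports withdrawal, and re-asks
// when the policy version changes. `store` is any Map-like object; an in-memory
// Map stands in for the browser cookie jar here.

const CONSENT_COOKIE = "cookie_consent";  // assumed cookie name
const POLICY_VERSION = "2024-06";          // assumed current cookie-policy version
const CONSENT_MAX_AGE = 180 * 24 * 3600;   // assumed lifetime: 180 days, in seconds
const CATEGORIES = ["necessary", "preferences", "analytics", "advertising"];

// Store the user's choice. Strictly necessary cookies do not need consent,
// so that category is always included; unknown categories are ignored.
function recordConsent(store, granted, opts = {}) {
  const chosen = new Set(granted.filter((c) => CATEGORIES.includes(c)));
  chosen.add("necessary");
  const record = {
    version: opts.policyVersion ?? POLICY_VERSION,
    granted: CATEGORIES.filter((c) => chosen.has(c)),
    timestamp: new Date(opts.now ?? Date.now()).toISOString(),
    method: opts.method ?? "banner-click", // how consent was obtained
  };
  store.set(CONSENT_COOKIE, JSON.stringify(record));
  return record;
}

// Read the stored record. A missing, malformed or outdated record (policy
// version changed) counts as "no consent", so the banner is shown again.
function readConsent(store, policyVersion = POLICY_VERSION) {
  const raw = store.get(CONSENT_COOKIE);
  if (!raw) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch {
    return null;
  }
  if (!record || record.version !== policyVersion || !Array.isArray(record.granted)) return null;
  return record;
}

function hasConsent(store, category) {
  if (category === "necessary") return true;
  const record = readConsent(store);
  return record !== null && record.granted.includes(category);
}

// Withdrawal is recorded as a new, dated record granting only "necessary".
function withdrawConsent(store, opts = {}) {
  return recordConsent(store, [], { ...opts, method: "withdrawal" });
}

// Run each loader only if its category has consent; returns the categories
// that ran. In a real page the analytics loader would inject the vendor's
// script tag, so nothing of it executes before consent exists.
function applyConsent(store, loaders) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (hasConsent(store, category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

// Set-Cookie header a server would send for the consent record: Secure (HTTPS
// only), SameSite=Lax, bounded Max-Age. Not HttpOnly, because the banner
// script has to read it.
function consentSetCookieHeader(store) {
  const raw = store.get(CONSENT_COOKIE);
  if (!raw) return null;
  return `${CONSENT_COOKIE}=${encodeURIComponent(raw)}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const jar = new Map();
  console.log("before consent:", applyConsent(jar, { analytics: () => {} }));
  recordConsent(jar, ["analytics"]);
  console.log("after consent:", applyConsent(jar, { necessary: () => {}, analytics: () => {}, advertising: () => {} }));
  console.log(consentSetCookieHeader(jar));
  withdrawConsent(jar);
  console.log("analytics after withdrawal:", hasConsent(jar, "analytics"));
}
```

Two design points matter for the compliance claims in the article: the analytics loader is never called until `hasConsent(store, "analytics")` is true, so no tracking cookie is set by default, and `readConsent` treats a record made under an older policy version as no consent, which forces a fresh choice after the cookie policy is updated.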
What are the implications for my business if I ignore the GDPR's cookie requirements?
Ignoring the GDPR’s cookie requirements can have serious negative consequences for your business, both in the short and long term.
Here are some of them:
Financial:
- High fines: the GDPR provides for fines of up to €20 million or 4% of a company’s annual global turnover (whichever is greater) for serious breaches, which include the unlawful collection and processing of personal data through cookies.
- Legal expenses: users whose rights have been violated have the right to sue for damages.
- Loss of funding: some investors and partners may refuse to cooperate with companies that do not comply with the GDPR.
Reputational:
- Damage to brand image: information about GDPR violations can spread quickly online and in the media, negatively impacting your company’s reputation and brand trust.
- Loss of customers: users concerned about their data privacy may stop using your site and services if they find out about GDPR violations.
- Negative reviews and comments: users can leave negative feedback about your company on review sites, social media, etc.
Other:
- Data processing ban: regulators may prohibit you from collecting and processing personal data of EU citizens, which may result in the suspension of your website or even your business as a whole.
- Regulatory inspections: your company may become the subject of close attention from regulatory authorities, which will entail additional costs for legal advice and support.
It is important to understand that even if your business is not located in the EU, you are still obliged to comply with the GDPR if you process the personal data of EU citizens. Don’t underestimate the importance of the GDPR and risk the future of your business.
What are the "lawful grounds for processing personal data" and how can I make sure that I collect user data legally?
“Lawful grounds for processing personal data” are the conditions, clearly defined by the GDPR, under which you are allowed to collect, store and use personal data from EU users.
The GDPR defines six main legal grounds:
- Consent: the user has freely and explicitly agreed to the processing of their data for a specific purpose.
  - Important: consent must be informed, specific, unambiguous and freely given. It is unacceptable to use pre-set checkboxes or to impose consent as a condition of using the service.
- Contract: the processing is necessary for the performance of a contract to which the data subject is a party or for taking measures at the request of the data subject prior to the conclusion of the contract.
  - For example: processing data for the delivery of goods ordered in an online store.
- Legal obligation: the processing is necessary for the performance of a legal obligation imposed on the data controller.
  - For example: accounting, tax reporting.
- Protection of vital interests: processing is necessary to protect the vital interests of the data subject or another natural person.
  - For example: processing medical data for emergency medical care.
- Public interest: the processing is necessary for the performance of a task carried out in the public interest or in connection with the exercise of public authority vested in the data controller.
  - For example: processing data for fraud prevention, for scientific research.
- Legitimate interests: the processing is necessary for the legitimate interests of the data controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.
  - For example: video surveillance to ensure security at facilities, analysis of website traffic data to improve it.
  - Important: when using this ground, a balance of interests test should be performed to ensure that the rights and interests of users are not violated.
How do you make sure you collect data legally?
- Define the purpose of the data collection: why do you need this data? What specific business processes will you run with it?
- Select the appropriate legal basis: which of the six grounds best suits your purpose and circumstances?
- Be transparent: tell users what data you collect, for what purpose, on what basis, how long you will keep it, and with whom you may share it.
- Get consent: if you are using consent as a legal basis, make sure it meets all the requirements of the GDPR.
- Maintain documentation: write down what data you collect, on what basis, when and how you obtained consent, etc. This will help you prove the legitimacy of your actions in the event of an audit.
Remember: the lawfulness of data processing is one of the key principles of the GDPR.
How often do I need to update my website's cookie policy to be GDPR compliant?
There is no explicit GDPR deadline for updating a cookie policy. However, it’s important to understand that the GDPR requires that your cookie policy is always up-to-date and reflects the reality of your website.
Here are a few situations when you should update your cookie policy:
- Changes in legislation: if there are any changes to the GDPR or other laws relating to the protection of personal data, you will need to make the appropriate adjustments to your cookie policy.
- Changes in cookie use: if you start using new types of cookies, change the purpose of their use, or add new third-party services that use cookies, you will need to update your cookie policy to reflect these changes.
- Changing the data processor: if you have started to cooperate with a new analytics service provider, advertising network or other service that will process personal data of your website users, you need to inform users about it in the cookie policy.
- Receiving complaints: if you receive complaints from users or regulators about your cookie policy, you should review it and make any necessary changes.
Recommendations for updating:
- Regular review: it is recommended that you review and update your cookie policy at least once a year.
- Monitoring changes: follow the news and updates on GDPR and data protection legislation to stay up to date with the latest changes.
- Legal advice: if you are in any doubt about the relevance of your cookie policy or the need to update it, please seek advice from a lawyer specialising in GDPR.
Remember: an up-to-date and transparent cookie policy is not just a legal requirement, but also a show of respect for your users and concern for their privacy.