Cookies are small files that are temporarily stored on a user’s computer. They are designed to store data connected to a particular user or website, and to enable certain functions on the website. For more information, check our article on the subject.
There are different types of cookies, with different purposes. Some are purely for the running of the website, and without them, the website would not function. Then there are analytics and marketing cookies, which are a bit more invasive and are designed to track user behaviour and collect data.
In contrast to general consent, this form of consent is where the user will alter their preferences as to what cookies they will consent to being used, such as being able to disable analytics and tracking cookies, while leaving the essential cookies running.
Cookie consent is governed by the ePrivacy Directive (2002/58/EC) at the EU level, which member states have implemented in different forms. In the UK it was implemented under the Privacy and Electronic Communications Regulations 2003 (PECR). Regulation 6 sets out that relevant information must be disclosed and that the user must be given an opportunity to refuse the storage of, or access to, data.
Alongside PECR, the requirements for consent under Art. 7 of the GDPR must be taken into account. Under this provision, for consent to the processing of personal data to be valid, the data subject must be informed, and the consent must be freely given and separate from any agreement to the terms and conditions of service.
In the USA, data protection and privacy laws are not exactly cohesive. One law to focus on, however, is the recently passed California Consumer Privacy Act (CCPA). Under the CCPA, users must be given the ability to opt out of their information being collected and sold, along with disclosure requirements covering the use and purpose of the information that will be collected. This opt-out must also be offered to users at the first opportunity, through a button on the website, in accordance with §1798.102 of the California Civil Code, which was introduced under the CCPA. Cookies, however, are not necessarily dealt with under the CCPA, leaving the consent requirements for cookies uncertain.
Privacy in the US is regulated at the federal level by the Federal Trade Commission (FTC), which is responsible for the enforcement of privacy and security online. The rules enforced by the FTC are, however, an extremely light touch in relation to cookies and tracking. Following the passing of the CCPA, there have been quite a few developments at the state level, with various states currently going through the process of passing data protection and privacy laws.
In Nevada, Senate Bill 220 was passed, implementing new rules regarding privacy on the Internet. Under Section 2 of the Act, companies that will be processing data need to provide consumers with the ability to opt out of the processing and sale of their data. However, in contrast to the CCPA, they are not required to place an opt-out button at the first opportunity.
The other US state to have passed legislation on online privacy is Maine. Under Section 3 of its Act, a customer must be able to refuse consent to the processing and sale of their data without being refused service.
As with the Californian Act, these positions are not necessarily clear as to how they apply to cookies. The recommended best practice for the US is therefore to provide upfront information regarding the use of cookies and the ability to opt out of them at this first opportunity.
Privacy online in Australia is governed by the Privacy Act 1988, which established the Australian Privacy Principles (APP). Under these principles, there is a requirement to disclose the purpose of the processing of data, along with a requirement to obtain consent from the data subject. However, this appears to be a general requirement for the processing of personal data; the Information Commissioner provides slightly different guidance on its application to cookies, indicating that consent may not necessarily be required if the cookies are not collecting personal data.
The duration of the validity of consent is something that has not been clearly set out under the law, and different regulatory bodies hold differing positions on how long cookies may last. The guidance provided by CNIL is that analytics cookies cannot exceed 13 months and that information collected through trackers can only be kept for a maximum of 25 months, while all other cookies are not subject to these requirements. The ICO’s guidance is that the duration of cookies must be proportionate to achieving their purpose.
The more general rule is that consent is valid until it is withdrawn, or until there has been a dramatic change in purpose that invalidates the original consent. On this basis, the validity of consent over prolonged periods of time is uncertain; with our tools, however, you can have consent reviewed over a period of your choice.
Much like the answer to the question regarding the duration of validity of consent, this is not necessarily clear. How information relating to cookies is set out in the policy affects what the best practice would be. If you are merely providing a general list of the cookie categories being used and are not actively scanning the cookies, the policy will only need updating when a new type of cookie that doesn’t fall into any of the listed categories comes into use, in order to provide adequate information to satisfy the transparency requirements.
However, if there is a table containing information on the individual cookies being used, the information would have to be updated every time a new cookie is added, requiring regular scans of the website.
In relation to the storage, collection and processing of data via apps on mobile devices, there is a degree of uncertainty as to whether the same rules of disclosure and consent apply. The ICO’s guidance indicates that the rules would apply, and that apps would have to provide all details and information regarding the data to be collected, along with options giving the user control over their level of privacy.
This can lead to some confusion as to what constitutes standard practice, let alone best practice. To ensure compliance in as many jurisdictions as possible, the highest bar should be the one adhered to. The best practice is as follows: when a user arrives on the website, they should be greeted with a pop-over explaining that cookies are being used for various purposes, along with a link to the in-depth policy. The user should then be given three options: to accept, reject or edit preferences regarding the cookies. When editing preferences, all boxes should be unticked, as opt-in should be considered the standard. This might seem complicated; however, implementing the best practice has never been easier with the cookie consent tools provided by Seers.
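The opt-in flow just described, as an added example in plain JavaScript that is not Seers’ code or part of the original page: non-essential categories default to off, "accept", "reject" and "edit preferences" map to three functions, a gate checks consent before any non-essential cookie is set, and the stored decision is parsed defensively so a tampered or malformed value never grants consent. The category names, the review-period parameter and the stored format are assumptions of this example.

```javascript
// Added example (not Seers' code): a minimal consent-preference model that
// follows the opt-in practice described above. Non-essential categories default
// to off; "essential" is always on. A decision is timestamped so that it can be
// re-reviewed after a configurable number of days (the review period is an
// assumption of this example, chosen by the site, not a legal figure).

const CATEGORIES = ["essential", "analytics", "marketing"];
const DAY_MS = 24 * 60 * 60 * 1000;

// Builds a choices object with every non-essential category off.
function baseChoices() {
  return { essential: true, analytics: false, marketing: false };
}

// Initial state: no decision recorded yet, nothing non-essential ticked.
function defaultConsent() {
  return { decidedAt: null, choices: baseChoices() };
}

// "Accept": every category on.
function acceptAll(now) {
  return { decidedAt: now, choices: { essential: true, analytics: true, marketing: true } };
}

// "Reject": only the strictly necessary category remains on.
function rejectAll(now) {
  return { decidedAt: now, choices: baseChoices() };
}

// "Edit preferences": only the categories the user explicitly ticked become
// true. Essential cannot be switched off, and unknown names are ignored.
function savePreferences(ticked, now) {
  const choices = baseChoices();
  for (const c of ticked) {
    if (CATEGORIES.includes(c) && c !== "essential") choices[c] = true;
  }
  return { decidedAt: now, choices };
}

// The banner must be shown when no decision exists or the decision is older
// than the review period.
function needsPrompt(state, reviewDays, now) {
  if (state.decidedAt === null) return true;
  return now - state.decidedAt >= reviewDays * DAY_MS;
}

// Gate used before a non-essential cookie or tag is set: essential always
// passes; anything else passes only if it was explicitly opted in to.
function mayUse(state, category) {
  if (category === "essential") return true;
  return state.choices[category] === true;
}

// Serialise the decision for storage in a first-party cookie.
function encodeConsent(state) {
  return JSON.stringify(state);
}

// Parse a stored value defensively: a malformed or tampered value (e.g. a
// string instead of a boolean, or essential switched off) falls back to the
// opt-out defaults rather than granting consent.
function parseConsentCookie(raw) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (_) {
    return defaultConsent();
  }
  if (typeof parsed !== "object" || parsed === null) return defaultConsent();
  const decidedAt = Number.isFinite(parsed.decidedAt) ? parsed.decidedAt : null;
  const choices = baseChoices();
  const src = (typeof parsed.choices === "object" && parsed.choices !== null) ? parsed.choices : {};
  for (const c of CATEGORIES) {
    if (c !== "essential" && src[c] === true) choices[c] = true;
  }
  return { decidedAt, choices };
}
```

The point of `parseConsentCookie` is that the stored value is client-controlled: only an explicit boolean `true` counts as consent, so a truthy string or a missing field cannot turn a category on, and `mayUse` treats any unknown category as not consented.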
Article 4 of the General Data Protection Regulation (GDPR) outlines the roles of “data controller” and “data processor”.
Data Controller: “a natural or legal person, public authority, agency, or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data.”
Data processor: “A person who processes personal data on behalf of the controller.”
For example, a website collects personal data (of any type) from visitors and customers for marketing and sales purposes. The collected data is then sent to Marketing and Promotions Ltd for email marketing, SEO and social media campaigns.
If you are providing the data and the instructions for processing it, then Marketing and Promotions Ltd is a data processor and you are the data controller. But if you hand over the data and leave Marketing and Promotions Ltd to decide how to process it, then you are both data controllers, and Marketing and Promotions Ltd is also the processor.
Data controllers and processors, under GDPR, have quite similar duties and must adhere to the same principles.
The formal definition of a processor is mentioned in GDPR’s Article 4. It says,
“Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”
Data processors assist controllers in many respects, such as in a potential personal data breach notification and in a Data Protection Impact Assessment. As required by Article 30 of GDPR, data processors must keep a record of all processing activities carried out on behalf of the controller.
Staff training plays a crucial part in ensuring data privacy: it has been shown many times that 37% of data breaches were the result of human error. Training is another effective way to be compliant and avoid GDPR fines.
Despite being an essential aspect of GDPR, staff training is still under-emphasised. Companies are ready to revamp their whole security network and improve their information security and cookie consent practices, but pay very little attention to the most vulnerable side, where there are endless opportunities to make a minor mistake. Staff training is a fundamental requirement to ensure compliance with GDPR.
Companies must know how to meet the challenges of GDPR. They must make their staff aware of the rules and regulations, and can use e-learning methods for training. The cornerstone of awareness training must be privacy, with the focus on personal data protection to show respect for people’s rights.
The obligations, rights, responsibilities and penalties under GDPR must be taught to employees in depth. You must explain to them the importance GDPR places on the protection of personal data. By the end of the training they should know the core principles of privacy under GDPR and how to integrate behaviours based on those principles into their everyday work routine.
Some companies have well-trained employees for GDPR and often conduct staff training programmes. This does not mean training must be continuous, or that you have to run a session for employees every other day. Hiring and firing is a constant process for companies, but you must know the best time to fulfil the training requirement in your company.
Training should be offered when you find knowledge gaps in your workplace, when you install any new equipment, and when regulatory bodies alter any of the regulatory framework or provide new guidance.
Your staff must know the basic definitions under GDPR, such as the main responsibilities of Data Processors, what is considered personal data, and what data would be considered highly sensitive. In addition to this, they are required to have a good understanding of the following:
1) Data transfer and disclosure: Keep an eye on personal data transfer.
2) Data Protection Impact Assessments (DPIAs): DPIAs for organizations involved in high-risk processing.
3) Legitimate Interests Assessments (LIAs): LIAs are a best practice developed mainly by privacy specialists.
4) Data Protection Officers: The GDPR will require some organizations to designate a Data Protection Officer (DPO).
5) Processing Children’s Data: when processing data from underage subjects, you must ensure that you have adequate systems in place.
Yes, you can. The GDPR is explicit on this point. In many ways, it is the best solution because it guarantees independence, you can rely on subject matter knowledge being the best, and it is very cost-effective.
Yes, you can. However, you must be careful that there are no conflicts of interest. For example, the IT Director would not be the best person to take an objective view of system security, and the Marketing Director will be under pressure to create new methods of communication. Also, it is Murphy's law that if the Marketing Director is the DPO, then the data breach will be six weeks before Christmas when his focus is on maximising sales over this period, or if it's the Finance Director the problem will happen just as the financial auditors walk through the door.
No. It is all about the amount of data you process, the type of data you process, or how often you process personal data.
Every organisation, including sole proprietorships, is required to hire at least one person, as a Data Protection Officer, who is responsible for making sure that the organisation complies with the Data Protection Act.
Organisations must ensure that at least one DPO’s business contact information is available to the public. It can be a general telephone number or email address of the organisation.
The DPO can be someone whose work scope entirely relates to data protection. It can also be a person in the organisation who can take multiple responsibilities and fulfil them wisely. Compliance from an organisation with the DPA remains the responsibility of the organisation notwithstanding the appointment of the data protection officer.
An organisation is liable for even a single piece of personal data in its possession. This applies not only to employees’ data but also to the personal data of other people, such as clients or shareholders. The DPA requires an organisation to hire an individual responsible for ensuring compliance with the DPA.
Your company will be responsible for ensuring compliance with the DPA as long as it continues collecting, using and disclosing personal data, or has personal data in its possession or control.
When the online submission is successful, an acknowledgement email will be sent to the email address provided. If you don’t receive it, check your spam folder.
It is not obligatory to inform the ICO of your DPO’s details, but doing so will assist DPOs in keeping abreast of relevant personal data protection developments.
No, it does not include any fee to register a DPO.
No, there is no need for a company undergoing liquidation to register a DPO.
A dormant company with no business operations need not register its DPO.
The provisions of the DPA came into force on 2 July 2014 and required organisations to designate at least one individual to be accountable for ensuring compliance with the DPA. If your company is handling personal data, you should appoint at least one individual as the DPO.
GDPR says you have to appoint a DPO if:
This applies to both controllers and processors. You can appoint a DPO voluntarily, even if you are not required to. If you do, you must be aware that the same requirements for the position and its tasks apply as if the appointment were compulsory.
Even where GDPR does not make it essential for you to appoint a DPO, you must ensure that your company has sufficient staff and resources to fulfil your GDPR obligations. A DPO helps organisations operate within the law, advising them and helping them monitor their compliance level. In this way, a DPO plays a crucial role in your organisation’s data protection governance structure by supporting accountability.
If you decide not to appoint a DPO, either voluntarily or because you don’t meet the criteria, it is a good idea to record this decision to help demonstrate compliance with the accountability principle.
The GDPR says yes, but the further tasks and duties must not result in a conflict of interest with the DPO’s core responsibilities.
You can externally contract out the role of DPO. It must be based on a service contract with an organisation or an individual. It's essential to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.
You must ensure that:
This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn't mean the DPO has to be line managed at this level, but they must have direct access to advising senior managers who are making decisions about personal data processing.
The GDPR requires you to:
There is no need to include the DPO's name while publishing his contact details. However, you can select to provide this if it's necessary or helpful for you.
You ought to provide your DPO’s contact details in the following circumstances:
Many organisations find outsourcing more cost-effective than hiring an in-house or full-time DPO. Many organisations do not have anyone with the required expert knowledge of UK and EU data protection law and practice who is sufficiently independent of decision-making within the organisation. Avoiding such internal conflicts of interest is an essential requirement of GDPR.
Article 39 of GDPR contains an inventory of the minimum tasks that must be fulfilled by the Data Protection Officer. The primary task is to monitor the organisation’s level of compliance with the law and regulatory requirements. Fundamentally, the DPO informs and advises the Data Controller, Processor and Board on data protection issues, which include the protection of personal data, assignment of responsibilities, awareness-raising and training of staff.
Not personally, but the DPO is responsible for advising the data controller and processor on how to ensure that their organisations achieve compliance.
GDPR states that the following requires a DPO:
The DPO must report to the higher management and have access to the Board to make recommendations.
Yes, as long as it is processing personal data of EU citizens and its Company requires a DPO following GDPR (Article 37).
Yes, if your data subjects belong to the EU and as directed in GDPR (Article 3).
The DPO can be an existing employee, and the role can also be shared jointly among organisations. However, the DPO is required to be independent in order to avoid conflicts of interest, and even where a full-time DPO is not required, outsourcing the DPO function is a cost-effective option.
A Data Protection Impact Assessment is a way to analyse data processing systematically and comprehensively. It helps an organisation to identify any risks in relation to data processing and the actions that need to be taken in order to mitigate that risk.
The Privacy Impact Assessment (PIA) is a standard process used by privacy teams to accomplish privacy by design. Companies conduct PIA when they want to evaluate competitive advantage, product value and cost-effectiveness in design. PIAs identify and reduce organisational privacy risks. When either a new business process gets implemented, a new company is acquired, or a new process gets launched, a company should conduct a PIA.
However, the Data Protection Impact Assessment (DPIA) is used when a company tries to find and mitigate personal data processing risks. An advantage of a DPIA is that it provides clear, recorded evidence that an organisation has evaluated the risk of certain processing activities and reduced those risks in line with the requirements of the regulation.
The documentation can be provided to the Federal and Regional Data Protection Authorities (DPAs) if they require it.
A DPIA must be carried out when processing starts to result in high risks to the rights and freedom of individuals. Below are the expected cases in which DPIA must be conducted.
National Data Protection Authorities and the European Data Protection Board provide the list of cases in which a DPIA has to be conducted. It must be carried out prior to the processing and should be treated not as a one-off exercise but as a living process. A DPA ought to be consulted before the processing. Lastly, the residual risks can be reduced by putting adequate measures in place.
The Data Protection Impact Assessment is important because the company carrying out the assessment gets a full picture of the data it holds for certain purposes and establishes a record of the data and processing being carried out. This allows it to evaluate any weaknesses in those processes that could be deemed high risk, and in doing so determine the strategies for rectifying those weaknesses and mitigating any risk, along with outlining any systemic improvements that can be made to improve the organisation’s overall compliance with the requirements under the law.
A DPIA must be carried out by the individual or people leading the project. A Data Protection Officer (DPO) should also be included, along with information security staff and any processor.
The DPIA should cover the below mentioned key points.
Under the guidance on DPIAs, the general opinion seems to be that a DPIA is not needed for processing operations that were in place prior to the implementation date of the GDPR if they have been checked by the national regulator, and so long as the operation is performed in the same way.
However, if any of those operations have changed in scope and are likely to result in high risk, then a DPIA should be conducted. For the sake of best practice, it would be a good idea to carry out DPIAs for activities involving highly sensitive data to ensure that the risk is minimised.
There are multiple benefits to a DPIA. By conducting one, you will enhance awareness within your organisation of the data protection risks associated with your project. It also supports your project’s design and speeds up communication about data privacy risks with the relevant stakeholders. It also helps demonstrate your organisation’s compliance with GDPR and avoid sanctions.
Consultation with the national regulatory authority is not always necessary following the completion of a DPIA, so long as measures to mitigate the risks to personal data have been identified and taken. However if the DPIA indicates that risks cannot be managed and remain high, then the national regulator should be consulted before moving on with the project.
Regardless of whether such a consultation is needed, there are obligations to retain the DPIA and update it, as it may be reviewed by the national regulator in an audit or investigation arising from the use of the personal data.
Under GDPR, publishing a DPIA is not a requirement. However, publication demonstrates your compliance with the regulations and can help raise trust and confidence. It is therefore recommended to publish your DPIAs if possible.
Also, the published DPIA doesn’t need to be the entire assessment, especially where it could reveal information concerning security risks or sensitive commercial information. The Data Protection Commission for Ireland recommends that a summary will suffice when publishing information relating to the DPIA.
First-party cookies are issued by a website that a user views directly. So if a user lands on a website – for example, seerco.com – then this site creates a cookie which is then saved on the user’s
On the other hand, third-party cookies are not created by the website being visited, but rather by someone else. What does this mean in practice? Let’s say you’re visiting seersco.com, and that site has a YouTube video on one of its pages. In this case, YouTube will set a cookie which is then saved on your computer.
If a cookie does not contain an expiration date, it is considered a session cookie. Session cookies are stored in memory and never written to disk; when the browser closes, the cookie is permanently lost. If the cookie contains an expiration date, it is considered a persistent cookie.
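The two distinctions above (first- vs third-party, session vs persistent) as an added JavaScript example that is not part of the original page: it parses a Set-Cookie header, decides session vs persistent from the Expires and Max-Age attributes, and decides first- vs third-party by comparing the host that set the cookie with the page host. The headers and hosts are constructed sample data, and the last-two-labels site heuristic is a simplification (browsers use the Public Suffix List).

```javascript
// Added example, not from the original page: parse a Set-Cookie header and
// classify the cookie as session vs persistent (by Expires / Max-Age) and as
// first- vs third-party relative to the page being visited. The header lines
// and the setting hosts below are constructed sample data.

function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1).trim() : "",
    expires: null,   // raw Expires string, if any
    maxAge: null,    // integer seconds, if any
    domain: null,
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    const val = i >= 0 ? attr.slice(i + 1).trim() : "";
    switch (key) {
      case "expires": cookie.expires = val; break;
      case "max-age": cookie.maxAge = Number.parseInt(val, 10); break;
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = val.toLowerCase(); break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// No Expires and no Max-Age means a session cookie. Max-Age wins over Expires
// when both are present (RFC 6265 section 5.3); a non-positive Max-Age or a
// past Expires means the cookie is deleted immediately.
function lifetime(cookie, now) {
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) {
    return cookie.maxAge <= 0 ? "expired" : "persistent";
  }
  if (cookie.expires !== null) {
    const t = Date.parse(cookie.expires);
    if (Number.isNaN(t)) return "session"; // unparsable Expires is ignored
    return t <= now ? "expired" : "persistent";
  }
  return "session";
}

// Naive registrable-domain heuristic: last two labels. Real browsers use the
// Public Suffix List, so this is a simplification that suits the sample hosts.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// First-party if the host that set the cookie belongs to the same site as the
// page the user is viewing; otherwise third-party.
function party(pageHost, settingHost) {
  return site(pageHost) === site(settingHost) ? "first-party" : "third-party";
}

function classify(pageHost, settingHost, header, now) {
  const c = parseSetCookie(header);
  return {
    name: c.name,
    lifetime: lifetime(c, now),
    party: party(pageHost, settingHost),
    secure: c.secure,
    httpOnly: c.httpOnly,
    sameSite: c.sameSite,
  };
}

// Constructed sample: three Set-Cookie headers seen while viewing www.seersco.com.
const SAMPLE = [
  { page: "www.seersco.com", from: "www.seersco.com",
    header: "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { page: "www.seersco.com", from: "www.seersco.com",
    header: "stats_id=42; Max-Age=63072000; Path=/" },
  { page: "www.seersco.com", from: "www.youtube.com",
    header: "visitor=xyz; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Domain=.youtube.com; Secure" },
];

function classifyAll(samples, now) {
  return samples.map((s) => classify(s.page, s.from, s.header, now));
}
```

Running `classifyAll(SAMPLE, Date.now())` labels the site’s own `sid` cookie as a first-party session cookie, `stats_id` as first-party persistent, and the embedded video host’s cookie as third-party persistent; the Secure, HttpOnly and SameSite flags are carried through so a cookie audit can flag persistent cookies that lack them.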
You can set up as often as you want. We recommend 30 days as best practice.
The use and regulation of cookies apply whether or not the data collected is anonymous (the creation of anonymous information may itself involve the processing of personal data, for example to generate aggregate statistics based on user interaction, in which case it is covered by GDPR). If the data is not anonymous, then a Data Protection Impact Assessment (DPIA) needs to be completed.
An EU Representative for data protection is a person or organisation appointed to act on behalf of an organisation. It is a role defined under the General Data Protection Regulation (GDPR), Article 27; which sets out that they serve as the first point of contact for EU Data Subjects and Regulators.
Under the most basic arrangements, they will liaise with the organisation that has appointed them, forwarding any complaints and responses between the parties. The appointment of a representative also will enable an organisation to comply with the requirements for international transfers, mainly establishing means that enable Data Subjects to enforce their rights.
Under the current guidance from the European Data Protection Board (EDPB), it is not deemed to be compatible with the role. As under GDPR, Data protection officers are required to be given autonomy within an organisation, which is in conflict with the EU Representative as they are required to act in accordance with the mandate outlining their appointment.
You will need to appoint an EU Representative if you are an organisation outside of the European Economic Area (EEA) and are processing the data of European Data subjects outside of the EU. This might either be through the course of your own business activities or when processing the data on behalf of another party and thus is part of your obligations to provide data subjects with the ability to enforce their rights.
Though under GDPR Art. 27, exceptions can be made if the organisation falls under one of two categories. If they are not regularly processing EEA Citizen data on a large scale, or if they are a public authority or organisation, then they will not be under any obligation to appoint a representative.
If you are a company based in a country which the EU has deemed adequate in terms of its data protection safeguards, such as Argentina, Canada, Israel, Andorra, the Faroe Islands, Guernsey, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay, then the transfer of data is permitted without the requirement for extra safeguards such as binding corporate rules or contracts that establish protections for Data Subjects. But this does not remove the need for a representative: if the company lacks a presence in the EU or EEA, it will be required to have a representative in accordance with Art. 27.
Art. 27, which establishes the legal foundation for this role, also outlines how a representative is to be appointed. They are to be appointed in writing, which will also set out the scope of their mandate. This will at minimum enable them to be the first point of contact for any European complaints. The appointment of a representative will not absolve the organisation of any liability in relation to its own obligations.
Under Art. 27, it states that representatives need to be based in the member states where the organisation is offering goods and services, that requires the processing of personal data. However, under the guidance from the EDPB, it is stated that if goods and services are being offered in multiple EEA Countries, they will only need to appoint one representative so long as it is in one of the Countries they are offering goods and services in.
The California Consumer Privacy Act (CCPA) has created a data protection and privacy framework for companies to adhere to when conducting business in California. The main focus of the Act is to protect the data of consumers in California, rather than protecting privacy across the US as a whole.
The CCPA sets out various rights and obligations regarding the collection and use of data. Some are similar to those of the General Data Protection Regulation; however, in some areas it is a much lighter touch. This might be subject to change depending on the Attorney General’s recommendations and regulations that add to the rules on using such data. It is nonetheless advisable to update privacy policies in the US now, in order to ensure compliance, and to put in place the procedures and mechanisms to respond to any requests.
Under the CCPA, there is no obligation to appoint someone to advise on and assist with the compliance process. This doesn’t mean such an appointment should be ignored, however: it is valuable to have someone in charge of ensuring that the law is complied with and that the business is aware of its obligations, and someone to handle and manage the processes for responding to requests from data subjects.
Under the CCPA, there are three key rights that are established for consumers. The first is the right to be informed, which covers being told what data is being collected on them, the purposes that it is being used for, along with informing them of their other rights.
They will also have the right to request that the business disclose what information they hold and the purposes they are using it for and whether they are selling it to third parties.
Consumers also have the right to at any time, opt-out of the sale of their personal information to third parties, which requires the organisation to provide them with a mechanism in order to exercise this right, which is elaborated later in the questions below.
Under the CCPA, there are provisions that set out a right to opt out for consumers. Section 1798.120 of the CCPA sets out that consumers have the right to opt out of the sale of their personal data.
There is also an additional duty covered later in the CCPA relating to the data of consumers who are under age, who need to be given the option to opt in. This raises a level of complexity online, where there are not necessarily accurate ways of verifying a user’s age, so it is arguably best to provide the opt-out/opt-in form at the earliest possible opportunity.
Under Section 1798.135, it states that for compliance with the earlier section, they need to provide a clear link on their website titled “Do not sell my personal information” which takes them to a page that enables them to opt-out.
Yes; the concept of the sale of data under the CCPA is defined fairly broadly. It covers the disclosure, transfer and communication of personal information to a third party for monetary or other valuable consideration. Put simply, it covers data transferred in return for services.
Communication can be done electronically, by the provision of physical copies or by oral disclosure. Thus, if there are cookies that collect personal information and send it to third parties, this could be considered to fall under the sale of data, since marketing, analytics and social media cookies all provide integration with third-party services that will make use of the data for a variety of purposes. It is reasonable to conclude that §1798.120 of the CCPA does cover third-party cookies.
For failing to comply with the CCPA, penalties are set out under Section 1798.150 in regard to the damages that would be paid out. The amount can vary between $100 and $750 per customer and per incident, which allows the penalty to stack based on the severity of any breach. Ensuring that the basics are in place, such as policies and an understanding of the obligations, is therefore crucial.
The scope of the appointment, which will outline the representative’s duties and obligations, will also require some coordination on other matters. This includes initial coordination to set up lines of communication, policies for the verification of Data Subject Requests, how regulators should be communicated with, and the requirements to disclose any confidential information that has been requested. Having these arrangements set out at the start enables swift responses to Data Subjects and regulators.
Yes, however, this is also dependent on whether or not you maintain a presence within the EU. If you are just providing goods or services, which requires the processing of EU Citizens’ personal data without having an EU presence, then you will be subject to the obligations under Article 27. However, these obligations will not be immediately imposed on the exit date of the 31st of January.
After the end of the transition period, EU Representatives based in the UK will no longer be able to provide their services for Europe as a whole. As the UK will no longer be part of the EU, this will even be the case if the UK leaves with an agreed deal shaping the future relationship with the EU.
The current approach in the UK, from both the government and the ICO, indicates retention of many of the data protection principles in pursuit of an adequacy decision at the end of the transition process. In light of this approach, the ICO’s guidance states that organisations outside of the UK without a presence there will require a Data Protection Representative for the UK and a separate one for the EU.