Website tracking is common practice on the world wide web. Put simply, website tracking is the collection of information about your visitors for a variety of purposes, e.g., statistics to improve the user experience on the website, or marketing to create more targeted advertising. It is most commonly done via cookies.
However, there are rules about how user data may be collected via cookies. The General Data Protection Regulation (GDPR) has applied since May 25th, 2018. The GDPR is a data privacy law that sets strict requirements for how for-profit and non-profit organizations handle personal data. Keep reading for a short introduction to cookies, website tracking and the GDPR.
Cookies: The perfect technology for spying
Cookies are a tracking technology that dates from the mid-90s (Netscape introduced them in 1994). The name comes from the "magic cookie", an older computing term for a small opaque token that one program hands to another and later gets back unchanged. A cookie is a small piece of data, typically a name=value pair carrying a session or visitor identifier, that a website's server asks the browser to store via the Set-Cookie response header, usually on the user's first visit. The cookie itself does not collect anything: the browser simply sends it back, in the Cookie request header, with every later request to the same site. That is what lets the website recognize the returning user, link their requests together and apply their preferences, thus providing a more comfortable viewing experience.
However, cookies are not only used for improving user experience. A large share of the cookies active on a typical website are statistics and marketing cookies, and many of them are set by third parties: an analytics or advertising service embedded in the page sets its own cookie, and the browser returns that cookie to the service from every site that embeds it, which lets the service track a user across domains. That is what makes cookies an essential part of the digital economy.
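The following is an added example, not code from the original article, that models the mechanism just described with the Python standard library: a browser-side cookie jar, two publisher sites and one embedded tracker, all with constructed hostnames. It also goes slightly beyond the text with an `audit` helper that flags Set-Cookie headers missing the Secure, HttpOnly and SameSite attributes, which is the first check a practitioner runs on a site's cookies. The `uid` cookie name and the `.example` hosts are assumptions for the demonstration.

```python
"""Model of how cookies let a site, or a third party embedded in it,
recognise a returning browser. Added example: hosts and pages are constructed."""
import secrets
from http.cookies import SimpleCookie


class CookieJar:
    """Browser-side store. Real browsers also match the Domain and Path
    attributes and may block third-party cookies; this keeps one jar per host."""

    def __init__(self):
        self._jar = {}  # host -> {cookie name: Morsel}

    def store(self, host, set_cookie_header):
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        self._jar.setdefault(host, {}).update(parsed)

    def cookie_header(self, host):
        """The Cookie: request header the browser would send to host ('' if none)."""
        morsels = self._jar.get(host, {})
        return "; ".join(f"{m.key}={m.value}" for m in morsels.values())


class Server:
    """Server side: hands out a visitor id on first contact, reads it back later."""

    def __init__(self, host, samesite):
        self.host = host
        self.samesite = samesite  # 'Lax' for a first-party site, 'None' for a tracker
        self.seen = {}  # visitor id -> [(top-level site, page), ...]

    def handle(self, cookie_header, page, top_site):
        """Return (visitor id, Set-Cookie header or None) for one request."""
        cookies = SimpleCookie(cookie_header) if cookie_header else SimpleCookie()
        if "uid" in cookies:
            uid, set_cookie = cookies["uid"].value, None  # returning browser
        else:
            uid = secrets.token_hex(8)  # first contact: mint an identifier
            set_cookie = f"uid={uid}; Path=/; Secure; HttpOnly; SameSite={self.samesite}"
        self.seen.setdefault(uid, []).append((top_site, page))
        return uid, set_cookie


def browse(jar, publisher, tracker, page):
    """Load one page: the publisher's HTML embeds a pixel served by the tracker."""
    for server in (publisher, tracker):
        _, set_cookie = server.handle(jar.cookie_header(server.host), page, publisher.host)
        if set_cookie:
            jar.store(server.host, set_cookie)


def demo():
    """Two unrelated sites, one shared tracker (constructed hosts)."""
    jar = CookieJar()
    news = Server("news.example", "Lax")
    shop = Server("shop.example", "Lax")
    tracker = Server("ads.tracker.example", "None")
    browse(jar, news, tracker, "/politics")
    browse(jar, news, tracker, "/sport")
    browse(jar, shop, tracker, "/cart")
    return news, shop, tracker


REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def audit(set_cookie_header):
    """Name each cookie's missing hardening attributes (empty list = all present)."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    return {m.key: [a for a in REQUIRED_ATTRS if not m[a]] for m in parsed.values()}


if __name__ == "__main__":
    for server in demo():
        print(server.host, server.seen)
    print(audit("sid=abc123; Path=/"))
```

Running `demo()` shows each publisher seeing one visitor with only its own pages, while the tracker's single visitor id carries the full trail across both sites: that is the cross-domain profile the text refers to. Browsers that refuse third-party cookies break exactly this link, which is why a tracker's cookie needs `SameSite=None` (and therefore `Secure`) to be sent at all in a cross-site context. The `audit` function is the piece to point at real Set-Cookie headers from your own site.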
The information collected via cookies ranges from seemingly innocuous data such as device specifications and preferred language to IP addresses and, through the browsing profile built up around the cookie's identifier, inferences about political convictions and even sexual orientation.
This does not make cookies an "evil" technology, but concerns could and should be raised about the moral implications of holding such sensitive information and the damage that can be done with it. That is why the GDPR was created: to protect individuals' right to privacy and to give them control over how their data is used.
GDPR: The great game changer
On May 25th, 2018, the most significant data privacy initiative in 20 years came into effect: the GDPR. The GDPR is an EU-wide regulation that governs how businesses and organizations process personal data. Its purpose is to protect individuals in the EU by giving them control over their data and by setting strict requirements on data processing.
In other words, if your website offers goods or services to, or monitors the behaviour of, individuals in the EU, you are obligated to comply with the GDPR, regardless of where your organization is based. This means documenting data flows, being transparent about the cookies active on your website, having a valid lawful basis before processing begins (for non-essential cookies such as statistics and marketing cookies, the ePrivacy rules that apply alongside the GDPR make that basis the user's prior consent), keeping user data appropriately secure, preparing procedures for a data breach (including notifying the supervisory authority within 72 hours of becoming aware of it, where notification is required) and much, much more.
And as if that wasn't enough, you are also obligated to ensure that your service partners are compliant with the GDPR as well: the processors that handle personal data on your behalf, such as analytics and advertising providers, must be bound by a written data processing agreement. Non-compliance with the GDPR can result in fines of up to €20 million or 4% of your organization's global annual turnover, whichever is higher.