Of course, it is easy to overlook the fact that there are exemptions where the cookie is essential to the operation of the site and the delivery of the “information age service” which the individual is trying to avail of. The oft-cited example here is the need of many on-line shopping basket systems to write cookies to your computer as you move through the sales process to remind the system what it was you were buying and keep your session active so that you can place your order seamlessly (for example if you are moved to a 3rd party site such as PayPal to do the payment bit and then go back to the company site to download a receipt etc.)
So, the cookies Directive boils down to the age old Peter Drucker conundrum: “What is the meaning and purpose of the information?”
In this context then, what is a cookie? The traditional definition is that it is a text file (or a flash local object) written to your computer by a website. However, that answers the technical “what”. We are more interested now in the inforamtional and process “what” aspects of a cookie.
- It is a file
- Containing data, some of which may identify an individual
- That is used for a purpose
So, from a Data Protection and Data Governance perspective, the challenge that is posed by the EU Electronic Privacy Directives for organisations conducting business on-line is to:
- Understand what cookies they are writing as part of their processes
- Understand what data is being written as part of those processes
- Understand how the data in the cookie is actually used as part of that process.
Only when you get to grips with those questions will you be able to understand if the cookie is essential to the delivery of the on-line service that the customer is seeking (in which case consent is not required), and be able to clearly explain the purpose of the cookies that might require consent or identify those cookies that are being written that serve no actual clear purpose. Where consent is required, the organisation that understands the what and how and why of their cookies is in a better position to determine how best to get consent for the cookie. For example, if you are running a membership-based social networking site you may write cookies that store parts of the user login to allow users to access the site without having to login every time – you would improve your compliance if you gave users the option of NOT having that facility. Likewise, where you identify cookies that don’t seem to be serving a purpose then you need to consider whether or not they should be written in the first place given that they expose you to a risk of non-compliance with the Directive.
To achieve all of this, organisations need to
- Map your on-line processes
- Associate cookies with relevant process steps
- Assess the level of personal or potentially personally identifying data written in each cookie.
- Implement a governance framework to ensure that as changes are made to their website that the impact and purpose of any new cookies that are being written is clearly understood and can be shown to serve a clear purpose.
Only by thinking of cookies as another form of information asset that supports you delivering services or generating cashflows and treating them as such will organisations be able to effectively govern their use to ensure compliance with current and emerging Privacy regulations.