Cookies. Not the sweet crumbly varieties, but text files containing data that can be stored on your laptop or mobile device. While we may not be familiar with the technical details of what these and other digital tracking mechanisms, we are all familiar with the pop up cookie banners when we visit websites asking us to provide consent for their use. For the majority of people, these cookie pop up banners are an annoyance, preventing us from accessing the services of the website providers.
For data privacy experts, these banners continue to be a source of frustration and since the introduction of the EU GDPR back in 2018, they have come under greater scrutiny.
So why should this be of interest to the risk management community? Surely this is a problem for web developers and the marketing team, the people who look after the company website.
To understand why risk managers should add the topic of cookies to their list of ‘emerging risks’, we need to understand what cookies do.
In simplest terms, a cookie captures information that identifies you and which can then be used to enhance your browsing experience on websites. For example, a cookie may identify your location and be used to ensure that you see the website for the country in which you live or the appropriate language. They can be used to ensure that you can enter your contact details on a page, or for ensuring that your shopping choices are placed into a basket.
Cookies have many different uses though and can be used to track your browsing history or search terms to enable advertising to be targeted. In some cases, this information can then be gathered and sold to advertising companies (for the techies out there, this is called real time bidding). So, if you’ve ever searched for a particular product online and then wondered why you seem to continually receive adverts for the same or similar items that you’ve just searched for, then this is down to the use of cookies.
It’s this later group that poses a risk.
In order to introduce these cookies, the page owner must ask for your consent. And how we provide consent, is determined in law. Consent, must be freely given and as easily removed as it is given. There’s also a requirement for transparency – the website owner must inform you of what they will do the with the data, who they will share it with, where on the globe the data will be stored, how long it will be kept for and how you can remove your consent. Failure to meet these principles is in breaking the law.
For Risk Managers we already know and understand the need to and consequences of not managing data correctly. Recent high profile fines for Amazon and WhatsApp by regulators in Europe prove that. The use, or misuse, of cookies may not be on our radar.
There has been recent action by EU privacy pressure group NOYB.eu [1]to highlight where companies have failed to meet their obligations. An initial 500+ letters of complaint were sent to organisations across Europe who they believed were falling short, leading to 422 formal complaints being sent to regulators last month for organisations.
Closer to home, we’re waiting for the outcome of landmark legal case, Lloyd vs Google[2]. Whilst this a complex case, it has at its heart the principles of transparency and the right of the individual to have control of the data and could signal compensation payments for individuals impacted by this loss. Importantly, an individual does not have to have suffered financial loss to make a claim and it may open the floodgates for further group actions.
Regardless of the outcome from Lloyd, there is the potential for individuals to make claims for compensation if they can evidence that their consent has not been sought and that their right to privacy has been compromised.
In breaking and potentially more positive news, the Information Commissioner – the UK’s data privacy regulator, recognises this challenge of cookies, pop ups and the requirement for businesses to be able to provide website visitors with an experience that will not stifle sales but will support the principles of privacy. She is lobbying the G7 nations [3]to seek consensus on an approach or a set of tools that will end the nightmare of cookie banners. Only time will tell on how successful this initiative is.
In the meantime, as Risk Managers, we should identify the posture of our organisation. Just grab a coffee and a cookie before you start.
Author: Helen Barge, Managing Director – Risk Evolves
[1] https://noyb.eu/en/noyb-files-422-formal-gdpr-complaints-nerve-wrecking-cookie-banners
[2] https://www.supremecourt.uk/cases/uksc-2019-0213.html
[3] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/09/ico-to-call-on-g7-countries-to-tackle-cookie-pop-ups-challenge/
Risk Evolves – Making compliance simple, every day. Our specialists enable businesses to reduce risk and maximise opportunities in six key areas: Risk Management – GDPR – ISO Certifications – Cyber Security – Health & Safety – Environment & Sustainability. If you’d like to know more about how Risk Evolves can help you prepare to meet the challenges and risks inherent in twenty-first century business, please get in touch for a free no-obligation consultation.