GDPR, CANDDi and Cookies
The idea of consent is one of the key facets of the 2018 GDPR legislation. Primarily, this has been a shift to ‘opt-in’ consent for data processing and cookies, rather than ‘opt-out’. The law change means personal data can only be processed under certain grounds. The most relevant one in the case of CANDDi is article (1)(a):
‘the data subject has given consent to the processing of their personal data for one or more specific purposes;’
According to the legislation, a request for consent must be ‘clear, concise and not unnecessarily disruptive’, and must be given by a ‘clear affirmative act’.
Things that do not constitute consent:
Silence
Pre-ticked boxes
Inactivity
There is, however, another condition on consent found in Article 7(3): ‘The data subject shall have the right to withdraw his or her consent at any time...’. The law also states it must be just as easy to revoke consent as it was to give it, so the consent policy needs to be easily accessible. When considered together it would be reasonable to conclude that consent will be valid if the website visitor is displayed an initial notice (and choice) and is able to change this, in a granular way, at a later date.
Cookies are only mentioned once within GDPR, despite being important overall. Recital 30 states:
‘Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.’
In short, what this means is that cookies should be treated as personal data when used to identify a device or, as with CANDDi, when used in conjunction with other data to identify the individual associated with that device.
We can, however, extend this notion of cookie consent to consider an alternative lawful ground for lawful processing of personal data: the setting of cookies based on the ‘legitimate interests of the controller’. This would allow the use of cookies without the strict requirement of explicit consent as stated in Article 6(1)(a). (nb. This would not apply to the public sector due to legislative distinctions)
Article 6(4) sets out several conditions for the use of Legitimate Interest. A data controller would need to have considered their justification of such a decision. Due to the way CANDDi tracks, it is likely to fulfil such criteria. Campaign and Digital Intelligence Limited cannot, however, advise on this as the justification is business specific.
This is found in Article 6(1)(f) where there are lawful bases available for the processing of personal data where it is “Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject”.
The recitals give examples of processing that could be necessary for the legitimate interest of a data controller including:
Recital 47: “Processing for direct marketing purposes or preventing fraud”
Recital 48: “Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data”
Recital 47 would, therefore, cover the setting of first-party cookies for marketing purposes.
Legitimate Interest does however also come with the right to object to the processing by the individual (Article 21). The website would therefore still be required to have the ability for the user to opt-out of such usage.
When considering how the Legitimate Interest approach would relate to the setting of cookies, and use of CANDDi, as a business development/direct marketing tool this would appear to complement.
Have more questions? Contact us at help@canddi.com or 0161 414 1080
‘the data subject has given consent to the processing of their personal data for one or more specific purposes;’
According to the legislation, a request for consent must be ‘clear, concise and not unnecessarily disruptive’, and must be given by a ‘clear affirmative act’.
Things that do not constitute consent:
Silence
Pre-ticked boxes
Inactivity
There is, however, another condition on consent found in Article 7(3): ‘The data subject shall have the right to withdraw his or her consent at any time...’. The law also states it must be just as easy to revoke consent as it was to give it, so the consent policy needs to be easily accessible. When considered together it would be reasonable to conclude that consent will be valid if the website visitor is displayed an initial notice (and choice) and is able to change this, in a granular way, at a later date.
Cookies are only mentioned once within GDPR, despite being important overall. Recital 30 states:
‘Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.’
In short, what this means is that cookies should be treated as personal data when used to identify a device or, as with CANDDi, when used in conjunction with other data to identify the individual associated with that device.
We can, however, extend this notion of cookie consent to consider an alternative lawful ground for lawful processing of personal data: the setting of cookies based on the ‘legitimate interests of the controller’. This would allow the use of cookies without the strict requirement of explicit consent as stated in Article 6(1)(a). (nb. This would not apply to the public sector due to legislative distinctions)
Article 6(4) sets out several conditions for the use of Legitimate Interest. A data controller would need to have considered their justification of such a decision. Due to the way CANDDi tracks, it is likely to fulfil such criteria. Campaign and Digital Intelligence Limited cannot, however, advise on this as the justification is business specific.
This is found in Article 6(1)(f) where there are lawful bases available for the processing of personal data where it is “Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject”.
The recitals give examples of processing that could be necessary for the legitimate interest of a data controller including:
Recital 47: “Processing for direct marketing purposes or preventing fraud”
Recital 48: “Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data”
Recital 47 would, therefore, cover the setting of first-party cookies for marketing purposes.
Legitimate Interest does however also come with the right to object to the processing by the individual (Article 21). The website would therefore still be required to have the ability for the user to opt-out of such usage.
When considering how the Legitimate Interest approach would relate to the setting of cookies, and use of CANDDi, as a business development/direct marketing tool this would appear to complement.
Have more questions? Contact us at help@canddi.com or 0161 414 1080
Updated on: 04/02/2020
Thank you!