Three months later: how has the GDPR affected the use of cookies?
The European data protection regulation, the GDPR, entered into force three months ago. During this time, the number of cookies on European news sites has decreased by about a quarter.
Today we look at how the new requirements have affected the way sites work.
/ photo Neil Conway CC
Requirements of the regulation
According to clause 30 of the European regulation, information obtained through cookies can be used to build a profile of a user and identify them. Cookies therefore acquire the status of personal data.
Therefore, the GDPR requires site owners to obtain the user's consent before setting a cookie. Before the regulation was introduced, many sites did not ask for permission: they showed a simple notification banner, and the user was assumed to agree to receive cookies automatically by continuing to use the site.
After the introduction of the GDPR, this is no longer enough. Now the user must indicate in the pop-up window that they agree to accept cookies. The site owner must also explain how cookies are used, how they are processed and to whom this information can be passed. The visitor must also be given the opportunity to opt out of specific cookies.
All of this is set out in the site's privacy policy. The pop-up notification window should contain a link to that policy.
The idea behind this approach is to make the handling of cookies more transparent. The user receives all the information at once and does not need to delete unwanted cookies in the browser settings.
How the GDPR affected sites
Reuters analysts compared data on the number of cookies used by European websites in April and July 2018 (that is, before and after the GDPR took effect). According to the survey, the number of cookies on news portals decreased by 22% on average. The number of cookies used by UK sites decreased by 45%. In France the figure fell by 32%, and in Germany by 6%.
Interestingly, in Poland the number of cookies for some reason increased by 22% instead. This is the only European country with a big change.
According to the report, the percentage of cookies used to optimize the operation of sites has decreased significantly. Social media cookies changed the least.
Unlike European sites, a number of US sites that operated in the European market decided not to update their privacy rules and cookie handling mechanisms.
As soon as the GDPR came into force, more than a thousand US news portals simply blocked access for visitors from the EU.
Among them are the sites of popular publications: the Los Angeles Times, The Chicago Tribune, The Sun Chronicle and others. Users from Europe are shown an error message. This decision carries obvious reputational risks and means losing part of the audience. Moreover, some believe that this behavior is a tacit admission of guilt in the unlawful handling of personal data (PD). However, the reason for this approach is most likely financial.
American organizations took this step because they were reluctant to invest in drafting new policies and introducing new solutions. The low volume of traffic from European users would not pay back the money spent on complying with the GDPR.
How to work with cookies under the GDPR
The number of sites requesting consent to the use of cookies has grown since the introduction of the GDPR. The form of the notice differs from site to site.
/ photo Helen Harrop CC
The GDPR currently contains no uniform algorithm for working with cookies. But you can take a number of measures that would fully satisfy the requirements of the regulation. Here are a few of them:
- Notify the site visitor about the use of cookies. For the wording, you can use the example from the EU Internet Directory: “This site uses cookies. Learn more about how the "organization name" uses cookies and how to change the settings.” A pop-up window with this wording appears when you open the sites of the newspapers The Guardian, The Sun and The Daily Telegraph.
- State which cookies are used and for what purpose. The Forbes website describes in detail why each cookie is needed and how the user's choice affects the functionality of the website.
- Let the user select which cookies they allow to be set. For example, individual cookies can be selected on the Oracle website by ticking “yes / no” for each one. Mandatory cookies cannot be refused, but detailed information is provided for each of them.
- Enable the user to refuse cookies. On the Fortune website, you can change the list of cookies in use at any time by clicking the small Cookie Consent widget in the corner of the page.
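The four measures above can be enforced where the cookies are actually issued. The following is an added example, not code from the original article or from any of the sites it names; the cookie names, the category names and the JSON format of the stored consent choice are assumptions made for illustration.

```javascript
// Added example. Cookie names, categories and purposes are constructed.
const COOKIES = {
  sid:       { category: "mandatory",    purpose: "keeps the visitor's session" },
  perf_id:   { category: "optimization", purpose: "measures page performance" },
  share_btn: { category: "social",       purpose: "social media share widget" },
};
const REQUIRED = new Set(["mandatory"]); // cannot be refused, but is still documented

// Turn the stored choice (JSON such as {"optimization":true}) into granted categories.
// Missing, malformed or unknown input grants nothing beyond the mandatory category.
function grantedCategories(rawConsent) {
  const granted = new Set(REQUIRED);
  let choice = null;
  try { choice = JSON.parse(rawConsent); } catch (e) { /* no valid choice stored */ }
  if (choice !== null && typeof choice === "object") {
    for (const { category } of Object.values(COOKIES)) {
      // Only an explicit true counts; continued browsing is not consent.
      if (choice[category] === true) granted.add(category);
    }
  }
  return granted;
}

// Build the Set-Cookie header values for one response.
// wanted:  [{ name, value }] cookies the site would like to set
// present: names of cookies the browser sent with the request
function setCookieHeaders(rawConsent, wanted, present = []) {
  const granted = grantedCategories(rawConsent);
  const declared = (name) => Object.prototype.hasOwnProperty.call(COOKIES, name);
  const allowed = (name) => declared(name) && granted.has(COOKIES[name].category);
  const headers = wanted
    .filter((c) => allowed(c.name)) // undeclared or unconsented cookies are dropped
    .map((c) => `${c.name}=${encodeURIComponent(c.value)}; Path=/; Secure; SameSite=Lax`);
  // Opt-out: expire declared cookies whose category is no longer granted.
  for (const name of present) {
    if (declared(name) && !allowed(name)) headers.push(`${name}=; Path=/; Max-Age=0`);
  }
  return headers;
}

// What the consent dialog lists: every cookie, its purpose, and whether it can be refused.
function disclosure() {
  return Object.entries(COOKIES).map(([name, c]) => ({
    name, purpose: c.purpose, optional: !REQUIRED.has(c.category),
  }));
}
```

Because `disclosure()` and `setCookieHeaders()` read the same table, a cookie that is not described to the visitor can never be set.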