TAKE IT EASY ON THOSE COOKIES SANTA!

Santa takes his data protection responsibilities seriously – and we know because we check every year to see if he’s been naughty or nice! But a sneaky little issue has crept past him unnoticed this year and we think its time to remind him – Keep away from those cookies Santa!

Just like real life cookies, one or two here and there doesn’t seem like its having too much of an impact. One day you look up and realise that you are tracking more that you intended. Worse still you are sharing all that lovely tracking information about all the boys and girls who visit Santa’s operations on the North Pole website with a lot of third parties who don’t all share Santa’s  good intentions.

THE ISSUE CREPT UP ON SANTA

This issue crept up on Santa. A few years back, he had a very enthusiastic marketing elf looking after the North Pole website. The marketing elf was always full of enthusiasm and good ideas – just what everyone wants in a marketing elf employee in fact! Santa’s website never looked so good, full of bells and whistles, pop-ups, and surveys. Santa knew his website was in great hands and he left all the decisions about the website to the marketing elf.

What Santa did not realise was that his marketing elf was constantly trying out new tools on the website, some of which were used, and some forgotten after the free trial period was up. Santa’s marketing elf was also a bit of a DIY enthusiast when it came to building out the website and loved to source plug-ins to do cool new stuff. Santa’s website now has a big compliance issue – with lots of cookies where no-one actually knows what they are for, a cookie notice that tells us nothing and a cookie banner that drops cookies anyway, whether the user clicks on Accept or Reject.

OUR MESSAGE TO SANTA

Santa, our message to you this year is that its time to take a step back and really understand what is happening on your website. Make sure your North Pole website has the same standards of compliance that you expect from the rest of your organisation. In short Santa – its time to take control of those cookies.

HOW SANTA CAN GET BACK ON THE NICE LIST

Santa, we know just how much you love lists so in the spirit of Christmas, we have put together a handy list for you:

1. Know your cookies. The starting point for all data protection compliance activities is knowledge. You need to understand what cookies your website is dropping on your visitors devices, what these cookies are for, what information they might collect, who they might share with and how long they are retained. Document this in one of your famous lists!
2. Streamline your cookies. Take a long hard look at what all that data collection is doing for the North Pole operations. Is it really all delivering value? Do you actually use the data that is collected? Do you need three different analytics engines collecting traffic data on your website (yes, we have seen this!)? Have you embedded any dodgy plugins that are leaking data about your website visitors to some unknown 3^rd party in Russia (yes, we have also seen this!)? Did you run a marketing campaign 3 years ago with a 3^rd party who activated dozens of cookies on your website and when you finished the campaign you never cleared them out (yet again yes!)? Delete any cookies you do not need. Pay particular attention to 3^rd party cookies and especially 3^rd party advertisers.
3. Categorise your cookies based on their purposes – strictly necessary for the core website functionality to work, analytics, user experience, marketing. Make sure the strictly necessary cookies are in fact strictly necessary. There are definitions about what qualifies as strictly necessary so don’t takes anyone’s word for it, test them Santa!
4. Get a cookie consent engine and configure it properly. Don’t fall for the sales pitch – you won’t be compliant out of the box as many claim. Neither can you rely on the out of the box cookie descriptions as they also claim. Take those consent management tools and make them your own. Ensure the cookies are correctly categorised, ensure the text accurately describes how you use those cookies. Then test them to ensure that they are working as expected. Remember that you need to make it as easy to refuse consent as it is to accept. Whatever you do, Santa, don’t get the cookie consent tool that thinks it can set cookies based on legitimate interest – under current legislation cookies always needs consent and that could turn out to be an expensive mistake.
5. Draft a cookie notice to provide information to the visitors to the North Pole website that is accessible and accurate. Layer the information you provide using the consent management tool as the first source and ensuring the information is consistent as you delve into the layers to arrive at your cookie notice. Think about how information is presented on real cookie packets – high level nutrition information on the front with colour codes, more detailed ingredients and nutritional information on the back.
6. Be careful about further processing. Santa, this is something we think is particularly important for you, because your audience is children who are offered special protection under GDPR. You need to think about pixels, use of local storage and visitor interaction trackers that offer session recordings and detailed visitor profiling. Might you be using a session recording tool, and do you have a valid lawful basis? If you are using plugins that are collecting personal data have you got a data processing agreement in place with the provider?

NOT ALL COOKIES ARE CANE SUGAR AND FAIRY DUST

We expect by now that you are finding this is a lot more complicated than you expected, Santa. You are not alone in that. Cookies sound so sweet and innocent – “A cookie is a small piece of data stored on the user's computer by the web browser”. But we have learned that they are not all cane sugar and fairy dust.

Cookies range from delivering essential web functionality to detailed cross-site consumer activity trackers. You need to take the time to understand what your website cookies are doing, whether they are delivering value or just causing you an unnecessary compliance headache. You need to ensure you are only using cookies that are delivering genuine business value and that are aligned with your business ethics.

Cookies can really help you get the best out of the North Pole website, but they don’t come for free. They need to be managed and they need to be regularly reviewed for compliance. Don’t leave it all to the marketing elf from now on Santa. Start asking the right questions and make sure the marketing elf considers the full impact of the cookies that are included on the North Pole website.

Santa, just like all those cookies you’ll be consuming on Christmas Eve – remember with cookies less is more!

---

The Irish Data Protection Commissioner published a Guidance on the Use of Cookies and Other Tracking Technologies in April 2020 as well as publishing a report in March 2020 into a Cookie Sweep Exercise carried out in late 2019. We wrote about this in a previous blog and published a compliance checker that can be downloaded below.