Taking Control of Cookies under DPDPA

For DPOs in India, one of the grey areas of compliance to be managed is the “Cookies Consent”.

Normally the cookies are set by the website, and the website is managed by the IT department. The content on the website is often written by the marketing department and contains company promotion and product promotion information. The marketing department may keep a close watch on the content to ensure the accuracy of product information.

The websites also contain the “Privacy Policy” and “Terms of Use” which are typically managed by the legal department.

In the case of listed companies, a part of the website contains investor information which is mandated by SEBI.

It is a tradition to have the “Privacy Policy” of the company displayed on the website along with the “Terms of use” and the contact details of the help desk, the Grievance officer and the DPO or Compliance officer.

For the public, the website is the first contact point for knowing the company and if there is no mention of a DPO or a Compliance officer or a Grievance officer, the inference is that the company is not fully compliant.

CISOs recognize that the website is exposed to the public and hence could be a target for cyber attacks, some of which may cause reputational damage through defacement or, more seriously, the implanting of malware in the source code of the website. There have been many instances of content being manipulated, images being substituted or invisible spamming activity occurring through hidden pages on the website. Domain name re-directions, domain name squatting, etc. are also considered security risks, and hence all pages of the corporate website need to be continuously monitored by the Information Security department for any modification.

The “Domain Name” and the website are also considered an important “Financial Asset” of a company, and have IPR value. The CFO also has a stake in the brand value of the domain and the value of the content as well as the traffic.

Thus, the website of a company serves many purposes and there are multiple stakeholders who are responsible for the content and directly or indirectly create liabilities for the organization.

Governance of a website is therefore an important corporate activity.

However, it is a common practice for most companies to register domain names and host the website with an external agency. Many of them use Cloud applications managed by different agencies. The hosting companies suggest statistical analysis and profiling of visitors. They also suggest certain monitoring of the visitors from the point of view of enhancing the user experience. Additionally, the marketing agencies try to use Google Analytics or other agencies to plant their own trackers and generate insights. With the use of AI in the background, we never know exactly how the information of the users may be used by these background agencies.
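The two concerns above, the Information Security department watching every page for modification and third parties planting loaders or trackers that the company never approved, can be checked from the same crawl. The script below is an added example written for this post, not code from the author or any product; the hostnames, page paths and HTML snapshots are constructed, and the allow-list of company-controlled hosts is an assumption.

```python
"""Website snapshot monitor.

Added example, not code from the original post. It compares a crawl of the
corporate website against the baseline the security team approved and reports
modified pages, pages that were never published (hidden pages), pages that
disappeared, and third-party hosts that scripts, frames or images are loaded
from without being on the allow-list. Hostnames, paths and HTML are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the company itself controls (constructed). Anything else is a third party
# that sees visitor traffic, i.e. a potential tracker or an implanted loader.
ALLOWED_HOSTS = {"www.example-corp.test", "cdn.example-corp.test"}


class _RefCollector(HTMLParser):
    """Collect every URL the page tells the browser to fetch."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])


def unapproved_hosts(html):
    """Third-party hosts referenced by the page; relative URLs have no host and are skipped."""
    p = _RefCollector()
    p.feed(html)
    return sorted({h for h in (urlparse(u).hostname for u in p.urls) if h and h not in ALLOWED_HOSTS})


def page_fingerprint(html):
    """SHA-256 of the page with whitespace runs collapsed: re-indented markup is not a
    change, but a swapped image URL or an injected tag is."""
    canon = re.sub(rb"\s+", b" ", html.encode("utf-8")).strip()
    return hashlib.sha256(canon).hexdigest()


def compare_snapshots(baseline, current):
    """baseline/current: path -> HTML. Returns the deviations the InfoSec team must review."""
    report = {"modified": [], "added": [], "removed": [], "unapproved_hosts": {}}
    for path, html in current.items():
        if path not in baseline:
            report["added"].append(path)          # page the company never published
        elif page_fingerprint(html) != page_fingerprint(baseline[path]):
            report["modified"].append(path)       # content changed since approval
        hosts = unapproved_hosts(html)
        if hosts:
            report["unapproved_hosts"][path] = hosts
    report["removed"] = sorted(set(baseline) - set(current))
    return report


# Constructed snapshots: baseline approved by the security team vs. today's crawl.
BASELINE = {
    "/": '<html>\n<head>\n<script src="https://cdn.example-corp.test/site.js"></script>\n'
         '</head>\n<body>\n<h1>Example Corp</h1>\n</body>\n</html>',
    "/privacy": '<html>\n<body>\n<h1>Privacy Policy</h1>\n'
                '<p>Grievance officer: dpo@example-corp.test</p>\n</body>\n</html>',
    "/contact": '<html>\n<body>\n<p>Help desk</p>\n</body>\n</html>',
}
CURRENT = {
    # a tracker loader was inserted into the head
    "/": '<html>\n<head>\n<script src="https://cdn.example-corp.test/site.js"></script>\n'
         '<script src="https://tracker.example.test/t.js"></script>\n'
         '</head>\n<body>\n<h1>Example Corp</h1>\n</body>\n</html>',
    # only re-indented by the CMS: must not raise an alarm
    "/privacy": '<html>\n  <body>\n    <h1>Privacy Policy</h1>\n'
                '    <p>Grievance officer: dpo@example-corp.test</p>\n  </body>\n</html>',
    # never published by the company
    "/old/unlisted.html": '<html>\n<body>\n<p>Unlisted page</p>\n</body>\n</html>',
}

if __name__ == "__main__":
    for key, value in compare_snapshots(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

The baseline is the snapshot the company signed off on; the report is what changed since. Collapsing whitespace keeps CMS re-indentation out of the alerts while any substituted image, injected script or new hidden page still shows up, and the allow-list turns "who else is loading code into our visitors' browsers" into a question the DPO and CISO can answer from the crawl rather than from the hosting company's word.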

It is in this context that managing “Cookie Consent” assumes importance. If the cookies collect any personal information of the visitors to the website, then the provisions of data protection laws may become applicable. The problem with a website is that anybody in the world, including visitors from the over 140 countries which have specific data protection laws, may visit the website, and the cookies may be collecting various information from them.

Currently DPOs do not consider it essential to treat the “Web hosting” company as a “Data Processor” and handle the corresponding data protection obligations. If the hosting is outside the country, there may also be a “Cross Border Data Transfer” issue to be resolved.

It is time for DPOs to get details of Cookies including what data each cookie collects, how long the information is stored and what is the purpose of each of the data elements that is collected.

If a cookie is tagged as “Essential” or “Functional”, there is no need for it to be a persistent cookie, nor to hold personal information such as the email address or name of the person, even if that is available at log in. Every cookie that collects “Personal Information” is essentially a “Profiling tool”. The profiling itself may have a “Security Purpose” or a “Marketing purpose”. “Security” may be considered a legitimate purpose but “Marketing” may not be.

Hence consent management has to identify and distinguish the type of data each cookie collects and display it on the website, and not restrict the cookie information to the “Name of the cookie” and its classification as “Analytical”, “Marketing” or “Functional”.

The DPOs need to take control of the cookies, and “No cookie should be installed on the website without the specific permission of the DPO”. If there is any “Profiling” of the visitors, then it has to have a proper legal basis, with “consent” for marketing. “Security Profiling” of visitors may be considered “Legitimate Use”, but it has to be ensured that “Security profiling” is not converted into “Marketing profiling”, either through ignorance or by design.

I recall my own experience captured in the article “Union Bank and RSA Fiasco”, where I have highlighted that a “Security Scanning” may be misunderstood if the security team is blindly following automated systems of profiling.

I therefore urge DPOs to start exercising greater control on the web hosting and the planting of cookies, and to obtain the cookie consents as part of their compliance exercise. The current method of cookie consent followed under the GDPR regime, which simply asks for consent on the basis of a declaration such as “Accept All Cookies” or “Accept Functional Cookies only”, is insufficient. The cookie consent has to list out each cookie, indicate the data elements collected, the purpose of collection and the retention period, and obtain consent in a more informed manner.
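The control the post asks for, a DPO-approved register of cookies with data elements, purpose and retention, against which the cookies the site actually sets are checked, can be put into a small audit script. The following is an added example written for this post, not code from the author or from any consent-management product; the register format, its field names, the finding codes and the sample Set-Cookie headers are all constructed assumptions.

```python
"""Cookie register audit.

Added example, not code from the original post. It compares the cookies a site
actually sets (taken from Set-Cookie headers) against a register of cookies the
DPO has approved, flags what the post objects to (unregistered cookies,
persistent "functional" cookies, personal data in cookie values, retention
beyond what was approved) and renders the per-cookie disclosure the post asks
for. The register format, field names, hostnames and sample headers are
constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import unquote

# DPO-approved register (constructed). retention_s == 0 means "session cookie only".
APPROVED_REGISTER = {
    "session_id": {"category": "Functional", "purpose": "keep the visitor logged in during a visit",
                   "data": ["random session token"], "retention_s": 0},
    "csrf_token": {"category": "Functional", "purpose": "protect forms against cross-site request forgery",
                   "data": ["random anti-forgery token"], "retention_s": 0},
    "_stats":     {"category": "Analytical", "purpose": "count page views in aggregate",
                   "data": ["pseudonymous visitor id"], "retention_s": 30 * 86400},
}

EMAIL_RE = re.compile(r"[^@\s;]+@[^@\s;]+\.[a-z]{2,}", re.I)


@dataclass
class CookieFact:
    name: str
    value: str
    max_age_s: Optional[int]   # None = session cookie (gone when the browser closes)


def parse_set_cookie(header: str, now: datetime) -> CookieFact:
    """Parse one Set-Cookie header into name, value and effective lifetime in seconds."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    max_age = None
    if "max-age" in attrs:                     # Max-Age takes precedence over Expires (RFC 6265)
        max_age = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        max_age = int((expires - now).total_seconds())
    return CookieFact(name.strip(), value, max_age)


def audit_cookies(headers, register, now):
    """Return (cookie name, finding code, detail) tuples for every problem found."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header, now)
        if EMAIL_RE.search(unquote(c.value)):
            findings.append((c.name, "PII_IN_VALUE", "value carries an e-mail address"))
        entry = register.get(c.name)
        if entry is None:
            findings.append((c.name, "NOT_IN_REGISTER", "set without DPO approval"))
            continue
        if entry["category"] in ("Essential", "Functional") and c.max_age_s is not None:
            findings.append((c.name, "PERSISTENT_FUNCTIONAL",
                             f"functional cookie persists for {c.max_age_s}s instead of the session"))
        if c.max_age_s is not None and c.max_age_s > entry["retention_s"]:
            findings.append((c.name, "RETENTION_EXCEEDED",
                             f"lives {c.max_age_s}s, register allows {entry['retention_s']}s"))
    return findings


def disclosure_rows(register):
    """Rows for the consent notice: one cookie per row with data, purpose and retention."""
    rows = []
    for name, e in register.items():
        retention = "session" if e["retention_s"] == 0 else f"{e['retention_s'] // 86400} days"
        rows.append(f"{name} | {e['category']} | {', '.join(e['data'])} | {e['purpose']} | {retention}")
    return rows


# Constructed sample: Set-Cookie headers a crawler collected from the site's responses.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "session_id=9f1c3e7a2b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf_token=4d2a9c; Path=/; Secure; Max-Age=2592000",
    "_stats=v7.112; Path=/; Max-Age=31536000",
    "remember_me=user%40example.test; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT",
]

if __name__ == "__main__":
    for row in disclosure_rows(APPROVED_REGISTER):
        print(row)
    for name, code, detail in audit_cookies(SAMPLE_HEADERS, APPROVED_REGISTER, NOW):
        print(f"{code:22} {name}: {detail}")
```

Run against the sample, the audit passes `session_id`, flags `csrf_token` for persisting a month although it is registered as a functional session cookie, flags `_stats` for living a year where the register allows thirty days, and flags `remember_me` both as a cookie nobody approved and as one carrying an e-mail address. The disclosure rows are the per-cookie table the post wants shown to the visitor in place of a bare “Accept All Cookies” button.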

Comments are welcome.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Cyber Law.