We’ve heard about GDPR and we know that it has a significant impact on how we do business (especially B2C), but precisely how it affects company websites has been unclear – until now.
The new guidelines mean that we can now be more confident in making sure our website policies are compliant. They also mean that we have a clearer idea of what practical steps to take to make this happen.
When you visit a website, you aren’t just presented with a webpage and its obvious, visual content. Behind the scenes, the site you have visited has sent a small file of information to your computer. This file, called a Cookie (usually in the form of a “pixel”), then stays on your computer, acting as a kind of semi-permanent ‘link’ between you and the webpage that sent it. It literally “tracks” your movements and behaviour.
Why do websites do this? In a word: information.
The website will assume that you’re interested in what it has to say, or what it has to sell, and wants to keep reminding you that it exists. Have you ever been surfing the web, clicked on a site, and then found that adverts for that site or product keep popping up wherever you go next? Even days or weeks later? Well, that’s because of a Cookie.
It means that the relationship you have with that original website/company/product isn’t over when you click away from the page.
Not all Cookies are about advertising, though. Some are designed to gather data about your computer’s “IP” address (which tells the website you’re visiting where in the world you are). Some just want to keep track of how many visitors, or “hits”, the website is getting. Some are needed for the security of the site to function properly.
Again – whatever the specific purpose of the Cookie, it all boils down to one thing: information.
If your company is gathering ANY kind of data or information about a private individual (and, in practice, that means each and every visitor that clicks on your site), then the visitor needs to know this, and they need to be able to make an informed choice about whether, and how, to proceed.
So, back to GDPR.
A key development is that implied consent is no longer permitted.
Now, this kind of policy is illegal.
A central tenet of GDPR is that valid consent requires affirmative action. Assumptions no longer play any part in valid consent. If your site visitor continues to browse, they have NOT given tacit consent for any Cookies to be sent to their computer.
As of right now, your Cookies Policy must obtain opt-in consent prior to the sending of ANY Cookies.
However, GDPR doesn’t technically allow for this, because it means that consent hasn’t been “freely given”. In other words, you have no choice but to click the opt-in form before continuing, which goes against the principles of choice and control which underpin the entire ethos of GDPR.
Instead, you need a pop-up or banner which states, in plain English, that it contains important information about how the site works and how they, the visitor, are in control.
For more information on this, get in touch with your web designer, or give us a call. You can find our contact details at www.northreyconsulting.com