GDPR, or General Data Protection Regulation, refers to EU citizens data regardless of their location. After a few years of negotiations, GDPR got adopted in April 2016, while the implementation started during late May of 2018.
Now, a year later, many companies are not fully compliant with the regulation and are still getting used to what GDPR has brought.
There were some fines and penalties and in this blog I would like to reflect on those punishment cases, followed with a few explanations and suggestions on what you need to do to avoid getting fined.
Controllers who failed to meet the requirements or document their efforts to comply, risked penalties of up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
As shown in Irish Data Protection Commission (DPC) annual report from the period May 25 – December 31, 2018, there was a total of 4,113 complaints for the full year 2018, which is an increase of 56 percent from 2017. That is a great increase in pre- and post- GDPR.
If you are not familiar with penalties and fines that GDPR has caused, here are some honorable mentions:
1. The CNIL, the French regulatory body, in January 2019 fined Google €50 million under the GDPR.
They claimed that Google search engine lacked transparency and clarity in the handling of personal data and failed to properly obtain users’ consent for personalized ads.
2. The Datatilsynet, the Norwegian Data Protection Authority, fined the Municipality of Bergen by 170 000€.
One student of the public school, administered by the Municipality of Bergen, found a file with login credentials for 35 000 students and employees, in a public storage area. It is considered that the lack of appropriate measures couldn’t protect the personal data in the computer file system.
3. The DPC, the Irish Data Protection Commission, which is the lead privacy regulator for multinational tech giants based in Europe, is currently investigating the case of Quantcast.
Quantcast knows a lot about people based on their online activity. It can make really accurate guesses about their age, gender, income level and educational level. It can also start to predict what types of products they might buy and how your browsing activity relates to their personal life.
4. The DPC also announced the launch of an investigation into Google’s processing of personal data as part of the company’s highly popular Ad Exchange online ad system.
It’s considered that system is “leaking” the personal data of users to more than 1,000 companies, all without the consent of users or any ability of them to take action to stop this from happening.
The (not so) scary regulation
Let’s take a look at how you can avoid getting on the “notable fines” list.
General Data Protection Regulation is applicable as of May 25th, 2018, and replaces the Data Protection Directive. It protects EU citizens’ personal data and it refers to everyone from and outside of the EU who uses that data. Basically, any application, website or company that offers its services or products to people in the EU or monitors their behaviour (e.g. “cookies”, pixels, …) is obliged to align with GDPR.
Some important GDPR terminology (Art. 4 GDPR):
- A data subject is a natural person who can be identified, directly or indirectly, through personal data.
- Personal data are: name, address, email address, phone number, IP and MAC address, GPS location, cookies on web pages, social networking, photographs, video footages, OIB, educational and professional information, pay data, credit information, bank account details, genetic data, health data, …
- A controller is a person or a business who decides to collect the data or decides what data gets collected and why.
- A processor is a person or a business that processes personal data on behalf of the controller.
- Consent means freely distributed and informed agreement by a data subject for processing his or her personal data.
One of the main GDPR tasks is the protection of “personal data”, which is basically data that can identify a particular person (“data subject”). Controllers must at all times know where and for what purpose personal data may be used. So it is important that they have organized and functional technical infrastructure.
There are six bases for processing personal data: consent, contract, legal obligations, vital interests of the data subject, public interest and legitimate interest (Art. 6(1) GDPR).
In order to obtain freely given consent, it must be given on a voluntary basis. The data subject must also be informed about his or her right to withdraw consent anytime and that should be as easy as giving consent.
Just be transparent
- Transparency – On data subject’s request, the controller should provide information on actions regarding ways of collecting and processing personal data within one month of the received request (Art. 12 GDPR).
- Right to access – The data subject has a right to know what data and for what purpose is processed by a controller (Art. 15 GDPR).
- Right to rectification – Controller should rectify inaccurate personal data concerning the data subject (Art. 16 GDPR).
- Right to erasure (“right to be forgotten”) – Personal data should be erased on a data subject’s request if those data are no longer necessary in relation to the purpose for which they were collected and in case that data subject withdraws consent (Art. 17 GDPR).
A few ways web services collect personal data:
- Cookies and similar technologies
- Online forms for receiving newsletters, submitting a petition, applying for a job, filing a complaint, booking accommodation, …
- Technology (e.g. so-called “B2B gateways”) to collect personal data from other internet sources
- Functional and technical logs or network devices, e.g. for statistics or security purposes
A cookie is a small piece of text that a website asks your browser to store on your computer or mobile device. The cookie allows the website to “remember” preferences (e.g. languages) and actions (e.g. articles already in the shopping basket of a webshop). Their use is also extended to enable user authentication during a session and to record browsing behaviour (“analytics”). That way, you can use the data for web service improvement or for tracking and profiling users (e.g. to serve targeted advertisements).
Cookies are used to identify a person, therefore they should be treated as personal data. That’s why a cookie pop-up and dedicated cookie notice page should be shown on the website. Cookie notice should explain: why and which types of cookies are being used (first- and third-party cookies), type of data collected, who controls/accesses the cookie‑related information (website or third‑party) and that the cookie isn’t used for any purpose other than the one stated and how users can withdraw consent.
For instance, implied consent and consent given simply by visiting a site is not enough.
Because the GDPR clearly states that a data subject should be able to withdraw consent as easily as it is given, it means that he or she should be able to give and revoke consent through the same action.
For example, the data subject can give consent for cookies by clicking through some boxes which, by default, shouldn’t be preset (except necessary cookies). So, the data subject has to be able to find the same form to revoke consent.
Under the GDPR, you must have consent to set cookies that track personal data, whereas under the ePrivacy Directive, you need user consent before setting any kind of cookies other than the strictly necessary.
Often though, websites contain elements from other web services, like advertising partners, social networking sites or other content providers. As a result, both first-party cookies set by the requested website and third-party cookies can be set on data subject’s devices.
A GDPR requires also to securely store given consents as documentation that the consent has been given.
Some of the cookies that generally DO NOT need consent:
- User input cookies, for the duration of a session
- Multimedia content player session cookies, such as flash player cookies, for the duration of a session
- Load balancing session cookies, for the duration of the session.
Third party cookies that generally DO need consent:
- Social plug-in tracking mechanisms
- Marketing cookies (header bidding, Facebook Pixel)
Regarding Newsletter, it is important to state that it is no longer possible to offer a discount, a free product or service in exchange for email address which will later get stuffed with promotions and offers, on which data subject did not give consent. An example of that kind of Newsletter is shown below.
As in example for “free coupon code” offer, a data subject has to type in his or her email address in order to receive it. A controller can not misuse that email for a mailing list or customized online advertising and send him or her other promotional material and coupon codes unless it was originally made clear at the point of sign-up that was controller’s intention.
As written in Recital 32 in GDPR: “Silence, pre-ticked boxes or inactivity should not constitute consent.”, the checkbox for signing in to the newsletter below the email entry field must not be checked.
A good example of Newsletter is shown below.
Next Newsletter example should be also considered as GDPR correct because data subject now clearly understands that he or she is primarily signing up for a newsletter and the coupon code is just an extra bonus.
Here’s how the Locastic development team implemented the newsletter feature on our website. It is located on the bottom of our blog section with a neat call-to-action for everyone that’s interested in our content.
As previously mentioned, personal data should only be used for specified and legitimate purposes. This means that the controller must not collect data for one purpose and then go on to use it in a different way.
Except for frontend part (pop-up, checkbox), a controller needs to have backend part as well (e.g. consent record through the log in a database) where it could be clearly seen who and when gave that consent. A controller can outsource a processor, like MailChimp, Mailer Lite and others. They offer a database which collects each person’s the time and date when they applied to the controller’s list. Also, they can provide a two-step consent confirmation via mail so it leaves a mark in the form of a sent email.
Just to be clear, in those emails, a data subject can check each purpose individually. So, “Email” means receiving emails, “Customized online advertising” means retargeting based on an email address (e.g. Facebook advertisements) and so on.
Also, if the data subject decides to withdraw the privilege to use his or her personal data, the controller must be able to do so within the set deadline. The best way to do it is automatically, via those processors (e.g. click on an “Unsubscribe” button in the bottom of received mail should erase that email address from the newsletter mailing list).
It is good to mention that plugins installed on a WordPress website give additional functionality, but every one of those plugins has the potential to collect personal data as well.
Web caching mechanisms
ETag, an HTTP protocol header field, is mainly used to validate web caches and allow more efficient browsing. It has also been used for cookie-like purposes.
HTML5 local storage
HTML5 is the latest standard web service language and automatically enables a cookie-like behaviour called HTML5 local storage. The information kept there has no expiration and needs to be actively deleted due to data protection risks.
is a technique used to collect sets of web user agents’ parameters and is used for purposes similar to those of cookies (e.g. user agent interface optimization, analytics for web service improvement and marketing, profiling for targeted advertising).
Canvas fingerprinting and Evercookies
Those are advanced tracking mechanisms, hard to detect and neutralise.
“Web bugs” are invisible elements set on a web page to redirect the user client to a third party web service for secretly tracking purposes.
Now seriously, did you comply?
Regarding the amount of personal data, it is advised to collect only the minimum amount of personal data required to achieve given consent.
If a controller wants to send blog notifications by email, then the minimum information he or she requires is an email address and probably data subject’s name (for personalizing emails), but collecting anything else could be seen as excessive and illegal.
A controller should be careful about the decision of a web host. It is common practice for the web server to record, in its server logs, the IP addresses of anyone who visits controller’s website. Since IP addresses are personal data, as far as the GDPR is concerned, a controller might actively collect personal data without his or her knowledge.
If a controller is a company that has more than 250 people, it should take into account to assign a Data Protection Officer (DPO).
The final thought
As a conclusion, every controller should know where all personal data is stored, who has access and on what devices. A controller should identify where personal data is processed, including by third party processors, document them and update current privacy policies.
That way, the controller should become GDPR compliant and he or she could provide security to personal data of its users or viewer, which is an ultimate goal of GDPR.
Disclaimer: Please note that these GDPR guidelines are not legal advice and shouldn’t be treated like that. This is just a blog post about how our company is operating and how we interpret some of the GDPR principles.