This is the second in a series of blogs that will offer GDPR compliance guidance to our clients and other hospitality businesses. In this blog we tackle website cookies.
In our first blog, we gave an overview of the General Data Protection Regulation (GDPR) and its impact on businesses operating within the EU. The GDPR comes into effect 25 May 2018 and provides a comprehensive framework of privacy protections for the personal data of EU data subjects. Hospitality businesses collect, process and store personal data in a number of ways within their operations. Consequently, it is critically important for a business to assess its operations broadly, identify what personal data it is collecting, and perform a gap analysis of how current practices map to the requirements under GDPR.
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
GDPR ‘Consent’ Model
GDPR introduces big changes to the user consent model, specifically to the ‘Information Only’ and ‘Implied Consent’ models. These models are no longer compliant, meaning that you cannot take the user’s consent for granted or assume it has been given. Recital 32 clarifies that consent requires a “clear affirmative act” and offers examples of what would meet that requirement:
And the GDPR lists the following as specifically inadequate to establish consent:
This means that if you’re using pop-up cookie boxes you will need to adapt how you obtain user consent. Under the new rules, just visiting your website for the first time won’t qualify as consent for processing visitors’ data, even if you provide your visitors with information like “By using this site, you accept cookies”. This is emphasised in Recital 42, which states that consent is not considered to be “freely given” if you refuse to provide any of your services unless the user consents to the use of their personal data. In other words, if users do not consent to the use of their personal information for analytics, they should still be able to use your website in some way.
Sites using different types of website cookies for different purposes will need to obtain consent for each purpose. Per Recital 32:
“When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
Finally, it is necessary that users have the option to withdraw their consent at any point. As described in Article 8.2 of the GDPR, withdrawing consent should be as easy as giving consent in the first instance. That means the option to withdraw consent should be visible and accessible at all times to visitors of your website.
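A small consent gate, added here as an illustration and not part of the original post, that encodes the three requirements above in JavaScript: nothing is granted by default, each purpose is consented to separately, and withdrawal is the same single call as granting. The cookie-to-purpose registry and the purpose names are assumptions for the example.

```javascript
// Added example: per-purpose cookie consent gate. The registry below is an
// assumption; a real site would map its own cookies to its own purposes.
const COOKIE_PURPOSES = {
  session_id: "necessary", // needed to deliver the service itself
  _ga: "analytics",
  ad_id: "marketing",
};

class ConsentState {
  constructor() {
    // Default is "no consent given": merely visiting the site grants nothing.
    this.granted = new Set();
    this.log = []; // record of affirmative acts and withdrawals
  }
  grant(purpose) {
    // Called only from an explicit user action (e.g. a ticked box + submit).
    this.granted.add(purpose);
    this.log.push({ action: "grant", purpose, at: Date.now() });
  }
  withdraw(purpose) {
    // Same single call as grant(): withdrawing is no harder than giving consent.
    this.granted.delete(purpose);
    this.log.push({ action: "withdraw", purpose, at: Date.now() });
  }
  has(purpose) {
    return this.granted.has(purpose);
  }
}

// Decide whether a given cookie may be set. Strictly necessary cookies need
// no consent; every other cookie needs consent for its own purpose.
function mayStoreCookie(name, consent) {
  const purpose = COOKIE_PURPOSES[name];
  if (purpose === undefined) return false; // unregistered cookies are never set
  if (purpose === "necessary") return true;
  return consent.has(purpose);
}

// Reduce the cookies a page wants to set to those the visitor has allowed.
// With no consent at all the site still works on its "necessary" cookies.
function allowedCookies(wanted, consent) {
  return wanted.filter((name) => mayStoreCookie(name, consent));
}
```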
Website cookies are a good thing. By all means, hospitality companies should continue to serve them to help their business. But you may need to adapt your cookie ‘recipe’ a bit, as it were, to ensure they meet the requirements under the GDPR and that you don’t get burned in the process.