This is the second in a series of blogs that will offer GDPR compliance guidance to our clients and other hospitality businesses. In this blog we tackle website cookies.
In our first blog, we gave an overview of the General Data Protection Regulation (GDPR) and its impact on businesses operating within the EU. The GDPR comes into effect on 25 May 2018 and provides a comprehensive framework of privacy protections for the personal data of EU data subjects. Hospitality businesses collect, process and store personal data in a number of ways within their operations, so it is critically important for a business to assess its operations broadly, identify what personal data it is collecting, and perform a gap analysis of how current practices map to the requirements of the GDPR.
With this in mind, we look more closely at GDPR and how it impacts something almost every business website offers visitors: cookies (and not the kind with chocolate chips and raisins). Under the GDPR, most cookies will likely collect “personal data” and accordingly use of cookies will need to comply fully with the GDPR. Per Recital 30 of the new law:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
It is true that not all website cookies are used in a way that could profile users and identify them. Analytics cookies, for instance, may or may not do this, but advertising cookies placed by third-party plug-ins almost certainly will. Since most cookies will likely be subject to the GDPR, we believe the sensible approach is to treat every cookie as requiring compliance with the new law and to develop a uniform cookie policy that covers all such uses.
GDPR ‘Consent’ Model
GDPR introduces big changes to the user consent model. In particular, the ‘Information Only’ and ‘Implied Consent’ models are no longer compliant, meaning that you cannot take a user’s consent for granted or assume it has been given. Recital 32 clarifies that consent requires a “clear affirmative act” and offers examples of what would meet that requirement:
And the GDPR lists the following as specifically inadequate to establish consent:
This means that if you are using pop-up cookie boxes you will need to adapt how you obtain user consent. Under the new rules, simply visiting your website for the first time does not qualify as consent to processing the visitor’s data, even if you display a notice such as “By using this site, you accept cookies”. Recital 42 emphasises this: consent is not “freely given” if the data subject has no genuine choice, or cannot refuse or withdraw consent without detriment, for example because you refuse to provide your services unless the user consents to the use of their personal data. In other words, users who decline the use of their personal data for analytics or advertising must still be able to use your website.
Sites using different types of website cookies for different purposes will need to obtain consent for each purpose. Per Recital 32:
“When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
Best practice is to list all of your cookies, grouped by purpose, in the Privacy Policy section of your website so that users can get acquainted with them when visiting your page. The cookie consent form should then list each cookie (or each purpose) and provide the means for users to opt in to each one individually, with no box pre-ticked.
Finally, users must have the option to withdraw their consent at any time. As set out in Article 7(3) of the GDPR, withdrawing consent must be as easy as giving it in the first instance. That means the option to withdraw consent should be visible and accessible to visitors at all times, and cookies set on the strength of that consent should be removed once it is withdrawn.
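The consent mechanics described above (no implied consent, an affirmative act per purpose, and withdrawal that is as easy as granting) can be enforced in one place in the site’s client-side code. The following is an added example written for this post, not code from the original article or from any consent-management product; the purpose names, cookie names and in-memory cookie jar are assumptions for illustration, and in a real page the jar would be backed by document.cookie or set server-side.

```javascript
// Added example, not from the original post: a per-purpose cookie consent
// gate. Purposes, cookie names and the in-memory jar are assumptions for
// illustration, not a real site's configuration.

// Cookies grouped by the purpose they serve. Only "necessary" is exempt
// from opt-in; every other purpose starts out with no consent at all.
const PURPOSES = Object.freeze({
  necessary: { required: true,  cookies: ["session_id", "cookie_consent"] },
  analytics: { required: false, cookies: ["_ga", "_gid"] },
  marketing: { required: false, cookies: ["_fbp", "ads_id"] },
});

// Minimal cookie jar so the gate runs outside a browser. In a page you
// would back this with document.cookie (or let the server set cookies).
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentManager {
  constructor(jar, purposes = PURPOSES, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.purposes = purposes;
    this.now = now;
    this.log = [];                 // audit trail of every consent decision
    this.purposeOf = new Map();    // cookie name -> purpose, for setCookie()
    this.consent = {};
    for (const [purpose, spec] of Object.entries(purposes)) {
      this.consent[purpose] = spec.required;   // no implied consent
      for (const c of spec.cookies) this.purposeOf.set(c, purpose);
    }
  }

  // A clear affirmative act for one purpose only.
  grant(purpose) {
    this.check(purpose);
    this.consent[purpose] = true;
    this.log.push({ at: this.now(), purpose, action: "grant" });
  }

  // Withdrawal is a single call, the same effort as granting, and also
  // discards the cookies that were only permitted because of that consent.
  withdraw(purpose) {
    this.check(purpose);
    if (this.purposes[purpose].required) {
      throw new Error(`${purpose} cookies are strictly necessary, not consent-based`);
    }
    this.consent[purpose] = false;
    for (const c of this.purposes[purpose].cookies) this.jar.remove(c);
    this.log.push({ at: this.now(), purpose, action: "withdraw" });
  }

  // Grant or withdraw every optional purpose in one step, so "reject all"
  // costs the visitor no more clicks than "accept all".
  setAll(granted) {
    for (const [purpose, spec] of Object.entries(this.purposes)) {
      if (spec.required) continue;
      if (granted) this.grant(purpose); else this.withdraw(purpose);
    }
  }

  allowed(purpose) { this.check(purpose); return this.consent[purpose] === true; }

  // The single choke point through which the site writes cookies. Returns
  // false and writes nothing when the cookie's purpose has no consent, and
  // for cookies that were never registered under any purpose.
  setCookie(name, value) {
    const purpose = this.purposeOf.get(name);
    if (purpose === undefined || !this.consent[purpose]) return false;
    this.jar.set(name, value);
    return true;
  }

  // Current decisions, e.g. to persist in the consent cookie or a server record.
  snapshot() { return { ...this.consent }; }

  check(purpose) {
    if (!(purpose in this.purposes)) throw new Error(`unknown purpose: ${purpose}`);
  }
}

// Walk through one visit: first page load, opt in to analytics, then withdraw.
function demo() {
  const jar = new MemoryJar();
  const cm = new ConsentManager(jar, PURPOSES, () => "2018-05-25T00:00:00Z");
  const firstLoad = {
    session: cm.setCookie("session_id", "abc"),   // necessary: written
    ga: cm.setCookie("_ga", "GA1.2.1"),           // analytics: blocked
    fbp: cm.setCookie("_fbp", "fb.1"),            // marketing: blocked
  };
  cm.grant("analytics");
  const afterGrant = cm.setCookie("_ga", "GA1.2.1");
  const cookiesAfterGrant = jar.names();
  cm.withdraw("analytics");
  return { firstLoad, afterGrant, cookiesAfterGrant,
           cookiesAfterWithdraw: jar.names(), consent: cm.snapshot(), log: cm.log };
}
```

Note that the gate only helps if every cookie-writing path on the site goes through setCookie; third-party tags that write their own cookies must not be loaded until allowed("marketing") or allowed("analytics") returns true.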
Global Reach
It is important to keep in mind that the GDPR is global in its reach. Under Article 3(2), the law applies to businesses outside the EU that offer goods or services to data subjects in the EU or that monitor their behaviour, and Recital 24 makes clear that tracking individuals on the internet, including profiling, counts as monitoring. A company outside the EU that sets tracking cookies on visitors from the EU can therefore trigger GDPR compliance requirements, because cookie identifiers fall within the definition of personal data.
Website cookies are a good thing. By all means, hospitality companies should continue to serve them to help their business. But you may need to adapt your cookie ‘recipe’ a bit, as it were, to ensure they meet the requirements under the GDPR and that you don’t get burned in the process.