What paths are organizations taking to address the information retained by Cookies in regard to GDPR:
a) Restrict Cookies to geographical locations,
b) gain consent from users (how is revocation of consent managed to ensure compliance),
As per GDPR, simply visiting a website is not a consent so users will have to opt-in whether they want their information to stored in cookies or no.Since it doesn't specify what needs to be done and organizations would take time to find a lawful ground for collecting this information so I think as of now they will either have to find how to get users consent (remind you that if you find consent then you will have to give them option to opt-out) or disable cookies. That is all I can think for now 🙂
Great points Kojha. To this point, we have seen MailChimp start offering a GDPR Consent form which you can have pop up at first contact to your website. This helps on the front end. The concern is on revocation of consent and the cookies on scattered systems and how to "clean" them up unless a very short life is given to them which negates their value greatly.
Any thoughts on this?
Whilst the new ePrivacy Regulation is still in draft and doesn't come into force at the same time as GDPR, it will depend on whatever legislation was enacted in country in support of the previous directive and your supervisory authority's interpretation of that legislation. In the UK we have PECR (Privacy and Electronic Communication Regulation) which will large continue to be enforced as is until the ePrivacy Reg is agreed in Europe.
The Brexit decision and the political moves around it makes matters more complex in the UK. It looks likely that there will eventually be similar national legislation, but who is to say. In the interim the key point is to inventory your persistent and session cookies, remove those no longer needed and update your privacy pages accordingly. Consent can't be informed and freely given unless you do at least that.
> simply visiting a website is not a consent so users will have
> to opt-in whether they want their information to stored in
That's my understanding as well..
But since we're having this discussion, what am I missing?
With the "Right to be forgotten" / revocation of consent, how does the web site owner delete those cookies they placed on anyone's systems?
Not sure Brian how can this be offered to Opt-Out or revocation. For cleanup I think an automated tool can help. So far I know there are still lot of cloudy shades over cookies and no one has a perfect answer of it 😞
Yes, I agree that they will have to choose whether they want cookies to be accepted or not. Question is, How do we empower them to opt-out when they no want their information to be stored on cookies? Can we make them accept the cookies with a time frame after that it will be automatically cleaned up? But as per GDPR, you'll have give them both the options (Opt-in and Opt-Out).