Cookies? Why do you need to collect valid cookie consent?
It can be confusing to know exactly how to navigate the European and Swedish laws, when all you want to do is to measure the performance of your website and ads.
Unfortunately, not being on top of the rules on cookies can cost your business quite a lot of money if you end up in an inspection by the Swedish Data Protection Authority, Integritetsmyndigheten.
So, here are 6 key insights from privacy lawyer Emilia Larson from Delphi law firm on how to obtain valid consent to cookies in Sweden.
1) Why is it relevant to know about the cookie rules?
Since it is very easy to see whether your website is GDPR cookie compliant or not, Emilia Larson highlights 4 major reasons you should concern yourself with the Swedish cookie law.
• Cookies are a hot topic
Cookies are a hot topic right now. Not only are both Google and Apple becoming serious about privacy, but an entire movement is now focusing on how the data that cookies collect invades user privacy.
Recently, Austrian lawyer Max Schrems and privacy organization noyb.eu filed 560 draft complaints to major European companies for using non-compliant cookie banners.
10,000 more complaints are being made and are ready to be sent to the authorities if cookie banners are not brought into GDPR compliance.
• More decisions and sanctions
Data Protection Authorities like the French CNIL and the Danish Datatilsynet are very proactive in finding companies that do not meet the GDPR guidelines for collecting consent to cookies.
This results in both fines and sanctions.
| Country | Company | Violation | Fine |
|---|---|---|---|
| France | | Placing marketing cookies without users’ consent | €100M |
| France | Amazon | Setting cookies without users’ consent and for not informing about the purpose of these cookies | €35M |
| France | Carrefour | Failing to obtain users’ consent before setting advertising cookies | €2.250.000 |
| Belgium | Jubel.be | Lack of transparent information in cookie banners | €15.000 |
• Many companies forgot about cookies during the GDPR project
After May 2018, when everyone was concerned about permission to store email lists, cookie compliance was forgotten.
And national guidelines didn’t help a lot at the time.
It is becoming evident now, Emilia Larson says. We are getting flooded with questions on how to obtain valid consent for cookies.
And cookie compliance is being taken very seriously by the EU.
We saw that when the European high court ruled against German online lottery Planet49 and set new standards for how to collect valid consent to cookies.
• New regulations coming up
Something is cooking in the EU.
A new ePrivacy Regulation (new European cookie law) is being made and approved this year.
The ePrivacy Regulation will become the pan-European set of rules on using cookies on websites. No more confusing national guidelines to care about.
2) What are cookies really?
Basically, a “cookie” is an umbrella term for all techniques and tracking technologies that can access and store information on a user’s device.
That is, read and write small data files on your computer!
Cookies basically do one of two things: they can improve your visitors’ experience of your website, or they can track your users across your site and across the internet.
They do that by collecting and storing large amounts of information about your website visitors and their behavior.
Therefore, the rules for consent also include ‘trackers’, ‘pixels’, ‘browser fingerprinting’, etc.
3) What are the Swedish cookie rules?
When using “cookies”, the LEK applies. The LEK is the Swedish Law on Electronic Communication (Lag (2003:389) om Elektronisk Kommunikation).
The rules are adopted from the European ePrivacy Directive from 2002.
But what does all this mean, Emilia Larson from Delphi asks.
This applies to both the first-party cookies you use and all the third-party services you may use, e.g., Google Analytics, Facebook Pixel, Hotjar, LinkedIn’s insight tag, Hubspot, Salesforce etc.
4) How does the GDPR come into play?
Most people associate cookie banners with the GDPR.
And yes, we have seen a lot of banners on the internet after May 2018.
But the GDPR only mentions cookies once.
However, the GDPR applies when the data that cookies collect is processed.
Cookies in themselves are not personal data, Emilia Larson continues, but the information they collect often is.
And most third-party cookies collect users’ personal data to create user profiles to better target ads to them.
You know, like when you search for hotels in Lisbon and suddenly you see a lot of ads on Facebook for hotels. In Lisbon.
The processing of this information requires consent, and this is where the GDPR comes into play.
5) What is personal data?
Personal data in the GDPR is anything that can directly or indirectly (combined with other tracking information) identify a person.
That can be:
- IP address
- Email address
- And much more!
But you may say: I don’t collect or process any personal data!
No, but many of the cookies that third-party providers – like Google – set through your website do. And you are responsible for collecting the consent. Because you are the data controller.
6) How can you check which cookies you use?
You may use wonderful services like Google Analytics or Hotjar to measure your website’s performance.
Or you may use Facebook and LinkedIn pixels to measure your ads’ performance.
All these services set cookies or use pixels to track your users’ behavior across the internet.
It’s easy to see which cookies your site uses.
Go to your website in incognito mode –> double click anywhere on the page –> choose Inspect –> Go to “Application” in the newly opened menu bar in the inspect mode –> choose “cookies” in the sidebar menu of the inspect menu and there you go.
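One way to triage the cookie list you get from the steps above, as an added example that is not part of the original article: it takes rows copied from the browser's cookie panel (name, domain, expiry) and flags the ones to review before consent is given. The function names, the vendor name patterns and the `www.shop.example` site are assumptions of this example, and the pattern list is not exhaustive.

```javascript
// Vendor patterns are an assumption of this example, not a complete list.
const KNOWN_TRACKERS = [
  { pattern: /^_ga(_|$)|^_gid$/, vendor: "Google Analytics" },
  { pattern: /^_fbp$/, vendor: "Facebook Pixel" },
  { pattern: /^_hj/, vendor: "Hotjar" },
  { pattern: /^(bcookie|li_sugr|lidc)$/, vendor: "LinkedIn" },
];

// True when the cookie's Domain value belongs to the audited site.
// Simplified suffix comparison; it does not consult the public suffix list.
function isFirstParty(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d) || d.endsWith("." + h);
}

// Classify each row: whose domain it sits on, which vendor set it, how long it lives.
function auditCookies(rows, siteHost) {
  return rows.map(({ name, domain, expires }) => {
    const hit = KNOWN_TRACKERS.find((t) => t.pattern.test(name));
    const party = isFirstParty(domain, siteHost) ? "first" : "third";
    return {
      name,
      party,
      vendor: hit ? hit.vendor : null,
      persistent: expires !== "Session",
      review: Boolean(hit) || party === "third",
    };
  });
}

// Names of cookies that were present and should be checked against the consent banner.
function flagged(rows, siteHost) {
  return auditCookies(rows, siteHost).filter((c) => c.review).map((c) => c.name);
}

// Constructed sample: rows as they might look on a first visit, before any consent click.
const SAMPLE = [
  { name: "sessionid", domain: "www.shop.example", expires: "Session" },
  { name: "_ga", domain: ".shop.example", expires: "2026-01-01T00:00:00.000Z" },
  { name: "_fbp", domain: ".shop.example", expires: "2025-04-01T00:00:00.000Z" },
  { name: "_hjSessionUser_1", domain: ".shop.example", expires: "2026-01-01T00:00:00.000Z" },
  { name: "bcookie", domain: ".linkedin.com", expires: "2026-01-01T00:00:00.000Z" },
];

console.log(flagged(SAMPLE, "www.shop.example"));
```

Note that `_ga` and `_fbp` sit on the site's own domain, so a first-party/third-party split on domain alone would miss them; the vendor match is what surfaces them.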
We can also support you with a professional check.
We’ll go through your site manually and search for cookies, trackers, and risks to your GDPR compliance.
But let’s finish off with a checklist for how you can collect valid consent to cookies.