LEGAL INSIGHT: Cookies and Privacy; The Perfect Recipe

Posted on April 15th, 2021

Authors

  • Catherine Kariuki Mulika

  • Janet Othero

  • Sherry Bor

The use of cookies and privacy pop-ups and banners is not new in the digital world. In Europe, the ePrivacy Directive, known as the “cookie law”, was passed in 2002 and amended in 2009; its most notable effect was the proliferation of cookie consent pop-ups after it was passed. With the subsequent enactment of the EU GDPR in 2018 and various local privacy laws like our Data Protection Act, 2019, the practice now is that when users click on certain websites, they are given a choice relating to the use of cookies. Some websites offer the option of selecting which cookies to accept or reject. In some scenarios, cookie policies are contained within the privacy policies.

Cookies are useful to the website owner in that they allow a website to recognise a user’s device and collect additional useful information to facilitate efficiency. Without cookies or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in. 

Relationship Between Use of Cookies and Privacy 

The right to privacy is enshrined in Article 31 of the Kenyan Constitution, which informs the provisions of the Kenyan Data Protection Act, 2019. Without getting too technical, cookies are text files with small pieces of data, some of which are classified as personal information under the Act. For instance, details relating to the user’s username and password are collected to identify the user’s computer as they use a computer network. Cookies can also generally be easily viewed and deleted.

The main reason why the use of cookies by website owners is subject to privacy laws is the fact that cookies can store a wealth of data, enough to potentially identify or profile a data subject without their knowledge or explicit consent as envisaged in the Act.  

Cookies are the primary tool used by advertisers to track a user’s online activity, and profile and target them with highly specific ads. It is important to note that not all cookies are used in a way that could identify users, but the majority are and will be subject to the Data Protection and Privacy laws. Consumer protection laws are also applicable. 

The risk associated with cyber-attacks, in that attackers can hijack cookies to enable access to browsing sessions and track a user’s browsing history, places an obligation on the website owner to ensure that they apply certain safeguards while collecting or processing personal information. Failure to demonstrate this, in case of an attack, may land them in trouble with the Privacy Regulator, who may subject them to heavy fines and penalties in accordance with the Act.

Classification of Cookies 

Given the different classifications of cookies based on what purpose they serve, how long they endure and their source, the website owner ought to observe the principle of transparency as envisaged in the Act and notify the user which ones are essential for the functioning of the website before offering a choice to accept or reject.  

The Regulatory Framework Around Cookies 

Unlike the GDPR (recital 30) which provides explicit rules relating to the use of cookies, the Kenyan Data Protection Act, 2019 does not explicitly address the same. When assessing if an individual is identifiable, you should consider whether online identifiers, on their own or in combination with other information that may be available to those processing the data, may be used to distinguish one user from another. This is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed.  

Notably, whilst a single information element may not be personal data on its own, the combination of multiple elements makes it more likely that the information will constitute personal data. This is particularly the case when the information enables you to single out, make inferences or take specific actions in relation to users (such as identifying them over time or across multiple devices and websites, even if you do not know the name of those users). 

Collection and processing of this personal data means that the website owner should not use cookies and trackers without prior consent from the user, besides those strictly necessary for the basic function of a website. The website must hold back all cookies, regardless of whether they contain personal data or not, until a user gives their consent.

Cookies and Privacy Policy  

The Cookies privacy policy should be a detailed description that notifies customers about which cookies are used, how they are used, what sort of personal data they collect and who they might share that data with. 

Many Cookies Policies also describe, in simple terms, what cookies are. This definition should be easily understandable by anyone who reads it. A good Cookies Policy might also list the different types of cookies that are used by the website, such as site performance cookies, registration cookies and advertising cookies. It is important to note that this level of detail is not required but can still be largely helpful and informative for the users. 

Consent  

Cookie consent is a cornerstone of compliance for websites. This is because one of the most common ways for personal data to be collected and shared online is through website cookies. 

To comply with the regulations governing cookies one must: 

  1. Receive users’ consent before you use any cookies except strictly necessary cookies like those that aid in preventing fraud or illegal activities, wherein the controller can rely on legitimate interest.
  2. Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
  3. Document and store consent received from users.
  4. Allow users to access your service even if they refuse to allow the use of certain cookies.

Use of Cookie Walls 

As highlighted above, consent, once granted by the data subject, ticks the compliance box for the website owner. This has led many website owners to provide a mandatory one-off opt-in to all the bundled cookies, that is, a take-it-or-miss-out approach to designing the user opt-in. If the user does not opt in, they are unable to access the contents of the site. This is commonly referred to as the use of “cookie walls.”

Although the Kenyan Privacy regulator has not issued guidelines relating to the use of cookies, international best practices advocate for the design and use of granular consent to give the data subject the option of choosing which cookies to consent to. The EU GDPR, through the EDPB guidelines on valid consent, rules out the use of cookie walls as a valid way of obtaining consent.

Data Subject Rights

In the back end, the website owner must design sound cookie consent and preference mechanisms in order to demonstrate compliance with the Act. The website owner must also consider the contents of the overall privacy policy, the data subject’s rights granted by the Act and how all these affect the design and operations of the mechanism. Notably, data subject rights are applicable throughout the relationship between the website owner and the data subject and therefore, the designed system has to accommodate the receipt and actioning of any requests. For instance, the data subject has a:

  1. Right to be forgotten (erasure): the controller must make it as easy for users to withdraw their consent as it was for them to give their consent in the first place. Provide a clear opt-out.
  2. Right of access to personal information collected by the controller relating to them.
  3. Right to rectification of any inaccurate personal information.
  4. Right to data portability, which emanates from the right to receive personal data relating to them. The controller is required to, upon request, transmit this data to another controller without hindrance.
  5. Right to object to the processing of any personal information relating to them, such as for direct marketing purposes.
  6. Right to restrict processing, for instance where the data subject claims that the processing is unlawful, or does not want to exercise their right to erasure due to contested accuracy of information or in order to use the information for a legal claim.
  7. Right not to be subject to automated individual decision-making, including profiling, which significantly affects them.

Conclusion 

Between working remotely, spending more time at home this year, and businesses across many industries shifting entirely to digital, users are online more now than ever. This means we are also seeing more “accept cookies” banners—a bug on the Internet’s windshield and an eyesore we hurriedly click “yes” to so we can see what we came to a site to check out. Cookies have become a complex yet valuable tool for most businesses, but it can be easy to rely too heavily on them and jeopardize users’ privacy.  

The use of cookies is indeed a double-edged sword that needs to be handled with the utmost care.  A poor cookie policy and handling mechanism can contribute to the growing mistrust of consumers and lead to significant fines and penalties by the privacy regulator. However, if a website owner can properly design the cookie mechanism, inform users about cookies as highlighted above and obtain express valid consent, then they will be better prepared to take advantage of the benefits that cookies offer, protect the entity from the risk of noncompliance and build consumer trust while gaining a competitive edge in the market.