Broadly speaking, privacy is the right to freedom from interference or intrusion, whereas data privacy is the right to have some control over the collection and use of personal data. [1] Data privacy has become a major concern for businesses and online entrepreneurs because of the rapid pace of scientific and technological advancement. The volume of data created and consumed is ever-expanding, which is why it is crucial to place regulatory bans on the collection, processing and use of personal data, to curtail breaches of digital rights and reduce infringements of the rights of internet users.
Without personal data, there would be no need for data protection. Personal data simply means information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [2] Processing of personal data is usually prohibited by law unless the data subject has consented to the use of the data. Consent to the processing of data by any data subject must be specific, freely given, informed, and a clear indication of the data subject's wish regarding the use of personal data relating to him or her. [3]
Consent is one of the lawful grounds for the processing of data. [4] Consent will not be regarded as freely given if the data subject had no genuine choice to refuse or withdraw consent without being denied the use of that service by the data controller. [5] This provision of the law supports the position that a service provider cannot prevent data subjects from accessing a service because they did not give consent.
According to the European Data Protection Board (EDPB) Guidelines on Consent under Regulation 2016/679, adopted on May 4, 2020, any element of inappropriate pressure or influence that prevents a data subject from exercising his free will shall render consent invalid. [6]
With particular regard to cookies, the regulation also states that if a website provider puts in place a script that blocks content from being visible except for a request to accept cookies, and there is no possibility of accessing the content without clicking on the accept cookies button, consent cannot be said to be freely given, since the data subject had no genuine choice to accept or decline cookies. [7]
Notably, it is not only companies with physical locations within the European Union (EU) that are required to comply with the General Data Protection Regulation (GDPR) and the new EDPB Guidelines; businesses collecting and processing the data of persons located within the EU are also bound by the GDPR.
Countries and organizations internationally have begun to consider appropriate and compliant practices on the use of cookie banners, policies, and consent collection processes. Countries like Ireland have always stated that consent is always necessary for the collection of and access to cookies, and that the standard of consent is the one required under the GDPR.
Remarkably, the Data Protection Commission of Ireland has reviewed its laws on cookies to align with the decision of the Court of Justice of the European Union in the Planet 49 case, which was delivered on the 1st of October 2019. The decision in this case supports the position of the GDPR that consent must be freely given, specific and informed, and that there must be an unambiguous indication of the user's agreement involving a clear affirmation. [8] In other words, cookies require the internet user's active consent, and a pre-ticked checkbox is therefore insufficient.
Advertising agencies, online businesses, internet users, and e-commerce stores should recognize that the landscape for obtaining consent under the GDPR, especially with regard to cookies, has evolved. Ignorance of the EDPB Guidelines and the GDPR is not a justification for any violation. Infringements of the principle of consent could lead to a payment of €20 million or 4% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher. [9]
Cookies, though stored in the web user's browser directory, are a very powerful tool for online advertising. They also improve the customer user interface, product recommendations and the customized online experience, and they retain customers' address or payment information. These benefits are great for international and e-commerce transactions, but a cookies policy must comply with legal regulations; otherwise there will be legal and compliance consequences.
Digital entrepreneurs are advised to adopt a simple mechanism that allows for GDPR compliance. Consent must be freely given, renewed every 12 months, granted on the basis of accurate information about how, why, and where data processing is taking place, and stored securely, and users must be able to withdraw their consent at any time in the same way it was given.
The protection of sensitive data by companies contributes to the competitive strength of the organization. Where data is collected legally, and users are assured that their data will be used by the company just as stated in the collection policy, this amplifies customer trust and builds the goodwill of the business, which increases the chances of business success. Aside from the numerous benefits attached to data protection, every international business owner must recognize the need to comply with the provisions of the GDPR and the EDPB Guidelines to escape costly legal sanctions.
Ololade is an Associate at Aes Triplex LP
ENDNOTES
1. Data privacy definition by the International Association of Privacy Professionals, https://iapp.org/about/what-is-privacy/
2. Article 4 of the General Data Protection Regulation.
3. Article 4(11) of the General Data Protection Regulation.
4. Article 6, "Lawfulness of processing data", General Data Protection Regulation.
5. Recital 42, General Data Protection Regulation.
6. 3.1.4, elements of valid consent, European Data Protection Board (EDPB) Guidelines on Consent under Regulation 2016/679, which was adopted on May 4 2020. See also Article 7(4) of the GDPR. The European Data Protection Board is an EU body at the center of the data protection landscape in the EU.
7. 3.1.2, European Data Protection Board (EDPB) Guidelines on consent under Regulation.
8. Planet 49 case, https://www.lexology.com/library/detail.aspx?g=cccd2dd8ef74-4f31-932d-43117fbb22c6
9. Article 83 of the General Data Protection Regulation.