Why Every Business must have a Cookie Policy

The internet is central to the way business is done today. The impacts of our online actions are often indirect and complex. The tech industry is full of good intentions, which sometimes backfire. One such innovation is HTTP cookies, invented by computer programmer Louis Montulli in 1994. Here is a look at why organizations need to be extra careful about how they use cookies.

Understanding cookies

HTTP cookies are small snippets of information. They are saved as data on an internet user’s computer. Browsers such as Chrome and Firefox save cookies as and when requested by websites. Cookies help sites track users’ browsing and shopping history. Cookies also help save and recall passwords, card numbers, and other key information. There are many kinds of cookies that perform different functions. For example, authentication cookies allow web servers to determine whether a user is logged in. Without cookies, users would simply not be able to get into their email or online bank accounts.

The security of cookies depends on the security of the website providing them, and in particular on whether the data they carry is transmitted and stored with proper encryption. Insufficient or improper encryption leaves that data vulnerable to theft by cybercriminals.
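To make the cookie-security point concrete, here is an added example (not code from the original article) in Node.js: a helper that emits a hardened Set-Cookie header for a login session cookie, a small parser for such headers, and an audit function that flags headers lacking the Secure (HTTPS-only) and HttpOnly (hidden from page scripts) attributes. The function names and the sample headers are constructed for this illustration and are not taken from any real site.

```javascript
// Added example (not code from the original article): building and auditing
// Set-Cookie headers for an authentication cookie. Runs under Node.js with no
// third-party dependencies. Cookie names and values below are constructed samples.

// Build a Set-Cookie header value. Defaults are the hardened settings:
// Secure (only sent over HTTPS), HttpOnly (hidden from page scripts) and
// SameSite=Lax (not sent on most cross-site requests).
function buildSetCookie(name, value, opts = {}) {
  const { secure = true, httpOnly = true, sameSite = 'Lax', maxAge, path = '/' } = opts;
  // RFC 6265 token characters for the name; no separators or whitespace in the value.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s"\\]/.test(value)) throw new Error('invalid cookie value');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Audit a Set-Cookie header meant for a login session. Returns a list of
// findings; an empty list means the cookie carries the expected protections.
function auditAuthCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) {
    findings.push('missing Secure: cookie would also be sent over unencrypted HTTP');
  }
  if (!attributes.httponly) {
    findings.push('missing HttpOnly: cookie is readable by scripts running in the page');
  }
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite === '') {
    findings.push('missing SameSite: browser default decides cross-site behaviour');
  } else if (sameSite === 'none' && !attributes.secure) {
    findings.push('SameSite=None is only accepted together with Secure');
  }
  return findings;
}

// Constructed sample headers: one as a careless server might emit it, one hardened.
const WEAK_HEADER = 'session=abc123; Path=/';
const HARDENED_HEADER = buildSetCookie('session', 'abc123', { maxAge: 3600 });

if (typeof require !== 'undefined' && require.main === module) {
  console.log(HARDENED_HEADER);
  console.log('weak cookie findings:', auditAuthCookie(WEAK_HEADER));
  console.log('hardened cookie findings:', auditAuthCookie(HARDENED_HEADER));
}
```

Running the file prints the hardened header followed by three findings for the weak header and none for the hardened one. The same audit can be pointed at the Set-Cookie headers a real site returns, so a team can check that its own session cookies are never issued without these attributes.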

Google breaks French cookie law

In December 2020 the Commission Nationale de l’informatique et des libertés (CNIL) imposed a fine of EUR 100 million on Google LLC (EUR 60 million) and Google Ireland Limited (EUR 40 million). The reason was, “having placed advertising cookies on the computers of users of the search engine, without obtaining prior consent and without providing adequate information.” The committee claimed that Google had breached the French Data Protection Act. Specifically, the CNIL accused Google of:

  • Depositing cookies without obtaining prior consent of users
  • Lack of information provided to users
  • Failure of Google’s “opposition” mechanism to allow users to completely deactivate ad personalization on Google search

The committee noted that the breaches affected nearly 50 million users. The CNIL ordered both companies to change the information banners on their websites within 3 months. Failure to do so would attract an additional EUR 100,000 fine daily. This was the biggest financial penalty ever imposed by CNIL.

Repeat infringements

Google objected to the fines. However, this was not the first infringement. In 2014 the CNIL had imposed a fine of EUR 150,000 on Google for not complying with privacy guidelines. It was the CNIL’s highest possible fine at that time. In 2016 Google was again fined EUR 100,000 for breaching the EU’s “right to be forgotten” rule. The rule allows individuals to ask that references to them not be included in search results. In January 2019 the CNIL fined Google EUR 50 million “for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.”

Digital security policy – EU and US

Many tech entrepreneurs in Silicon Valley and in Europe are migrants. They regularly send remittances back to their home countries via the Ria Money Transfer App and similar channels. It is important for them to stay current with digital security regulations. Several changes have occurred in the cybersecurity and privacy policies of the EU and the US over the past few years. Notable data protection laws in the EU include the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive). These came into effect in 2018. The European Union Agency for Cybersecurity (ENISA) oversees the EU’s cybersecurity operations.

In 2018 the US Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). It empowers law enforcement agencies to collect personal data from tech firms even if such data are stored abroad. In November 2018 Trump signed the Cybersecurity and Infrastructure Security Agency (CISA) Act into law. The legislation established CISA as the nation’s official cybersecurity watchdog.

More recently the EU has put forward a number of documents that articulate its cybersecurity plans. In December 2020 the EU unveiled a new policy titled “The EU’s Cybersecurity Strategy for the Digital Decade.” Implementation of the strategy is intended to “contribute to a cyber-secure digital decade for the EU, to the achievement of a Security Union, and the strengthening of the EU’s position globally.” The new strategy is part of broader measures aimed at articulating a vision for the EU’s digital future. In September 2018 Trump announced a US counterpart titled ‘National Cyber Strategy of the United States of America’.

Stay sharp

Most developed countries now take digital security very seriously. Knowing the current policy and complying with it is important. The penalty for not doing so is hefty fines, or worse.
