AHMORE BURGER-SMIDT: Cookies might be harmless, but they need your consent
SA's internet-privacy laws kick in on July 1, and websites will have to comply
European data-protection regulators kicked off 2021 with a fresh draft of e-privacy regulations, which appear to mix up the existing recipe in so far as consent to cookies is concerned.
The question is whether we in SA can gain any insight from this before July 1, the date when all entities will be expected to be compliant with the Protection of Personal information Act (Popia)?
For the purposes of this article the focus will be on internet cookies and the effects the draft regulations may have once finalised. Internet cookies are prevalent, but many internet users are unaware of their presence. However, if you’ve ever used a virtual shopping cart to make a purchase from your favourite online store you have undoubtedly encountered internet cookies. While cookies are often used for harmless website functionality, they are also used for more controversial activities such as tracking user activities.
A cookie is a tiny amount of data or small text file that is automatically collected and stored on a website user’s computer by the web browser while browsing a site. Cookies are the lifeblood of website navigation. They serve an essential function by allowing websites to identify users, remember certain information about them, and overall facilitate a far more user-friendly experience, which would otherwise be lacking but for the data collected in the form of a cookie.
For instance, when you shop online and add a particular item to your online shopping cart a cookie would help the website remember what items you had in the cart. Without this online shopping would prove a difficult and frustrating exercise. In essence then, cookies serve a vital purpose. Cookies that serve such a purpose are often referred to as functional or performance cookies.
However, cookies are also used as a part of large browser tracking schemes that create extremely detailed user profiles. Many websites use third-party ad networks that span multiple sites. This allows central data aggregators to track user activity across many different domains. Cookies are not specifically used to handle this tracking, but they do play a central role in enabling the tracking of a user.
Some people consider this constant activity tracking to be a form of privacy invasion. Others do not mind it at all. However, from a data protection perspective the privacy concerns associated with cookies collecting users’ information without them even being aware of it, do bring to the fore privacy concerns and have in fact led to regulatory intervention, at least in the EU.
Cookies are dealt with in similar fashion across legal jurisdictions in the sense that a user’s consent is required before collecting the data (or being served cookies). Therefore, private and public entities are required to notify web users that the website serves cookies and also provide written statements as to what it intends to do with the type of data or information collected. Importantly, however, the exact type of consent required for the purposes of cookies, and exactly how that consent is obtained, tends to differ from jurisdiction to jurisdiction.
The EU approach to consent now differs slightly from the SA approach. There, the requirements for consent now in force as per article 4 (11) of the General Data Protection Regulation (GDPR) are that consent must be freely given, specific, informed, unambiguous, given by statement or an affirmative act, as well as signify agreement to the processing of personal information.
In contrast, the SA definition of consent according to section 1 of Popia is that consent is any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. However, in contrast to the GDPR, as it stands Popia does not actually require the consent to be unambiguous nor to be done by an affirmative act.
• Burger-Smidt is director and head of data privacy practice at Werksmans Attorneys.
Would you like to comment on this article or view other readers' comments?
Register (it’s quick and free) or sign in now.
Please read our Comment Policy before commenting.