The EU approach to consent differs slightly from the SA approach. Picture: 123RF/JONATHAN WELCH
The EU approach to consent differs slightly from the SA approach. Picture: 123RF/JONATHAN WELCH

European data-protection regulators kicked off 2021 with a fresh draft of e-privacy regulations, which appear to mix up the existing recipe in so far as consent to cookies is concerned.

The question is whether we in SA can gain any insight from this before July 1, the date when all entities will be expected to be compliant with the Protection of Personal information Act (Popia)? 

For the purposes of this article the focus will be on internet cookies and the effects the draft regulations may have once finalised. Internet cookies are  prevalent, but many internet users are unaware of their presence. However, if you’ve ever used a virtual shopping cart to make a purchase from your favourite online store you have undoubtedly encountered internet cookies. While cookies are often used for harmless website functionality, they are also used for more controversial activities such as tracking user activities.

A cookie is a tiny amount of data or small text file that is automatically collected and stored on a website user’s computer by the web browser while browsing a site. Cookies are the lifeblood of website navigation. They serve an essential function by allowing websites to identify users, remember certain information about them, and overall facilitate a far more user-friendly experience, which would otherwise be lacking but for the data collected in the form of a cookie.

For instance, when you shop online and add a particular item to your online shopping cart a cookie would help the website remember what items you had in the cart. Without this online shopping would prove a difficult and frustrating exercise. In essence then, cookies serve a vital purpose. Cookies that serve such a purpose are often referred to as functional or performance cookies.

However, cookies are also used as a part of large browser tracking schemes that create extremely detailed user profiles. Many websites use third-party ad networks that span multiple sites. This allows central data aggregators to track user activity across many different domains. Cookies are not specifically used to handle this tracking, but they do play a central role in enabling the tracking of a user.

Some people consider this constant activity tracking to be a form of privacy invasion. Others do not mind it at all. However, from a data protection perspective the privacy concerns associated with cookies collecting users’ information without them even being aware of it, do bring to the fore privacy concerns and have in fact led to regulatory intervention, at least in the EU.

Cookies are dealt with in similar fashion across legal jurisdictions in the sense that a user’s consent is required before collecting the data (or being served cookies). Therefore, private and public entities are required to notify web users that the website serves cookies and also provide written statements as to what it intends to do with the type of data or information collected. Importantly, however, the exact type of consent required for the purposes of cookies, and exactly how that consent is obtained, tends to differ from jurisdiction to jurisdiction.

The EU approach to consent now differs slightly from the SA approach. There, the requirements for consent now in force as per article 4 (11) of the General Data Protection Regulation (GDPR) are that consent must be freely given, specific, informed, unambiguous, given by statement or an affirmative act, as well as signify agreement to the processing of personal information.

In contrast, the SA definition of consent according to section 1 of Popia is that consent is any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. However, in contrast to the GDPR, as it stands Popia does not actually require the consent to be unambiguous nor to be done by an affirmative act.

From an SA perspective, Popia will require websites to be clear as to what personal information they collect and for what purpose, how such personal information will be used, and how a data subject can ask for the personal information to be deleted or for no further personal information to be collected. The natural place to communicate this is in a privacy policy or terms of service document. This ought to be — at a minimum — linked to the consent dialogue text.

Websites should reflect their actual use of cookies and it might look something like this: “This site uses cookies to help us understand user behaviour. This means we put a small piece of text (the ‘cookie’) in storage on your web browser. This cookie lets us know all the different things you do on our site. We do not collect your personal information. The only information we have about your identity is the information you explicitly provide to us through submission forms on our website. We do not sell any personal information to any third parties. We do analyse user behaviour in order to better serve you and other visitors. Tracking your activity through our site (what you click on, how long you stay) helps us make better decisions about content and design.”

• Burger-Smidt is director and head of data privacy practice at Werksmans Attorneys.


Would you like to comment on this article or view other readers' comments?
Register (it’s quick and free) or sign in now.

Speech Bubbles

Please read our Comment Policy before commenting.