Cookies are useful to the website owner in that they allow a website to recognise a user’s device and collect additional useful information to facilitate efficiency. Without cookies or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.
The right to privacy is enshrined in Article 31 of the Kenyan Constitution, which informs the provisions of the Kenyan Data Protection Act, 2019. Without getting too technical, cookies are text files containing small pieces of data, some of which is classified as personal information under the Act. For instance, details relating to the user’s username and password are collected to identify the user’s computer as it is used on a computer network. Cookies can also generally be easily viewed and deleted.
Cookies are the primary tool used by advertisers to track a user’s online activity, build a profile and target them with highly specific ads. It is important to note that not all cookies are used in a way that could identify users, but the majority are and are therefore subject to data protection and privacy laws. Consumer protection laws are also applicable.
Cookies carry a cyber-attack risk: attackers who hijack cookies can gain access to browsing sessions and track a user’s browsing history. This risk places an obligation on the website owner to apply appropriate safeguards while collecting or processing the personal information involved. Failure to demonstrate such safeguards, in the event of an attack, may land the website owner in trouble with the Privacy Regulator, who may impose heavy fines and penalties in accordance with the Act.
Classification of Cookies
Given the different classifications of cookies based on the purpose they serve, how long they endure and their source, the website owner ought to observe the principle of transparency as envisaged in the Act and notify the user which cookies are essential for the functioning of the website before offering a choice to accept or reject the rest.
The Regulatory Framework around cookies
Notably, whilst a single information element may not be personal data on its own, the combination of multiple elements makes it more likely that the information will constitute personal data. This is particularly the case when the information enables you to single out, make inferences or take specific actions in relation to users (such as identifying them over time or across multiple devices and websites, even if you do not know the name of those users).
Many Cookies Policies also describe, in simple terms, what cookies are. This definition should be easily understandable by anyone who reads it. A good Cookies Policy might also list the different types of cookies that are used by the website, such as site performance cookies, registration cookies and advertising cookies. It is important to note that this level of detail is not required but can still be largely helpful and informative for the users.
Cookie consent is a cornerstone of compliance for websites. This is because one of the most common ways for personal data to be collected and shared online is through website cookies.
To comply with the regulations governing cookies one must:
- Receive users’ consent before you use any cookies except strictly necessary cookies like those that aid in preventing fraud or illegal activities, wherein the controller can rely on legitimate interest.
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
- Document and store consent received from users.
- Allow users to access your service even if they refuse to allow the use of certain cookies.
Use of cookie walls
As highlighted above, consent, once granted by the data subject, ticks the compliance box for the website owner. This has led many website owners to offer a mandatory, one-off opt-in to all cookies bundled together, a take-it-or-leave-it approach to designing the user opt-in. If the user does not opt in, they are unable to access the contents of the site. This is commonly referred to as the use of “cookie walls.”
Data subject rights
- Right to be forgotten (erasure): the controller must make it as easy for users to withdraw their consent as it was for them to give their consent in the first place. Provide a clear opt-out.
- Right of access to personal information collected by the controller relating to them.
- Right to rectification of any inaccurate personal information.
- Right to data portability, emanating from the right to receive personal data relating to them. The controller is required, upon request, to transmit this data to another controller without hindrance.
- Right to object to processing of any personal information relating to them, for instance for direct marketing purposes.
- Right to restrict processing, for instance where the data subject claims that the processing is unlawful, or does not want to exercise their right to erasure because the accuracy of the information is contested or the information is needed for a legal claim.
- Right not to be subject to automated individual decision-making, including profiling, which produces effects that significantly affect them.
Between working remotely, spending more time at home this year, and businesses across many industries shifting entirely to digital, users are online more now than ever. This means we are also seeing more “accept cookies” banners: a bug on the Internet’s windshield and an eyesore we hurriedly click “yes” to so we can see what we came to a site to check out. Cookies have become a complex yet valuable tool for most businesses, but it can be easy to rely too heavily on them and jeopardize users’ privacy.