

Posted by Rohan Kanungo | April 16, 2018 10:02 AM

(1) Use of cookies or similar technologies: Whenever you set cookies or similar technologies on a user's equipment for marketing purposes, you need to obtain cookie consent. Cookie consent would need to be provided by all affected consumers. This is not safeguarded when different consumers use the same device: once one consumer has provided consent, the cookie settings store this choice for everyone using that device. However, this problem is difficult to overcome in practice.

Regarding tracking/profiling that also covers third-party websites, the use of a cookie to track a consumer's behavior on third-party websites before the consumer enters your website cannot be legitimized with cookie consent only.

(2) Collection and processing of consumer's personal data: The most sensitive issue is the justification for the collection and processing of the consumer's personal data (such as the consumer's browsing habits in connection with its ID etc.).

Tracking/profiling through account: If you track consumers through their account, we think that the profiling may be justified without explicit consent but based on customer's legitimate interests. You may argue that account holders are existing customers (where GDPR generally allows broader leeway). In our view, the following aspects need to be considered when balancing the interests:

  • Privacy intrusion is limited when ads are merely shown on your website;
  • Personalization only relies on information gathered from your website (and not from third-party websites);
  • Consumer is an existing consumer and is informed about that tracking via the Privacy Policy; and
  • Consumer can also withdraw its cookie consent at any time to end the tracking (as is usually emphasized in the Privacy/Cookie Policy).

Tracking/profiling through device:

  • Tracking/profiling restricted to your website: If you track consumers through their device on your website only, we think the collection/processing of personal data in relation to existing consumers (i.e. those with an account) can still be based on legitimate interest. In relation to consumers without an account, we do not think that the justification of legitimate interest will work. This issue is a dark grey area and requires a risk assessment and discussion with your DP team.
  • Tracking/profiling also on third-party websites: We do not think that the collection/processing of personal data on third-party websites for marketing purposes can be based on legitimate interest alone. This tracking is very sensitive, and data protection authorities ("DPAs") would hardly acknowledge it as covered by legitimate interests that outweigh the privacy interests of the consumer. We recommend that at least the most sensitive part, which is the collection/processing of personal data, should be covered by a proper GDPR consent.

