28 Jan Cookies and Data Privacy

That’s the Way the [Computer] Cookie Crumbles: Computer Cookies and How it Affects Data Privacy

Websites nowadays are accompanied with a pop-up window that notifies the user that said websites use cookies for analytics, advertising, or optimal performance. It gives the user the option to consent to the use of cookies or to learn more about such cookies. Some notices would mention that it is pursuant to the General Data Protection Regulation (GDPR), a European Union (EU) regulation on the protection of consumer and personal information.

If one does not consent, the pop-up will remain, and the user may not be able to access the website. Most of the time, users will mindlessly give their consent in order to immediately access the website, without really understanding the consequences of such act.

Cookies are text files used by a website which are saved on a user’s computer they store the website’s name and an ID that would identify the user. Cookies can also store other information such as traffic data (i.e., the amount of time spent on a website) and content data (i.e., links clicked while using the website, the settings set on the website, the accounts logged into). These cause concern for private individuals and consumers.

There are several types of cookies, some of which are session cookie, persistent cookie, and third-party cookie. Session cookies are present only while a user is navigating a website and disappears when the user closes the web browser. This allows a website to remember a user when they navigate from one page to another within the website. These are typically used in online shopping.

Persistent cookies, also known as permanent cookies, are saved on a user’s computer until its expiration. It stores the information and settings of a website frequently visited and allows the website to remember the user and their preferences during his or her subsequent visits. These are used in remembering one’s preferences and login details in their web browsers. This is also why users see advertisements regarding products or services they have recently or frequently search.

Third-party cookies are those installed by third parties, such as advertising companies that manage the banner ads on websites, which collect certain data for research purposes such as consumer behavior, demographics, and the like.

When cookies stored in a device are able to uniquely identify a user through the device or combined with unique identifiers or other information received by the servers such as IP addresses, it is considered as personal information. This causes concern for those who value their privacy. This is where GDPR steps in and helps regulate the collecting and processing of such information.

The GDPR was enacted to balance the privacy rights of individuals with the rights of organizations and governments to collect and use data for business and administrative purposes by emphasizing on transparency, security, and accountability from data controllers such as the websites, which collect and process information on its users.

In order to comply with lawful processing as provided by the GDPR, websites must obtain the consent of the user for a specific purpose. However, this consent must be clearly, freely, and genuinely given as there is a presumption that the same was not freely given. As such, the act of merely visiting a website, without agreeing to the cookie policy of such website, cannot be considered as consent.

The GDPR took effect on May 25, 2018 and failure to comply with its regulations will result in fines up to Twenty Million Euros (€20 Million or equivalent to Php 121,478,000.00 as of the date of writing) or four percent (4%) of the website’s global annual turnover, whichever is higher. This is why pop-ups regarding the cookie policy of websites have been proliferating.

The Philippines, while not a signatory to the GDPR, provides for an extraterritoriality effect when personal information of users who are part of the EU are being processed when users’ behavior within the EU are being monitored by a controller or processor who is not part of EU.

The Philippines enacted Republic Act No. 10173, otherwise known as the “Data Privacy Act of 2012” (hereinafter DPA) is largely aligned with the GDPR. The DPA does not have a counterpart provision on cookies being used as an identifier, but the definition of personal information in Section 3(g) of RA 10173 is broad enough to include the use of cookies. Therefore, data processors or controllers who collect and/or process personal information in the Philippines may be found liable if they do not obtain the consent of its users. DPA provides penalties of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five Hundred Thousand Pesos (Php500,000.00) but not more than Two Million Pesos (Php2,000,000.00) on persons who process personal information without the consent of the data subject, or without being authorized under the DPA or any existing law.