1. COMPLIANCE ANALYSIS PREMISES
Articles 13 and 14 of the GDPR set out all the information that must be given to data subjects when their personal data are collected, or shortly after the data have been obtained indirectly. To clarify this, the Article 29 Working Party (WP29) published in November 2017 a guide dedicated to transparency, revised in April 2018.
1.2. TERMS & CONDITIONS
Another aspect of transparency, this time not limited to personal data, is the presence of a page describing the Terms and Conditions under which visitors may use the site. The Terms and Conditions page should represent the agreement by which users of the site are informed of the rules, terms and regulations they must follow. Although not imposed by the GDPR, the Terms and Conditions page may reserve the right to exclude users who behave abusively on the site or do not comply with the rules set.
Usually, there are five reasons why a Terms and Conditions page is required:
- Abuse prevention – in the case of spam, abusive behaviour or uncontrolled activity that can lead to defamation. Without Terms and Conditions there is no basis for suspending or banning users who display problematic behaviour.
- Content protection – the site owner holds the rights to the logo, content and design of the site. The Terms and Conditions inform users of this and help prevent the misappropriation of intellectual property.
- The right to cancel accounts – while termination may be implicit in other clauses, a distinct right to cancel accounts, highlighted in the Terms and Conditions, is better.
- Limitation of liability – the terms and conditions also limit the causes of action that users may try to bring against the site. These limits on liability may cover errors in content or shutdown of the system. Basically, the terms explain that users accept these risks when they register on the site and that the owner cannot be held responsible for any losses they incur in these events.
- Applicable legal notice – if the company is located in Romania, it is unlikely that it wants to take part in arbitration proceedings in California or Singapore. This is the section on applicable law: it states the jurisdiction governing the terms and the place where any dispute is settled.
1.3. COOKIES POLICY
At present, there is no dedicated legislation in the European Union that exclusively concerns cookies. There is instead a set of laws, recommendations and considerations that address how cookies can be used. They apply to all Member States of the European Union, and websites outside the EU must align with them if they are addressed to people in the Member States. In the absence of explicit legislation, the conditions of use for cookies are regulated by Directive 2002/58/EC, updated in 2009 and known as “ePrivacy”, which is transposed in Romania by Law 506 of 2004, updated by Law 235 of 2015, regarding the processing of personal data and the protection of privacy in the electronic communications sector.
What ePrivacy says about Cookies – Article 5(3) of ePrivacy requires prior informed consent for the storage of, or access to, information stored on the user’s terminal equipment. In other words, users should be asked whether they agree to most cookies and similar technologies (for example web beacons, Flash cookies, etc.), and their consent must be obtained before the site starts using them. Users must be told:
- Why cookies are used (to remember user actions, identify users, collect traffic information, etc.)
- Whether the cookies are essential for the operation of the website or for certain functionality, or whether they are intended to improve the performance of the website
- The types of cookies used (for example session or persistent, first- or third-party) and who controls/accesses the information in the cookies (the site or a third party)
- That these cookies will not be used for purposes other than those indicated
- How users can withdraw their consent to cookies.
What the GDPR says about Cookies – The main cause of the inconsistencies around cookie policies is that EU Regulation 679/2016 treats IP identifiers as personal data, which Directive 58 did not. This gives site owners an additional headache on top of ensuring compliance requirements for the acquisition and retention of IP addresses.
In the GDPR, the only place where cookies are explicitly mentioned is Recital 30, which states: “Individuals may be associated with the online identifiers provided by their devices, applications, tools and protocols, such as IP addresses, cookie identifiers or other identifiers such as radio frequency identification tags. They can leave traces that, especially when combined with unique identifiers and other information received by servers, can be used to create profiles of individuals and to identify them.”
The idea is relatively simple: cookies can be used to uniquely identify a person, so they should be treated as personal data. This affects identifiers used for analytics and advertising, but also those used for functional services such as chats and surveys.
What needs to be changed? – Users must be able to CHOOSE. Browsing a website does not mean that the visitor agrees to all cookies. The wording commonly used today is barely informative and, of course, offers no choice. A site owner cannot force users to accept cookies in exchange for access to content.
Like any other consent under the GDPR, consent for cookies must be a clear AFFIRMATIVE action, for example ticking a consent box or choosing menu settings. Care must be taken not to use pre-checked boxes on the consent form!
1.4. PERSONAL DATA PROCESSING NOTES
The GDPR sets higher standards for obtaining consent than previous legislation. Individuals need to understand clearly and unequivocally what they are agreeing to – so notices need to be simply worded and specific – and the agreement must be given in the form of a clear affirmative action by the data subject. In practical terms, this means asking for a positive “opt-in”, and it also means that pre-checked boxes must not be used.
2. METHODOLOGICAL ASPECTS
The compliance analysis of the GDPR policies on web pages consisted of studying a sufficiently large number of sites to meet the optimal conditions for statistical analysis, on a sample as representative as possible.
The compliance study was based on two types of analysis:
- A detailed, quantitative-qualitative analysis of the presence and quality of the content of the public policies, taking into account the minimum mandatory information that must appear in these declarations of conformity.
2.1. QUALITATIVE ANALYSIS
The research sample consists of about 450 sites, chosen on different criteria such as:
- ACUITY – a sufficient number of sites is needed to ensure good-quality statistical processing;
- REPRESENTATIVENESS – the sites belong to public and private companies from different areas of activity, so that the results can be considered as covering all verticals;
- LEADERSHIP – for each of the activity areas considered, the companies noted for their results were selected. The 100 companies from the Top Profitability analysed in the Detailed Study are also included in this analysis;
- RESPONSIBILITY – sites were included from all areas that may involve an increased level of responsibility, through the appointment of a DPO or the obligation to carry out an impact assessment, according to the list of activities presented in Decision 174 of October 2018, Art. 1, para. a – g.
The qualitative analysis was based on the evaluation of the content published on the sites of the studied sample, according to analysis criteria to which different weights were assigned, depending on the importance of the aspect pursued.
2.2. IN-DEPTH ANALYSIS
The research sample consists of about 150 sites, chosen on the criterion of belonging to the Top 100 companies in Romania by profitability for 2017, compiled and published by Capital magazine based on the results filed with the Trade Register (Capital magazine, EXCLUSIVE TOP 100 most profitable companies in Romania, July 2018). Another 50 sites were selected on business-results criteria, according to the results filed with the Trade Register.
The purpose of the GDPR Ready analysis, easy to guess, is to see to what extent the top companies in Romania have found the resources needed to align with the new Regulation 679/2016; the web pages containing an organization's public policies are the most eloquent business card for the state of compliance a top company has reached.
The detailed analysis was based on the evaluation of the content published on the websites of the studied sample, according to analysis criteria to which different weights were assigned, depending on the importance of the aspect pursued. Some of these criteria, regarding the presence of the different policies on the site and the form of presentation, content, accessibility and format of the cookie bar, are the same as those used in the qualitative analysis. The differences appear in the specific analysis of each policy (Confidentiality, Terms & Conditions, Cookies), where the benchmark used was the full set of mandatory criteria by which data subjects are informed of the way their personal data are processed, as clearly set out in Articles 13 and 14 of the GDPR.
3. MAIN RESEARCH RESULTS
Here is a brief summary of the results obtained from the two types of analysis.
3.1. QUALITATIVE ANALYSIS RESULTS
One of the objectives of this analysis, which studied 450 sites, was the general evaluation of the presence of public policies on the website. The six types of policies studied were analysed from the perspective of their presence on the websites, the assessment criteria being presence, absence, and partial or incomplete presence – for example, when the specific notices of a policy are described on pages other than the dedicated one. What is to be emphasized here?
- 31% do not have such a policy, and so do not comply with the principle of transparency regarding the protection of personal data.
- Only 40% of sites have a Terms & Conditions page, although it should be found on any public site and is not directly related to the GDPR.
- 79% of the sites do not have a confidentiality note, although they collect personal data through the site.
- Only 8% of the sites offer the possibility of downloading forms for access requests to personal data.
- Only 55% of sites offer a mailing address for GDPR issues, whether they have a dedicated DPO or not.
Figure 1: PRESENCE OF THE WEBSITE POLICY
The analysis of the industry verticals gives an overview of the areas of activity in which there is concern for updating the public policies on the website. For the histogram of the main industry verticals, the average compliance percentage of all sites belonging to the respective industry was used.
Some comments on the results:
- The highest level of compliance is found in the utilities, telco, retail – hypermarket, pharmaceutical & cosmetics, and automotive industries.
- On the opposite side, and this is quite sad, are areas that by the nature of their activity are obliged to have a DPO: public administration (town halls), education (schools, colleges, universities), healthcare (hospitals, clinics) and government (ministries and supervised organizations).
- A surprisingly low compliance average of 36% was found for companies in the IT industry, which had a fairly large research population (121 sites).
Figure 2: TOP VERTICAL AVERAGE VALUES FOR INDUSTRY
3.2. IN-DEPTH ANALYSIS RESULTS
A general assessment of the 150 sites studied in detail combines the presence of policies with criteria of visibility, accessibility and content of the policies. The compliance level is rated as a percentage and classified as Low (below 25%), Medium (25% – 75%) and Good (over 75%).
While 4% of the organizations analysed do not have a functional website, 13% have no policies, 14% have poor compliance, 53% medium compliance, and only 17% a satisfactory level of compliance.
Figure 3: GENERAL APPRECIATION
Another objective of the detailed analysis was the evaluation of each policy against the compliance criteria presented in the methodology chapter:
Regarding the pages dedicated to the Terms and Conditions, only 14% have a satisfactory level of compliance, 42% a medium level, 25% poor compliance, and 19% have no Terms and Conditions page at all.
When analysing the Cookies Policy, it appears that only 3% of the sites have an acceptable level of compliance, 33% a medium one, 44% an unsatisfactory one, and 23% of the sites do not use cookies.
Finally, the 114 sites that use cookies were analysed for compliance with the GDPR rules on obtaining consent: the way the cookie bar is displayed and its content, the presence or absence of pre-checked acceptance boxes, and the presence of a REJECT button next to the ACCEPT one. The results are summarized in Figure 5.
Figure 5: COOKIES BAR CONFORMITY
4. MOST FREQUENT MISTAKES
Among the most common mistakes encountered during this Compliance Review are:
- Omission of the description of data subjects' rights, which is mandatory in any notice to data subjects
- A missing or outdated Terms & Conditions page
- A granular menu for accepting the different categories of cookies, but with pre-checked boxes
- A cookie bar placed in such a way that it hides the other policies, usually at the bottom of the site.
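The consent requirements from section 1.3 and the cookie-bar mistakes listed above, modelled as an added example that is not part of the study: a small consent gate in which nothing non-essential is pre-checked, only an explicit ACCEPT or REJECT counts as consent, and an audit function flags the bar configurations the study rated as non-compliant. The category names, the banner object shape and the sample banner are assumptions constructed for this example.

```javascript
// Added example, not part of the study: a minimal consent gate plus an
// audit of a cookie-bar configuration against the criteria the study checks.
const ESSENTIAL = "essential"; // strictly necessary cookies need no consent

// Cookie categories a site might offer; the names are assumptions.
const CATEGORIES = [ESSENTIAL, "functional", "analytics", "advertising"];

// Initial state of the consent form: no non-essential box is pre-checked.
function initialChoices() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === ESSENTIAL;
  return choices;
}

// Only an explicit ACCEPT or REJECT is a clear affirmative action; scrolling
// or continuing to browse is not consent and grants nothing.
function recordConsent(action, choices) {
  const decided = action === "accept" || action === "reject";
  const granted = { [ESSENTIAL]: true };
  for (const c of CATEGORIES) {
    if (c !== ESSENTIAL) granted[c] = action === "accept" && choices[c] === true;
  }
  return { action, decided, granted };
}

// Categories whose cookies may be set right now (essential only until decided).
function allowedCategories(consent) {
  if (!consent || !consent.decided) return [ESSENTIAL];
  return CATEGORIES.filter((c) => consent.granted[c] === true);
}

// Audit a cookie-bar configuration (a constructed object) for the mistakes
// listed above: pre-checked boxes, no REJECT beside ACCEPT, early cookies.
function auditBanner(banner) {
  const findings = [];
  if (!banner.buttons.includes("reject")) findings.push("no REJECT button beside ACCEPT");
  for (const [cat, checked] of Object.entries(banner.toggles)) {
    if (cat !== ESSENTIAL && checked) findings.push(`pre-checked box: ${cat}`);
  }
  if (banner.setsCookiesBeforeConsent) findings.push("non-essential cookies set before consent");
  return findings;
}

// Constructed sample: a bar with everything pre-checked and no reject option.
const sampleBanner = {
  buttons: ["accept", "settings"],
  toggles: { essential: true, analytics: true, advertising: true },
  setsCookiesBeforeConsent: true,
};
console.log(auditBanner(sampleBanner)); // four findings for this sample
```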
The lack of concern for publishing or updating the public policies on the website is a worrying finding and a transparent x-ray of how willing Romanian organizations are to invest in aligning with the GDPR.
The presence of these site policies represents a business card, a public statement of the company’s concerns for compliance and accountability.
The public policies on the website represent only the visible part of what can be called a GDPR compliance project. It is hard to believe that an organization that is not concerned with its public image can approach an acceptable level of compliance with internally applied processes, procedures and policies.