Twitter has recently been found to be in breach of the law around internet cookies and was fined €30,000. Is this a warning for other websites? In Spain, the data protection authority, the AEPD, has fined Twitter, one of the most popular social media platforms in the world, €30,000 for failing to comply with laws on cookies.
In its ruling, the AEPD stated that Twitter had not given visitors the option to specify which cookies they were accepting: they were presented only with an option to accept all cookies, with no option to reject cookies and no link to further manage cookie preferences. There were options within the website to tweak the cookie preferences; however, the ruling made in Spain stated that this was not sufficient. Twitter now has one month to appeal the ruling.
This may be the most high-profile fine for a company ignoring rules on cookies; however, it is not the first. In January the Belgian data protection authority issued a fine of 1% of an organisation's annual turnover for non-compliance with the law on cookies as part of the GDPR. This was carried out on the Belgian DPA's own initiative, not as part of a complaint from a data subject. It stated again that consent for each type of cookie is required, for example, having a separate box for marketing cookies and another box for your website preferences.
As time goes on, we will see more of these sorts of actions being taken by authorities across Europe against non-compliant websites and, let me tell you, there are a lot of non-compliant websites out there. It has always been one of the first things I look into when I engage with a new client: before physically going through the door to their offices, I check their website for adequate privacy policies and cookie consent options, and most do not meet the basic standards required.
To reiterate some basic pointers to work towards, it is important for your website to have a cookies banner that allows what is known as “granulated consent”, which means having an option for each of the different types of cookies running on your website. You should also have an explanation of what each type of cookie does and how long cookies are stored for. Some are stored for just that browsing session; some are stored for longer. You do not need to ask for consent at each visit; however, the ICO in the UK recommends re-requesting consent at “suitable intervals”. It is important to note that the ICO considers that someone continuing to browse a website does not count as consent, and you cannot set non-essential cookies before a user has consented to them.
My advice to anyone reading this, whether they are a small business owner, an employee at a start-up, a trustee for a charity or even people working at larger firms, is this: please look at your organisation's website and, if you do not think it's compliant, please take corrective action or speak to someone that may be able to help you. The remedy will likely be cheaper than the punishment. Twitter may be able to take a €30,000 fine like a slap on the wrist, but can you?