As a company's online shop window, a website is now practically indispensable given the business stakes involved. But while these sites give companies unique visibility and are highly practical, we should not forget that they are first and foremost dedicated to users; to achieve most objectives, particularly marketing objectives, companies need to use as much information as possible about traffic and site use, and consequently process personal data.
With tracking, advertising, cookies, tracers, and pixels being deposited on websites and many players able to capture data, websites are one of the primary sources of risk when it comes to privacy breaches. The stakes are all the higher because websites can be used as a benchmark by their future customers and users to assess the compliance of the organization that publishes them and can even be directly inspected by the data protection authorities to verify compliance (particularly on cookie management).
To ensure that a website complies with data protection rules and with the General Data Protection Regulation (GDPR), the publisher must, in particular, ensure that:
It provides a framework for the deposit of cookies and tracers by obtaining the consent of users and providing specific information on the subject
It provides complete information on how personal data collected on the site are processed using a confidentiality policy and specific information notices
It provides a framework for data collection forms and obtains user consent for data processing based on these forms
It implements appropriate security measures to ensure adequate security for personal data
The management of cookies and trackers
Cookies (or trackers, pixels, etc.) are at the heart of online privacy protection. The CNIL's work on the subject (deliberations, guidelines, controls, etc.) bears witness to this.
Cookies are small files deposited on visitors’ terminals (computer, smartphone, tablet, etc.) when visiting a website or mobile application. These cookies can measure the site’s audience, record information such as the language used, the shopping basket, or the user’s login details, track the user’s browsing habits, provide targeted advertising, or geolocate the user.
It is essential to pay particular attention to this and to ensure that you are technically and legally in control of their use.
All website users must be informed that cookies are being stored on their terminals and give their prior consent to their storage where this requirement applies.
Informing the user of the deposit of cookies
All legal notices must be provided in compliance with the obligations relating to the form in which the information is presented, i.e., in a concise, transparent, understandable, and easily accessible manner, using clear and straightforward terms.
To ensure compliance with these requirements, the CNIL recommends that information be provided on two levels (referred to as two-tier information): a first level of summary information, shown in the cookie banner when the user arrives on the site, and a second, more detailed level that describes, for each cookie:
Its owner (cookie publisher/third party)
Its purpose (what it enables and the information it provides)
How long it is kept
Its classification, i.e., whether or not the visitor's consent is required before it is deposited
Obtaining prior consent to the deposit of cookies
The cookies “banner” mentioned above should serve two purposes: the first is to provide initial information to website users, and the second is to allow them to choose whether or not to accept the deposit of cookies on their terminal or even to select the categories of cookies they accept and those they reject.
According to the CNIL, the French data protection authority, cookies are divided into two categories: those that require the user's prior consent to be deposited and those that are exempt (cookies that are strictly necessary for the operation of the site or the provision of the service).
Exempted cookies and trackers (no prior consent required):
Retain the choice expressed by users on the deposit of cookies
Authenticate the user to a service (including those intended to ensure the security of the authentication mechanism)
Remember the contents of a shopping basket
Customize the user interface (e.g., choice of language or presentation of service) when this customization is an intrinsic and expected element of the service
Allow load balancing of the equipment involved in the communication service
Allow paying sites to limit free access to a sample of content requested by users
Allow audience measurement (under certain conditions)
Cookies and tracers subject to prior consent:
Allow personalized or non-personalized advertising
Allow sharing functionalities on social networks
When first connecting to the website, users should see the banner appear, and be able, with one click, to choose to accept or refuse all of them or to choose on a case-by-case basis. Since any consent collection must be proven at the authority’s request, the CNIL considers it good practice to keep this proof for 6 months.
Finally, you will need to check the tools you use that are likely to deposit cookies on your site to ensure that they enable you to comply with the applicable regulations.
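The gating logic behind such a banner, as an added example that is not code from the article or from any CNIL tool: it applies the exempt / consent-required split described above, builds a timestamped consent record usable as proof, and refuses any tracker that was never described to the visitor. The tracker catalogue, its values and the expiry rule are constructed assumptions.

```javascript
// Added example (not from the article): consent gate for a cookie banner.
// CNIL good practice from the article: keep proof of consent for 6 months.
// Assumption made here: a record older than that is treated as expired and the banner is shown again.
const PROOF_RETENTION_MS = 6 * 30 * 24 * 60 * 60 * 1000;
const CONSENT_CATEGORIES = ["audience", "advertising", "social"];

// Constructed catalogue of the trackers the site deposits, with the per-cookie details
// (owner, purpose, retention, classification) the second information level asks for.
// "audience" here means measurement that does not meet the CNIL's exemption conditions.
const TRACKERS = {
  consent_pref: { owner: "publisher",   purpose: "retain the visitor's consent choice", retention: "6 months", category: "exempt" },
  session_id:   { owner: "publisher",   purpose: "authenticate the user",               retention: "session",  category: "exempt" },
  cart:         { owner: "publisher",   purpose: "remember the shopping basket",        retention: "7 days",   category: "exempt" },
  stats:        { owner: "third party", purpose: "audience measurement",                retention: "1 year",   category: "audience" },
  ads_pixel:    { owner: "third party", purpose: "personalised advertising",            retention: "1 year",   category: "advertising" },
  share_widget: { owner: "third party", purpose: "social network sharing",              retention: "1 year",   category: "social" },
};

// Turn the banner's one-click or per-category choice into a timestamped consent record (the proof).
// choices: "acceptAll", "refuseAll", or an object such as { audience: true }; anything unspecified is refused.
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const c of CONSENT_CATEGORIES) {
    granted[c] = choices === "acceptAll" ? true : choices === "refuseAll" ? false : choices[c] === true;
  }
  return { granted, timestamp: now };
}

// Is the stored record still usable, or must the banner be shown again?
function consentIsCurrent(consent, now = Date.now()) {
  return Boolean(consent) && now - consent.timestamp <= PROOF_RETENTION_MS;
}

// Decide whether a tracker may be deposited now. Unknown trackers are refused:
// anything missing from the catalogue cannot have been described to the visitor.
function mayDeposit(name, consent, now = Date.now()) {
  const tracker = TRACKERS[name];
  if (!tracker) return false;
  if (tracker.category === "exempt") return true;
  if (!consentIsCurrent(consent, now)) return false;
  return consent.granted[tracker.category] === true;
}

// Every tracker the page may load for this visitor, e.g. to decide which script tags to inject.
function allowedTrackers(consent, now = Date.now()) {
  return Object.keys(TRACKERS).filter((name) => mayDeposit(name, consent, now));
}
```

Before any consent record exists, `allowedTrackers(null)` returns only the exempt entries, which is the state the page must be in when the banner first appears.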
Information management through a confidentiality policy
Because personal data is now a priority and intrinsically linked to every individual browsing the Internet, growing awareness of the need to protect it has made it imperative for website publishers to ensure that all mandatory information is provided.
So if your website is to respect the personal data and privacy of Internet users, it must provide, via simple and permanent access, information that is as transparent as possible about how the data is used.
In most cases, using your website involves collecting personal data from visitors or users, for example, by collecting their login details when they create an account or their contact details if they subscribe to a newsletter.
The GDPR requires data subjects to be informed of the following:
The identity of the data controller and the contact details of your DPO if one has been appointed
The legal basis for data processing
The purposes and objectives of data collection and processing
The recipients or categories of recipients of the data (data controller, subcontractor, technical service providers, etc.)
Transfers or the absence of transfers of data outside the European Union
Data retention periods
The rights of the persons concerned (such as access, rectification, erasure, and objection) and the effective means of exercising them (by e-mail, by post, or via integrated functionalities)
The right to lodge a complaint with the supervisory authority (in France, the CNIL)
Whether or not the provision of personal data is compulsory, and the possible consequences of not providing this data.
Other information must be provided in the event of indirect collection. This covers:
The categories of personal data concerned
The source of the data
These disclosures must be reviewed and updated whenever there is any change in how personal data is processed. Such updates may require new information to be provided to individuals or new consent to be obtained where this legal basis applies.
Supervision of data collection forms and collection of user consent for processing on this basis
In addition to collecting data by depositing cookies, your website may collect data directly from the user in various ways depending on the use, mainly via a contact form, an account creation form, a newsletter registration form, etc.
In these cases, specific rules must be respected to ensure compliance with the GDPR.
Only information that is strictly necessary to achieve the purpose of the collection should be requested: for example, to subscribe to a newsletter, the only information required is the user’s e-mail address.
If you ask for more information than that, you must indicate which fields are compulsory and which are optional, for example with an asterisk.
If information is collected via a free-text field, you must warn the user not to enter sensitive data; this spares you certain additional obligations and limits the need to moderate what ends up in your databases.
Each data collection must also offer a means of obtaining the user’s consent where this legal basis applies. This consent must be obtained in an accessible, specific, informed, and unambiguous manner, and there must be no doubt as to the individual’s true intention to consent to the processing of their data.
Implementation of appropriate security measures
All website publishers must ensure that the data they collect and transmit is secure. This involves implementing appropriate security measures that take account of the risks involved.
The CNIL recommends several actions to be taken, including:
Implement the TLS protocol
Use TLS for all authentication pages, forms, and all pages for displaying and transmitting personal data
Restrict open communication ports to those strictly necessary for the correct operation of the applications
Restrict access to interfaces and tools to authorized persons only
Restrict the number of components used and update them regularly.
In addition to these recommendations, the CNIL draws attention to the need not to transmit personal data in a URL, to use secure services, not to use servers as workstations, not to use generic accounts, and above all, not to place databases on a server that can be accessed directly via the Internet.
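One way to check the "no personal data in a URL" point above, as an added example that is not from the article: a scan over request targets taken from constructed access-log lines, flagging query parameters or path segments that carry personal data and producing a redacted form safe to log. The regexes, parameter list and log lines are all constructed for this example.

```javascript
// Added example (not from the article): detect personal data travelling in URLs.
// Query strings end up in server logs, proxies and Referer headers, which is why the CNIL warns against this.
const EMAIL_RE = /[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}/i;
// French numbers written 0X XX XX XX XX or +33X..., with optional spaces, dots or dashes.
const FR_PHONE_RE = /(?:\+33|0)[1-9](?:[ .-]?\d{2}){4}/;
// Constructed list of parameter names that should never carry a value in a URL.
const SENSITIVE_PARAMS = new Set(["email", "mail", "phone", "tel", "name", "nom", "prenom", "iban", "password", "token"]);

// One finding per query parameter (or the path) that looks like personal data.
function findLeaks(urlOrPath) {
  const u = new URL(urlOrPath, "https://example.invalid"); // base only matters for relative request paths
  const findings = [];
  for (const [key, value] of u.searchParams) {            // searchParams yields decoded values
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) findings.push({ param: key, reason: "sensitive parameter name" });
    else if (EMAIL_RE.test(value)) findings.push({ param: key, reason: "email address in value" });
    else if (FR_PHONE_RE.test(value)) findings.push({ param: key, reason: "phone number in value" });
  }
  if (EMAIL_RE.test(u.pathname)) findings.push({ param: "(path)", reason: "email address in path" });
  return findings;
}

// A loggable copy of the request target with the flagged query values blanked out.
function redactUrl(urlOrPath) {
  const u = new URL(urlOrPath, "https://example.invalid");
  for (const { param } of findLeaks(urlOrPath)) if (param !== "(path)") u.searchParams.set(param, "REDACTED");
  return u.pathname + u.search;
}

// Constructed Apache-style access-log lines (203.0.113.0/24 is a documentation range).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /newsletter/confirm?email=alice%40example.com HTTP/1.1" 200 512',
  '203.0.113.8 - - [10/Jan/2024:10:00:02 +0000] "GET /products?page=2 HTTP/1.1" 200 8123',
  '203.0.113.9 - - [10/Jan/2024:10:00:03 +0000] "GET /contact?msg=call+me+on+06+12+34+56+78 HTTP/1.1" 200 300',
];

// Report each request whose target leaks personal data, together with its redacted form.
function scanLog(lines) {
  const report = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP\//);
    if (!m) continue;
    const leaks = findLeaks(m[1]);
    if (leaks.length > 0) report.push({ target: m[1], leaks, redacted: redactUrl(m[1]) });
  }
  return report;
}
```

Running `scanLog(SAMPLE_LOG)` flags the newsletter and contact requests and leaves the product listing alone; the same `redactUrl` function can be applied before a request target is written to an application log.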
By complying with these obligations, you are meeting the requirements of the GDPR and the directives of the CNIL in terms of transparency and security, and you are instilling confidence in the visitors and users of your site, which can only be beneficial to your business.