Running afoul of privacy laws can cost your brand dearly. Consider the case of Vueling Airlines.
Vueling, the largest airline in Spain, was recently fined 30,000 euros by the Spanish Data Protection Authority for unlawful management of cookies on its website. The problem, as noted by the European Data Protection Board, is that users who visit the airline’s website lack the ability to configure the cookies that are installed on their computers – a big no-no under the General Data Protection Regulation (GDPR).
The fine underscores how thorough GDPR law is and why businesses need a comprehensive approach to compliance. GDPR is a comprehensive law designed to protect the privacy rights of European citizens by giving them more control over their personal data. GDPR affects any business that does business in the EU.
Why GDPR Law Is a Challenge for Businesses
GDPR compliance is complicated. A business can successfully comply with one element of GDPR but violate another. The European Data Protection Board points out that Vueling’s website got it right in some aspects of cookie law. Vueling informs users what cookies are and what cookies Vueling uses. Vueling also lets users know that Vueling can use the information from cookies by itself or through third parties, and that Vueling might use third-party analytics cookies.
But according to the Spanish Data Protection Authority, Vueling fails to provide a cookie configuration panel that would allow the user to delete them in a granular way. Every cookie on the company’s site is configured in the user’s browser and begins tracking the user before the user accepts the cookie while browsing the site.
What Businesses Should Do
Businesses wanting to avoid the same fate as Vueling need to manage cookies carefully – for instance, pre-ticked boxes need to be unchecked for cookies as a user navigates the site. But cookie compliance is complicated. The UK Information Commissioner’s Office (ICO) provides an example of just how complicated consent rules can be under GDPR in this section of the ICO’s website. As you can see from just a brief glance, cookie compliance is not easy.
One point is clear: privacy laws are here to stay. And they’re only going to increase in scope. For instance, in January 2020, California, one of the world’s largest economies, will enact its own version of GDPR, the California Consumer Privacy Act (CCPA), thus ushering in another complicated set of evolving requirements.
Investis Digital Can Help You
Investis Digital began as a European-based technology services provider focused on the FTSE 350. From the beginning, we have held ourselves accountable to the very strongest of data and privacy protection governance models because that was what our clients demanded. When Investis Digital rolls out a new service we think about how we can embed privacy-by-design. It is for this reason that Investis Digital does not store sensitive data; nor do we sell even benign data to third parties. The need for such high standards of security and governance has always been a requirement of our clients, and this level of accountability has never been more important than it is today.
For questions, contact Investis Digital.