Why do I have to mention cookies in my company’s privacy policy?

When users visit a website, the website places small pieces of data known as “cookies” in their browsers and reads them back on later requests. Cookies can help with marketing by tracking individuals’ behaviour once they leave the website. Information such as the user’s identity, webpages visited, language and/or display preferences, transactions performed and items purchased is often collected and recorded. Cookies also help to track customers’ behaviour when they return to the same website. The main goal of using cookies is to recognise users’ trends and thereby streamline their interaction with the website.

However, tracking users’ online behaviour often raises concerns, for several reasons:

  • Website users’ browsing habits or information are often collected by website owners or operators without consent or knowledge.
  • Website users’ browsing habits or information may be collected by third parties without consent or knowledge.
  • The information collected may be transferred by the website owners or operators or a third party to other parties without consent or knowledge.
  • Website users’ information collected from one website may be combined with information collected from other websites or sources to build profiles of them without their knowledge.
  • The purpose of collecting the website users’ information is not made clear to them or they are not informed of the option to opt-out.

Does behavioural information collected through cookies constitute personal data?

To constitute personal data, the behavioural information should (a) relate directly or indirectly to a living individual; (b) allow the identity of that individual to be ascertained directly or indirectly; and (c) exist in a form in which the information can be accessed or processed.

What actions should organizations take when tracking online behaviour using cookies?

As an organization, if you are tracking online behaviour using cookies and that tracking involves the collection of users’ personal data, then you must comply with the data protection principles set out in the Personal Data (Privacy) Ordinance (PDPO). To understand the six Data Protection Principles, read “In Hong Kong, what personal data is subject to privacy regulations? What are the rules for processing personal data?”

In addition, you need to explicitly mention the cookies and the types of information stored in the cookies in your company’s privacy policy because the users of your website need to provide consent to the cookies tracking their behaviour. The website users’ acceptance can be mandatory or voluntary:

  1. If it is mandatory, your website should clearly state what types of information are collected by the cookies, who the information may be transferred to and the purposes of transferring the information.
  2. If it is voluntary, you should give website users clear information about the consequences of not accepting the cookies, e.g. that it may affect the website’s proper functioning. Alternatively, you can redirect users who choose not to accept the cookies to a version of the website with reduced functionality.

You should also follow three additional best practices when you use cookies to collect website users’ behavioural information:

  1. Set a reasonable expiry date for the cookies beforehand;
  2. Whenever appropriate, encrypt the contents of the cookies; and
  3. Do not deploy techniques such as Zombie, Flash or Super Cookies that ignore website users’ browser settings on cookies, unless your company offers website users an option to disable or reject such cookies.
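
One way to apply practices 1 and 2 above in a web backend, as an added example in Go that is not from this page or the PCPD guidance: the cookie contents are encrypted and authenticated with AES-256-GCM and the cookie is given a bounded lifetime. The cookie name `prefs`, the 30-day lifetime, the cipher choice and the `Secure`/`HttpOnly`/`SameSite` attributes are assumptions, not requirements stated on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/http"
)

// gcmFor wraps a 32-byte key (assumed to be loaded from a secrets store, never hard-coded) in AES-256-GCM.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealCookieValue produces nonce||ciphertext||tag in base64url, which is safe inside a Set-Cookie header.
func sealCookieValue(key []byte, plaintext string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}
// openCookieValue reverses sealCookieValue; a tampered, truncated or malformed value is rejected.
func openCookieValue(key []byte, encoded string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	gcm, gerr := gcmFor(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed cookie value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}
// newPrefCookie stores encrypted preferences with a 30-day lifetime, off plain HTTP, hidden from scripts and cross-site requests.
func newPrefCookie(key []byte, prefs string) (*http.Cookie, error) {
	v, err := sealCookieValue(key, prefs)
	if err != nil {
		return nil, err
	}
	return &http.Cookie{Name: "prefs", Value: v, Path: "/", MaxAge: 30 * 24 * 3600,
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}, nil
}
```

Encryption protects the contents in transit and at rest in the browser, but it does not replace the disclosure and consent obligations described above.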

The European Union’s ePrivacy Directive requires websites to show cookie consent pop-ups, addressing concerns about the tracking of internet users and the confidentiality of electronic communications. Although the Directive is a European Union law, it may apply to your company, since the users visiting your website may be in the European Union. If you are unsure whether your company needs to comply with any European Union law, you should consult a lawyer.

Key takeaways
  • Cookies help with marketing by tracking individuals’ online behaviour.
  • It is important to mention cookies in your company’s privacy policy because the users of your website need to give consent to the cookies tracking their behaviour.
  • It is also important to take three additional steps when collecting website users’ behavioural information:
    1. Set a reasonable expiry date for the cookies;
    2. Encrypt the cookies’ contents; and
    3. Do not deploy techniques that ignore website users’ browser settings on cookies.
  • If you are unclear whether your company needs to be compliant with European Union law on cookies, you should consult a lawyer.

Bibliography:

  1. Office of the Privacy Commissioner for Personal Data, ‘PCPD in Media’: https://www.pcpd.org.hk/english/news_events/newspaper/newspaper_201911.html
  2. Office of the Privacy Commissioner for Personal Data, ‘Online Behavioural Tracking’: https://www.pcpd.org.hk/english/publications/files/online_tracking_e.pdf
  3. Office of the Privacy Commissioner for Personal Data, ‘Guidance for Data Users on the Collection and Use of Personal Data through the Internet’: https://www.pcpd.org.hk/english/publications/files/guidance_internet_e.pdf
  4. GDPR.EU, ‘Cookies, the GDPR, and the ePrivacy Directive’: https://gdpr.eu/cookies/