The tracking function of cookies has led to widespread concerns about violations of personal privacy and disclosure of personal information. It is therefore necessary for governments to pay more attention to the legal regulation of cookies.
The General Data Protection Regulation (GDPR), issued in January, 2017, by the European Commission, has brought revolutionary changes to personal data protection. GDPR has replaced the E-Privacy (2009) and greatly expanded the definition of personal data, which includes not only general information such as name, address, ID number and IP address, but also fingerprints, religious beliefs and more. In addition, companies or organisations must obtain authorisation from users before collecting or using personal data. Companies that violate the regulation face high fines of up to a maximum of €20 million, or 4 percent of the company’s global income, whichever is higher. This is the reason why GDPR is known as the most stringent data protection law in history.
In general, cookies are clearly defined as personal data by multiple pieces of legislation, and are protected accordingly, while in China the discussion of whether a cookie belongs to personal information has been ongoing for many years since a landmark legal precedent was established.
The Baidu Cookie Case
In this controversial case, the plaintiff believed that Baidu Company had, without permission, recorded and tracked searched keywords that revealed hobbies and other relevant characteristics on the websites, and claimed that such action by Baidu had infringed their privacy rights. However, the argument was rejected by the appeal court, based on the opinion that cookies do not belong to personal data.
Fortunately, the Cyber Security Law of PRC (hereinafter referred to as the Cyber Security Law), issued on December 29, 2017, stated two aspects that should be taken into consideration to determine whether cookies belong to personal information: whether the information can be related to a particular individual, and whether it is information that the particular individual produces going about his or her activities. Information meeting one of the aforementioned criteria shall be judged to be personal information.
As discussed, under the current state of play, it is easy to track cached information, such as a user’s website browsing record. Combined with terminal device information and account information, it can easily identify a specific individual and may be recognised as personal information.
In the absence of special and detailed rules regarding cookies, the collection, use and any treatment thereof shall comply with the general requirements in the Cyber Security Law and other relevant laws, regulations and national standards. As we can see, these requirements mainly include obtaining the consent of the user when collecting personal information, as well as following the principles of legality. In addition, the purpose, manner and scope of collection or use of the information must be clearly indicated.
At the same time, any personal information collected must not be disclosed, destroyed or provided to others without the consent of the collector and users.
As for us individuals, we might feel frustration because we have no choice but to use websites every day and have our actions recorded. The suggestion is to improve our awareness and, when necessary, to sue to the extent of the law.
In addition, technical and other necessary measures should be taken to ensure the reasonable collection of personal information and to prevent information leakage, damage and loss.