GDPR liability and self-employment

[A Lee]

I am working as a freelancer at a company and have been for six months. I have recently realised the site was not GDPR compliant as it used Google Analytics by default, so now it requires people to click Accept on the cookie tracking button before it enables tracking of users.

However, my client is not that happy as now their tracking is quite low in numbers. So I have two questions:

1) where does the liability lie if the client demands that I put tracking by default back on? I have made it clear that this is not legal, so if they want to do it anyway, is that their liability or mine?

2) there is a button in the admin section of the website to enable tracking by default, so my manager could simply re-enable it. If my manager turns it back on, and doesn't tell me, presumably that is their liability?

Thanks
Alex

 

[Mike Kilby PC.dp]

If the client own's the site, they are liable regardless of who makes any change.

 

[A Lee]

OK you sound quite sure about that, so that's a relief! Can you tell me any more about how this works in legal terms? In the unlikely event of the organisation being taken to court I want to know my back is covered...

 

[Newchodge]

That needs to be covered in your own contract with them - that your responsibility is limited to .....

 

[A Lee]

That sounds like a good option

 

[Mike Kilby PC.dp]

Cookie law is really quite confusing as there are many websites that have gone totally overkill and others that have done nothing at all.

Cookie legislation is still governed by the Privacy & Electronic Communications Regulations as it has been for years. The only real change bought about by GDPR is that if the cookies are 3rd party (sharing tracking or advertorial information with others) that those need explicit consent.

Pure functional cookies like shopping baskets or security cookies don't need any consent because the users of the site have no choice. If they want to use the site they are necessary.

General tracking cookies are not "necessary" and it will really depend on how they are used, but you could utilise the Legitimate Interest of the company to track visitors to the website to improve the user experience and content, and the Legitimate Interest of the visitors to have served content that is relevant to them. On that basis, an Opt Out cookie consent could work, providing you don't use the data to then later identify that individual and make decisions about them (such as serving up different content to returning visitors or giving repeat visitors a better discount).

As Cyndy said, make sure your contract with the client stipulates that you work on their behalf and that they have ultimate sign-off and responsibility for what is delivered. Ultimately though the definition of the Data Controller is that entity that determines the purpose and use of information. As you are contracted to/employed by them, you are acting on behalf of them and therefore it is their responsibility to make sure you don't do anything unlawful, so they would be held to account.

At worst, protect your back by having an audit trail of your communications that shows you raised concern and they chose to ignore it.

You may already know about this but OneTrust do a free account which last time I looked had a cookie analyser in it which helped to decide if consent was needed.

 

[A Lee]

Thanks for all the great advice. I guess in that case, Google Analytics tracking would count as 3rd party tracking, so that requires consent?

 

[Mike Kilby PC.dp]

Google Analytics is only really 3rd party needing consent if you subscribe to the Google Analytics Ad network (ie your site tracks users and feeds that back so google can serve up ads to the user elsewhere or serve up others ads on your site).

Otherwise it’s really just a data analytics platform and google don’t do anything with the data.

For tracking which pages are visited and from what searches or referrer sites traffic came it’s just anonymous analytics.

Yes it tracks device id’s and up addresses but unless you actively use those to later identify and affect visitors and attribute their browsing to them, your just analysing traffic.

 

[A Lee]

That's great - thanks!