Andras Marcell Marko

May 24, 2018

posted by Andras Marcell Marko

Last minute GDPR Wrap-up Q&A

GDPR last minute Questions and Answers

This blog post is not and should not be interpreted as a legal advise. Yuspify can not be held accountable for the consequences of acting on the statements and hints contained in this blog post. In order to avoid misinterpretation of GDPR regulations and misuse of GDPR technical hints we strongly recommend to seek legal counsel for detailed information.

Types of cookies

The stunning novelty of GDPR is that cookies are declared to be personal data after 25th May.

GDPR is the culmination point of the cookie history. Cookies are originally to identify users and to prepare a customized-personalized form of the website for them. As more and more personal data are getting attached to cookies the more severe is the danger of the users’ identities to be used by unauthorized parties. To discern the types of cookies that bear this risk from those that don’t bear is a long process that reached a milestone with EU Article 29 WP regulation adopted on 3 October 2017  (Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679) that declared the 2 groups of cookies collected by e-businesses:

 1.The first wave of cookies serve the functions that are indispensable for the seamless functioning of a site (for example: navigation history hosting for the sake of comfortable user experience, restoring navigation positions so you don’t have to roll back after you have navigated back to a formerly visited page.)


Macy's - cookies needed for navigation

Navigation scroll bar stays there where we left it. We can enjoy this tiny but very important feature because of a cookie informing the store about our previous crawlings. Source: Macy’s


2. The second group of cookies comprises all the data capture utilized by marketing and promotion activity (+ those cookies that support personalized recommendations are included here)


Self-collected and foreign cookies

The data collected by the data controller (can be stored in cookies or in other data formats) is described as a self-collected cookie mass from the data controller’s point of view, but they are foreign cookies for Yuspify, even after they can be fused into Yuspify’s cookies ( they enrich Yuspify cookies, e.g.: with the user’s name, with purchase history etc.) hence Yuspify appears as the data processor of them.

 It’s the responsibility of the e-store to set up GDPR-compliant, informative forms that offer this for the data owner users.

To ensure this protection scheme Yuspify has raised a „fortified wall”, an inhouse solution where tracking codes get an additional function: they are able to collect information only about those users who have already given their consent. The cookies arriving from these users communicate this: „I am accessible and collectible”


The responsibility of e-stores


GDPR –compliant and non compliant sign up form

GDPR –compliant and non compliant sign up form. By 25 May the majority of Yuspify clients have adopted the compliant form. Source:


Yuspify’s recommendation engine is still able to work without profiling the user: by the visits of those who gave their assent for delivering their behaviour-based data to the data processor. From this sourcing a conservative data mass is accumulated from that Yuspify can still indicate several statistically significant coherences – and therefore recommendations can be authored – however only item-to –item based recommendations.

We have to discard the user-based recommendations for those users that didn’t give their consent. Image: Information Storage and Retrieval (CS 5604) Collaborative Filtering 4/28/2016 Tianyi Li, Pranav Nakate, Ziqian Song Department of Computer Science Blacksburg


What do I have to get the user approve?

To launch onsite recommendations and personalization is it enough if I make the customer approve being the recipient of marketing- and promotion intended letters and ads? 


The answer is Yes. Because “marketing and promotion” category includes personalization and personalized recommendations.

If it is approved by the visitor of the e-commerce store, user-based personalized recommendations get a green light.

If not, user based recommendations are blocked, but the item-based recommendations can still work.

Important: The same users also have to approve or disapprove that their data will be delivered to NAMED third party data processors (like Yuspify) Category is not enough. After contracting with Yuspify, don’t forget to extend the list of YOUR NAMED THIRD-PARTY DATA PROCESSORS.

Named organisations and the depth of Granularity. Listing the 251 third party data processor partners. Nice job. Source: Pagefair


Questions to answer

How much does an e-store lose with these non-recipient users? How much is the loss of an online retailer with discarding user based recommendations, if the dispensable user base is reduced with 10 %?  (10 % of the users doesn’t give their consent, 90 % of them gives). Or 20-80 %? Or 30-70 %?

Reading e-commerce forums and threads you can often see e-store owners ask: what happens if the „I do not consent to receive recommendations” is a phony button, has no effect and the user-based recommendations keep on swarming on the user? Can the authorities track this? Can users detect that these recommendations are not item-based, but based on their behaviour?

Don’t try to set up phony buttons without any effect! The user can easily make distinction between user-based and item-based recommendations. If an investigation or lawsuit is commenced, not the plaintiff but the e-store bears the obligation to prove the consent!


More questions and answers about GDPR compliance

To gain more confirmation on the hints above we copy here some questions submitted by our clients to a prestigious law firm


If I am an e-store owner must I get the user approve that he is being tracked by Yuspify’s tracking code?

Yes, to install and launch Yuspify tracking codes on the device of the end-user their consent is needed (consent must be preceded by informing the user.)

What are the 3 types of cookies?


Cookies serving broadcast via electronic news-transmitting devices –  ( this is not relevant for Yuspify)


Cookies necessary for the unperturbed service provision related to information transmission (like internet providers) no consent needed, user must be informed only.


Cookies needed for services other than category 2. For example, marketing, promotion, market research-related cookies. – Yuspify cookies serving onsite recommendations fall into this category.


Enhance your GDPR compliance: you can launch a standalone consent form or popup with naming Yuspify by following this format. Source: PageFair


How can I reduce the further risk?


Employing a Cookie Consent Manager ( like Trustarc ) will reduce risk, however it doesn’t provide a 100 % protection


Apart from cookie bar and privacy policy the law firm suggests a third feature for Yuspify’s e-commerce clients: A DEDICATED TICKBOX  that collects the user’s consent to receiving personalized recommendations (or cart abandonment emails) In this case we don’t fuse the category of personalized recommendations into the umbrella term of marketing activities.

The data controller e-store is the consent-collector. Yuspify never appears as a data controller, it is only the data processor of the e-commerce store that has the following obligation: to get the consent from the data owners + serve them with detailed information packages.

If you want to learn more about the relation between Data Controller and Data Processor, have a look to Yuspify’s public DATA PROCESSING AGREEMENT  template where the parties are Gravity Research and Development Zrt. (Company reg. no.: 08-10-001848; registered seat: Bálint Mihály str. 64., H – 9025 Győr, Hungary; postal address: 1113 Budapest, Villányi út. 40/b, Hungary; tax no: HU23841901; “Gravity” or „Data Processor”) and the company ordering Yuspify services via website.


Sign up for email updates

Get regular tips and updates from the world of eCommerce and big data.

We take your privacy seriously. No spam. See our Privacy policy here.

Recent Blogposts