Disclaimer: This blog post is not and should not be interpreted as legal advice. Yuspify cannot be held accountable for the consequences of acting on the statements and hints contained in this blog post. To avoid misinterpretation of GDPR regulations and misuse of GDPR technical hints, we strongly recommend seeking legal counsel for detailed information.
The stunning novelty of GDPR is that cookies are declared to be personal data after 25th May.
GDPR is the culmination of the history of cookies. Cookies were originally meant to identify users and to prepare a customized, personalized form of the website for them. As more and more personal data gets attached to cookies, the danger grows that users’ identities will be used by unauthorized parties. Discerning the types of cookies that bear this risk from those that don’t has been a long process. It reached a milestone with the EU Article 29 WP regulation adopted on 3 October 2017 (Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679), which declared the 2 groups of cookies collected by e-businesses:
1. The first group of cookies serves the functions that are indispensable for the seamless functioning of a site (for example: storing navigation history for a comfortable user experience, or restoring navigation positions so you don’t have to scroll back after you have navigated back to a previously visited page).
2. The second group of cookies comprises all the data capture used by marketing and promotion activity (cookies that support personalized recommendations are included here).
The data collected by the data controller (which can be stored in cookies or in other data formats) is, from the data controller’s point of view, a self-collected mass of cookies. For Yuspify they are foreign cookies, even though they can be fused into Yuspify’s cookies (they enrich Yuspify cookies, e.g. with the user’s name, purchase history, etc.); hence Yuspify appears as their data processor.
It’s the responsibility of the e-store to set up GDPR-compliant, informative forms that offer this to the users who own the data.
To ensure this protection scheme, Yuspify has raised a “fortified wall”: an in-house solution where tracking codes get an additional function. They are able to collect information only about those users who have already given their consent. The cookies arriving from these users communicate this: “I am accessible and collectible.”
Yuspify’s recommendation engine is still able to work without profiling the user: it relies on the visits of those who gave their assent to delivering their behaviour-based data to the data processor. From this source a conservative mass of data is accumulated, from which Yuspify can still identify several statistically significant correlations, and therefore recommendations can still be produced, but only item-to-item recommendations.
The answer is yes, because the “marketing and promotion” category includes personalization and personalized recommendations.
If it is approved by the visitor of the e-commerce store, user-based personalized recommendations get a green light.
If not, user-based recommendations are blocked, but the item-based recommendations can still work.
Important: The same users also have to approve or disapprove the delivery of their data to NAMED third-party data processors (like Yuspify). A category is not enough. After contracting with Yuspify, don’t forget to extend the list of YOUR NAMED THIRD-PARTY DATA PROCESSORS.
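The consent logic described above, sketched as an added example (this is not Yuspify's tracking code or API; every function and field name is hypothetical and the sample decisions are constructed): behaviour is collected only for users who approved both the marketing category and the named processor, everyone else gets item-based requests without an identifier, and each decision is logged so the e-store can prove consent.

```javascript
// Added example; all names are hypothetical, not Yuspify's tracking code or API.
const PROCESSOR = "Yuspify"; // named processor listed in the store's consent form

// The e-store (data controller) appends every decision so consent can be proven later.
function recordConsent(log, userId, marketing, processors, when) {
  const entry = Object.freeze({
    userId,
    marketing: marketing === true,
    processors: Object.freeze([...processors]),
    timestamp: when.toISOString(),
  });
  log.push(entry);
  return entry;
}

// The latest decision wins, so a withdrawal overrides an earlier consent.
function currentConsent(log, userId) {
  for (let i = log.length - 1; i >= 0; i--) {
    if (log[i].userId === userId) return log[i];
  }
  return null; // no record means no consent
}

// Category consent alone is not enough: the processor must also be named.
function mayProfile(consent) {
  return consent !== null && consent.marketing &&
    consent.processors.includes(PROCESSOR);
}

// Behaviour events are collected only for consenting users.
function trackEvent(log, userId, itemId) {
  if (!mayProfile(currentConsent(log, userId))) return null; // nothing is collected
  return { type: "view", userId, itemId };
}

// Without consent the request carries no user identifier and is item-based only.
function recommendationRequest(log, userId, itemId) {
  return mayProfile(currentConsent(log, userId))
    ? { mode: "user-based", userId, itemId }
    : { mode: "item-based", itemId };
}

// Constructed sample decisions.
const consentLog = [];
recordConsent(consentLog, "u1", true, ["Yuspify"], new Date("2018-06-01T10:00:00Z"));
recordConsent(consentLog, "u2", true, [], new Date("2018-06-01T10:05:00Z"));
recordConsent(consentLog, "u3", true, ["Yuspify"], new Date("2018-06-01T10:10:00Z"));
recordConsent(consentLog, "u3", false, [], new Date("2018-06-02T09:00:00Z"));
```

Here u2 approved the category but did not name the processor, and u3 withdrew a day after consenting, so both are treated as non-consenting.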
How much does an e-store lose with these non-recipient users? How much does an online retailer lose by discarding user-based recommendations if the usable user base is reduced by 10 %? (10 % of the users don’t give their consent, 90 % of them do.) Or 20-80 %? Or 30-70 %?
Reading e-commerce forums and threads, you can often see e-store owners ask: what happens if the “I do not consent to receive recommendations” button is a phony one that has no effect, and the user-based recommendations keep swarming the user? Can the authorities track this? Can users detect that these recommendations are not item-based, but based on their behaviour?
Don’t try to set up phony buttons without any effect! The user can easily distinguish between user-based and item-based recommendations. If an investigation or lawsuit is commenced, it is not the plaintiff but the e-store that bears the obligation to prove the consent!
To gain more confirmation of the hints above, we copy here some questions submitted by our clients to a prestigious law firm.
Yes, to install and launch Yuspify tracking codes on the device of the end-user, their consent is needed (consent must be preceded by informing the user).
1. Cookies serving broadcast via electronic news-transmitting devices (this is not relevant for Yuspify).
2. Cookies necessary for the unperturbed provision of services related to information transmission (like internet providers): no consent is needed, the user must only be informed.
3. Cookies needed for services other than category 2, for example marketing, promotion and market-research-related cookies. Yuspify cookies serving onsite recommendations fall into this category.
Employing a Cookie Consent Manager (like Trustarc) will reduce risk; however, it doesn’t provide 100 % protection.
The data controller e-store is the consent collector. Yuspify never appears as a data controller; it is only the data processor of the e-commerce store, which has the following obligation: to get the consent from the data owners and to serve them with detailed information packages.
If you want to learn more about the relation between Data Controller and Data Processor, have a look at Yuspify’s public DATA PROCESSING AGREEMENT template, where the parties are Gravity Research and Development Zrt. (Company reg. no.: 08-10-001848; registered seat: Bálint Mihály str. 64., H – 9025 Győr, Hungary; postal address: 1113 Budapest, Villányi út. 40/b, Hungary; tax no: HU23841901; “Gravity” or “Data Processor”) and the company ordering Yuspify services via the yuspify1.staging.wpengine.com website.