The Regulator’s recent Guidance Note on POPIA and direct marketing is about more than just telemarketing (we did a close read of the whole thing, which you can read in part one). So, once you’ve moved through the five stages of grief for call centres as we know them, let’s look at what the Regulator thinks about using cookies.

Do we need to say we’re not talking about choc-chip or vanilla wafer? Nah, we didn’t think so.

COOKIES!

The guidance note includes a cheeky reference to the ‘use of cookies’ as an example of direct marketing through unsolicited electronic communication.

That’s it, no further explanation is provided. So, what do they mean then?

Let’s start with what this doesn’t mean. Not all websites need a cookie consent mechanism (like a cookie banner) of the kind that EU and UK regulations require. Thank the Internet gods!

However, it does mean that if you deploy cookies that collect data and serve targeted advertising to identifiable users, you may need to ask for consent first.

Let’s break it down.

THE TYPE OF COOKIE MATTERS

It only counts if you can identify the person. If you can’t, POPIA doesn’t apply. For instance, if you set your advertising to target women in Gauteng generally, and you’re not collecting any additional information from these users that will help you identify them, POPIA doesn’t apply. If you set cookies to track an identifiable user on your website (while they are signed in to their Google account, for instance) and you then use the data collected to personalise offers to that user, you might need their consent before setting that up.

SMART COOKIE CONSENT TOOLS

We have always argued that targeted advertising is not ‘electronic communication’ as defined in POPIA. Here is our detailed explanation of why. In short, you can (usually) argue that targeted advertising on websites and social media platforms is not a ‘message’ that is ‘stored’ in a network or the data subject’s terminal equipment until it is retrieved. If you agree with this interpretation, you don’t need consent, but you must still make it easy for the user to opt out of receiving the targeted advertising and of the use of those cookies.

If you are a bit more risk-averse and use ALL the cookies to track identifiable users and serve targeted advertising, you should invest in a cookie consent tool, update your privacy notice, and ensure that you get consent before collecting any information.

HOW SHOULD THE COOKIE (CONSENT TOOL) CRUMBLE?

We created this beautiful white paper that explains what you need in your cookie banner.

Here’s the short version:

What must be in your cookie banner? Consent must be a voluntary, specific and informed expression of will. This means that you must allow the person to take a positive action to provide consent, like ticking a box or clicking ‘yes’.

What must be in your privacy notice? Users shouldn’t be surprised about what personal information you collect and what you use it for.

You must give the user enough information so they can decide whether to consent or not.

You need to list all the cookies you use, what information they collect, who the information is shared with, and how you use the information.

We know, it’s a lot!

Can users exercise their rights? You must keep track of the information you collect so that you can answer users’ questions about what you know about them and what you do with that information.

You must have systems in place to record users’ consent and opt-outs.

OH CRUMBS!

If you’re feeling confused, don’t fret – we all are! But until someone gets taken to court or gets fined for using cookies in a way that breaches POPIA, we’re not going to panic.

Call us if you need advice and emotional support (and a cold glass of milk).
