Almost every website has cookies (welcome to the internet!), but not all cookies have the same privacy implications. And as consent now has to be given through means of affirmative action, automated marketing solutions must adapt to the new regulations. 🍪 Read below to learn how cookies are handled in FULL FABRIC! 👋
💁🏾♂️ TIP: Along with this article, you might want to have a look at our General Data Protection Regulation (GDPR) Glossary and our article on What is the General Data Protection Regulation (GDPR)?.
The footer is automatically prompted when users first visit the portal after the policy’s publication, which could be by landing on any portal page (login page excepted), an application form, an offer form, a form landing page, an event landing page, or the portal user settings page. It will continue to reappear until the data subjects submit their preferences, never to be asked again; and even if a data subject is logged out when submitting their preferences, the browser will remember the settings next time the user signs in. The only times that this doesn't happen is when site visitors use a different browser, clear the browser cookies or go into private browsing mode.
For ease and convenience, we offer standard texts in English that are ready to use, but they're entirely customisable to reflect your school's own voice. Just send us the content and we'll put it up for you! ✏️
Why must cookie consent be obtained?
Cookies are a privacy concern, as they essentially save one's session in small text files stored in the person's web browsers (more specifically, in the web browsers’ Temporary Internet Files folders, located in the hard drive of a computer or mobile device). If the data subject's device is compromised, hackers could look at the cookies and find sensitive information about the data subject's online presence.
Bearing this in mind, the GDPR made it a legal requirement to solicit cookie consent. Quoting from the GDPR's Recital 30: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
Put simply, whenever cookies can identify an individual, they're considered personal data, and most cookies collect such personal data. As a result, it's indispensable to explain the purpose of the cookies installed by your school's portal (e.g., analytics, third-party activity such as Google Tag Manager, etc.), and allow users to opt in or opt out, as cookie management carries a great deal of weight for those interested in their privacy.
To sum up:
Users must have a choice to agree to all cookies;
User consent needs to be explicit and be a clear affirmative action;
Users should be able to easily revoke/change their consent.
Please note that the GDPR imposes heavy fines on instances of non-compliance, among other serious consequences.
Who's asked for consent?
Everyone but staff users and lecturers, since their professional link to the school already implies an agreement to basic tracking and data processing in order to perform their work duties and freely use the portal. Even if personnel rejects functional and/or analytical cookies when signed out, the system will automatically override this from the moment they log in.
How can cookie settings be viewed and changed?
At any point, data subjects may enter their portal user settings page (SETTINGS > Advanced > Manage my cookie preferences) and alter their initial choice.
Strictly necessary cookies can't be turned off, as their absence would cause the sessions to fail, but Functional cookies and Analytical cookies are disableable (more on this below).
Staff can't modify the cookie settings of applicants, students and so on, although they can be easily consulted (profile Advanced tab > Policies). Staff edits would be futile, because as soon as the data subject signed in, the preferences stored in their browsers would automatically override the staff-inputted settings.
What type of cookies does FULL FABRIC use and what's the impact of users deselecting either type?
FF uses three types of cookies:
Strictly necessary cookies — As mentioned before, these cookies help websites run properly, as they collect the session ID, authentication data, language settings, and other crucial non-private details. GDPR recognises the importance of strictly necessary cookies and stipulates that they can be enforced regardless of consent. Therefore, they can't be ticked off in FULL FABRIC.
Functional cookies — Regarding functional cookies, they're used to deliver services or to remember settings, such as features involving customisation or a more personalised experience, to enhance one's visit. They're not fundamental to the overall navigation of the portal, but they may severely limit or prevent the usage of certain tools. As of now this isn't the case, because currently none of FF's features depend on functional cookies to operate. However, we're asking for consent in advance to have room for manoeuvre in the future.
Analytical cookies — Last, but not least, analytical cookies are used to track visitor activity on the portal (e.g., page views, if a submitted application originated from an event attendance, if a brochure request generated new applicants, patterns of usage, etc.). In turn, this lets you monitor the efficiency of your content and methodologies and ultimately optimise your school's modus operandi. The impact is most felt here, because data subjects who decline analytical cookies can't be tracked in Google Tag Manager at all, and there's no getting around this. Moreover, since the legislation doesn't allow this box to be pre-checked, it's up to users to check the box on their own.
The behaviour outlined above merely follows the mandates of the GDPR. Should there be any doubt about any of this, consider approaching your DPO for clarification and guidance.
We already solicit cookie consent on our website
Every online service or channel must comply with the GDPR. FULL FABRIC is no exception, as there's no way for us to retrieve the cookie preferences that a data subject determined for your website. Not seeking consent in the portal would be a direct violation of the GDPR, as data subjects could opt-out of analytical and/or functional cookies in your school's main website and then be tracked here against their will by not having been consulted. Please make sure you understand your compliance responsibility and successfully adhere to GDPR! 😌
PUBLISHED: September 24, 2019
LAST UPDATED: November 4, 2019 at 9:05 a.m.