Cookies help business
For every museum or, for that matter, museum professional working online, internet cookies are a best friend that comes with a manageable risk, especially for medium and small size museums that don’t have in-house digital support.
Cookies are invaluable for thriving in the digital market: making your website more accessible and user friendly, measuring audience and reaching the right one, surpassing competition, finding sponsors, better planning and wisely evaluating your business and goals.
From a legal perspective, cookies involve internet security, personal data protection and privacy, and this is where museums’ responsibility comes into picture, along with the GDPR (Regulation 2016/679/EU) and the Directive 2002/58/EC on privacy and electronic communications compliance within the E.U.
Information and user consent
Basically, websites’ users must be informed and able to give or withdraw their consent regarding cookies stored on their devices when accessing websites. Websites owners and/or operators must state their cookies policy, clearly informing about the type, the source, the function/purpose and the duration of each cookie in use, as well as the about the user’s available options of accepting, managing or refusing cookies.
Cookies (small text files stored on users’ devices by accessed websites[i]) are set by the accessed website itself (first-party cookies) or by other connected websites, like social media platforms or search engines (third-party cookies). If your website uses third-party cookies, their policy is not under your control, but you still need to inform users about the third-parties involved in the process and further redirect to their policies.
The E.U. law
General Data Protection Regulation aims to protect individuals with regard to the processing of personal data. As defined by art. 4 of the Regulation, personal data “means any information relating to an identified or identifiable natural person”, including location data and online identifiers; “processing” personal data refers to any kind of operation, as collection, recording or use – all of these being directly connected to cookies.
The European Electronic Communications Code (Directive 2018/1972/EU) recognizes the role of cookies in collecting and transmitting personal data like “IP address, or other automatically generated information” (Preamble, recital 16).
Personal data should only be collected and processed for specified, explicit and legitimate purposes, in an adequate, relevant, secured and limited to what is necessary manner. When processing personal data is based on consent, as it is the case for some cookies, the consent must be asked in a fully accessible formulation, in order to be legally binding.
The legal obligation of informing users and getting their consent on the use of cookies are clearly stipulated in the Preamble, recital 25 of Directive 2002/58/EC: “so-called ‘cookies’, can be a legitimate and useful tool, for example, in analyzing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where (…) cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information (…) about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment”.
While some cookies are essential to the functioning of websites, other are used for marketing purposes, contributing to users’ profiling, by monitoring location and online activity and behaviors.
GDPR art. 4 defines “profiling” as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.
Options
Not all museum professionals are familiar with internet legal liability or websites technicalities. In this regard, what museums should do is check with their websites’ admins/web designers and make sure, including on contract bases, that all in force regulations are observed.
Moreover, there are cookies management services available on the market, that can automatically check, monitor and secure compliance with all legal requirements. Also, professional services for creating and hosting websites provide ready-made use and privacy terms and conditions, making it easier for all museums and museum professionals to deal with the legal obligations that come with running a website.
Added value
Besides being in line with the law, a clear, transparent, and honest cookie policy on a museum or professional website helps building trust among customers and supports a good business reputation for your brand.
A 2018 report[ii] concluded that only 5% of internet users refused cookies, meaning that business websites have enormous opportunities in using digital marketing tools related to cookies. A 2021 survey in the U.S. showed that nearly 32% of respondents always accepted all cookies when given the option[iii]. On the other hand, big internet players like Google and Facebook were fined (€ 125 million and € 60 million, respectively) by the French authorities, for illegal use of cookies, in 2021[iv].
So, keep the law on your side and go for it!
Museum Anonymous 