Cookies help business
For every museum or, for that matter, museum professional working online, internet cookies are a best friend that comes with a manageable risk, especially for medium and small size museums that don’t have in-house digital support.
Cookies are invaluable for thriving in the digital market: making your website more accessible and user friendly, measuring audience and reaching the right one, surpassing competition, finding sponsors, better planning and wisely evaluating your business and goals.
From a legal perspective, cookies involve internet security, personal data protection and privacy, and this is where museums’ responsibility comes into picture, along with the GDPR (Regulation 2016/679/EU) and the Directive 2002/58/EC on privacy and electronic communications compliance within the E.U.
Information and user consent
Basically, websites’ users must be informed and able to give or withdraw their consent regarding cookies stored on their devices when accessing websites. Websites owners and/or operators must state their cookies policy, clearly informing about the type, the source, the function/purpose and the duration of each cookie in use, as well as the about the user’s available options of accepting, managing or refusing cookies.
Cookies (small text files stored on users’ devices by accessed websites[i]) are set by the accessed website itself (first-party cookies) or by other connected websites, like social media platforms or search engines (third-party cookies). If your website uses third-party cookies, their policy is not under your control, but you still need to inform users about the third-parties involved in the process and further redirect to their policies.
The E.U. law
General Data Protection Regulation aims to protect individuals with regard to the processing of personal data. As defined by art. 4 of the Regulation, personal data “means any information relating to an identified or identifiable natural person”, including location data and online identifiers; “processing” personal data refers to any kind of operation, as collection, recording or use – all of these being directly connected to cookies.
The European Electronic Communications Code (Directive 2018/1972/EU) recognizes the role of cookies in collecting and transmitting personal data like “IP address, or other automatically generated information” (Preamble, recital 16).
Personal data should only be collected and processed for specified, explicit and legitimate purposes, in an adequate, relevant, secured and limited to what is necessary manner. When processing personal data is based on consent, as it is the case for some cookies, the consent must be asked in a fully accessible formulation, in order to be legally binding.
While some cookies are essential to the functioning of websites, other are used for marketing purposes, contributing to users’ profiling, by monitoring location and online activity and behaviors.
GDPR art. 4 defines “profiling” as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.
Not all museum professionals are familiar with internet legal liability or websites technicalities. In this regard, what museums should do is check with their websites’ admins/web designers and make sure, including on contract bases, that all in force regulations are observed.
Moreover, there are cookies management services available on the market, that can automatically check, monitor and secure compliance with all legal requirements. Also, professional services for creating and hosting websites provide ready-made use and privacy terms and conditions, making it easier for all museums and museum professionals to deal with the legal obligations that come with running a website.
So, keep the law on your side and go for it!