Transformations in
Business & Economics
- © Vilnius University, 2002-2021
- © Brno University of Technology, 2002-2021
- © University of Latvia, 2002-2021
Article
USE OF COOKIES AFTER GDPR: A CASE STUDY OF TOP LITHUANIAN WEBSITES
Tadas Limba, Kestutis Driaunys, Aurimas Sidlauskas
ABSTRACT. With the implementation of the European Union's General Data Protection Regulation (GDPR) on 25 May 2018, a new regulatory regime for business in Europe and beyond has begun. Many companies had to adjust their data processing processes to meet GDPR compliance requirements. GDPR stipulates that data controllers must have a legal basis for the collection and processing of personal data. One of the most common ways for personal data to be collected and shared online is through website cookies. A cookie is a small text file that is downloaded onto 'terminal equipment' when the user accesses a website. It allows the website to recognise that user's device and store some information about the user's preferences or past actions. Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR.
The investigative problem of this study is expressed through the following question: Which requirements are applied to cookie usage now that the GDPR has come into effect, and what impact has this had on Lithuania's top popular websites? The main purpose of this article is to assess the tendencies as regards the usage of the cookies in accordance with GDPR requirements on the most popular Lithuanian websites. The methodological framework used in the investigation is based on scientific literature analysis and the qualitative research method. The work carried out theoretical narrative, systematic, comparative analysis, and generalisation. A qualitative case study was carried out examining the 100 most popular Lithuanian websites. The obtained empirical findings demonstrate that Lithuanian websites use cookies in breach of GDPR requirements and that complex violations occur. In Lithuania, unlike the other EU Member States, violations pertaining to cookie management continue to remain unnoticed, organisations do not abide by GDPR requirements en masse, whereas individual users and the State Data Protection Inspection are merely passive observers. The conclusions and recommendations of the research have practical value, which will help organisations, users and supervisory authorities to identify the violations connected to cookie usage and to take the relevant measures in order to ensure that data are being processed lawfully and in keeping with GDPR requirements.
KEYWORDS: General Data Protection Regulation, cookies, data controllers, websites.
JEL classification: K20, O21, O30. M10, M30.