Hi, this is Mori again from KINTO Technologies (KTC). I’ve been writing blogs, including co-authored ones, and I just can’t believe this one is already my 10th article! Almost all my posts in the Tech Blog are about event reports, but today, let me talk about a story from my daily work.

Well, I usually work as a Product Manager (PdM) of the Global KINTO Web and project lead of PII (Personal Identifiable Information) related tasks in the Global Development Division. Since PII tasks are mainly about the user pool of each KINTO services around the world, both of my tasks are rarely linked together. But for once, it did! We took care of activities to comply with GDPR on the Global KINTO Web. Finally, the time has come for my two main jobs to intersect! 👏👏👏

If you would like to know more about our GDPR compliance activities related to transferring personal information globally between each KINTO user pool, you can check out my previous article Compliance with GDPR in the Global KINTO Looking back, since it was my debut article, it’s amusing to see how the writing is too stiff and serious😂

What is GDPR? Who is the Target?

Before starting to write this article, I reread my previous one and realized that there is no explanation of 'What is GDPR?' OMG🤦‍♀️ Let me explain about it now.

GDPR is the acronym for the General Data Protection Regulation and it’s a legislation within Europe. It regulates how to protect and process personal data within the European Union (EU) and the European Economic Area (EEA) The purpose is to protect the personal data of individuals residing within the territory. The target is residents, regardless of their nationality

This of course means that companies in the EU should comply with the GDPR. However, even companies outside of the EU might be targeted for the following reasons:

• When a company has branch or a subsidiary in the EU
• When a company provides products or services for the EU
• When a company is entrusted to process personal data of EU residents to a third party

For example, even if the language of a website is English, it might be out of the scope of GDPR if EU customers are not the target. On the other hand, if your services target inbound customers visiting your country, you are likely to be subject to this regulation.

Global KINTO Web and GDPR Tasks

The Global KINTO Webis a brand website of KINTO services which are available in +40 countries around the world. Since many KINTO services are available in Europe, European customers are also the target audience of this website. That is why compliance with GDPR cannot be ignored. Of course, we set up policies at the time of release. However, the situation has changed significantly since the beginning, with changes in operational structure, updates to features, and revisions to regulations, among other things. We have decided to re-establish policies and other compliance activities with the support of an external lawyer.

In the Global KINTO Web, we collect customer information, such as names, email addresses, phone numbers, etc., through the inquiry form. Additionally, we use cookies to enhance our website. Cookies are classified as “Information related to personal information” according to Japanese regulation, but they are considered as “Personal Information” in GDPR. Thus, if the website is targeting European customers, compliance with GDPR is necessary even though the website collects only cookies from users. As a side note, in GDPR itself, cookies are only briefly mentioned in Recital 30. For details, they are more concretely and comprehensively regulated in the ePrivacy Directive (EPD), also known as the cookie law.

Well, what should we do to collect cookies? Here are the specific tasks:

• Receive users’ consent before you use any cookies except strictly necessary cookies.
• Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
• Document and store consent received from users.
• Allow users to access your service even if they refuse to allow the use of certain cookies
• Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu

GDPR requires establishing a Privacy Policy and other measures, but the tasks mentioned above are additionally requested to collect cookies. I guess you’ve all seen various websites with pop-ups or banners regarding cookie collection (Cookie consent pop-up). THAT is mainly what it is.

Cookie Types 🍪

Cookies can be classified as 4 categories by its purpose.

Category	Contents
Strictly necessary cookies	These cookies are necessary for the website to function properly. For example, these cookies may store items in the cart of an e-commerce site or maintain language settings. Disabling these cookies may result in the website not functioning properly. Consent from the users is not required. Also, they do not store information that can identify individuals.
Functionality cookies	These cookies are used to personalize the experience by remembering choices users have made in the past. For example, these cookies determine which area's weather news should be shown or what the user's name is, etc. They are also known as “Preferences Cookies” Information that can identify individuals is not stored.
Performance cookies	These cookies are used to improve websites. They collect information about how a user uses a website such as pages visited, links clicked and so on. All data is anonymized, and information that can identify individuals is not stored. They are also known as “Statics Cookies”
Targeting cookies	These cookies track user’s online activity and show personalized ads based on their interests. This information might be shared with other organizations or advertisers to measure the performance of ads. Targeting cookies are also known as “Advertising Cookies” since they are mainly used for advertising.

Global KINTO Web collects “strictly necessary cookies” and “performance cookies” from the above categories. As mentioned in above, since strictly necessary cookies are mandatory for the proper functioning of the system, such as keeping language settings or items in an e-commerce site’s cart, user’s consent is not required. However, we had to implement a mechanism to acquire consentand withdraw consent easily in order to collect performance cookies.

Issues on Cookie Consent Pop-up

While we consider the implementation of the cookie consent pop-up, we have faced one issue: the sample size of user data might be significantly reduced compared to what we currently could. That’s because there are many users who reject the collection of cookies feeling anxious to provide this mysterious data called cookies. There may be some readers among you who find it annoying and click on "just reject for now!🙅‍♀️" as they are repeatedly displayed on the screen, don't you think?

Thus, we will deep-dive on the need of this cookie consent pop-up. As mentioned earlier, the pop-up is necessary to comply with the European GDPR. However, according to the interpretation of Japanese regulations (such as the Personal Information Protection Act and the Cookie regulations based on the Telecommunications Business Act), it may not be required in some cases. For our Global KINTO Web case, too, we have judged there is no need to implement it globally, except for Europe. (Of course, with advice from our external lawyer.) Please note that although it’s not required from a legal point of view, a website might display a cookie consent pop-up intentionally as a form to display CSR. We reached this decision by weighing the practical operation against other advantages.

For more information regarding the interpretation of Japanese Amendments to the Act on the Protection of Personal Information, you can visit this article from TOPCOURT Law firm which explains it well.

Preliminary Study

We decided to display the pop-up only for Europe, but we studied how other websites do it, just in case. Luckily for us, there was a team member who traveled back to her home country in Europe! So we asked her to research how other websites display them, given that cookie consent pop-up is not shown in Japan 😎 Let me show you some side by side screenshots below:

Website	Japan	Europe
Facebook
Google
Booking.com
Toyota Motor

When we accessed websites in the European region, what surprised us was that there were tons of websites showing pop-ups to request consent, no matter the content! Not only were there cookie consent pop-ups, but it also seemed like there were various solutions, such as switching URLs for display through redirects, switching policies, and so on.

Consent Acquisition Flow

Now, we have confirmed that many websites take special care in Europe when collecting cookies, and also confirmed the fact that we definitely should have a pop-up. This time, based on the advice from our external lawyer, we decided to acquire consent from users in Europe as the below image.

How can a user withdraw their consent? They can do it from the [Cookie Preference] button in the Privacy Policy whenever they want. Additionally, we designed it so that consent expires every 6 months. This is for providing users an opportunity to re-consider the privacy setting periodically, and ensure transparency

Actual Screen

After that, we finally released our new cookie consent pop-up with an updated privacy policy on Nov 1. Different views are shown depending on regions, as follows:

Japan	Europe
A pop-up to notify Privacy Policy update is shown to anyone around the world since it’s required by various countries.	Cookie consent pop-up is shown only for Europe.
No pop-up or banner is shown after closing the notification pop-up.	Users can adjust their consent for Performance Cookies through the “Cookie Preferences”.

To Sum It Up

As this PII related world including GDPR is so deep and complicated, there are many things that I still don’t know even over 2 years has passed since I was assigned to it. New violations continue to be sentenced, and regulations and guidelines are enacted or revised daily in various countries. Yet, we don’t want to lose usability and limiting the range of actions we can perform. Figuring out this balance is really important 🤔⚖️

The story I’ve shared today is just only an example case supported by external lawyers and it can’t always be applied to other scenarios. For example, to counter the challenge of increased rejection rates like we've faced, designing a UI/UX which makes the pop-up less likely to be rejected is one possible solution. How to comply with each regulation depends on the website’s purpose, target audience, contents and the situation. And since regulations like this are interpreted differently by different people, we can’t completely say "it is absolutely safe if you do it this way!”.

The Global KINTO Web should be updated continuously, according to the varying situation of countries where it’s present. If you see a cookie consent pop-up on our website, it would be great if you think “Ah, they are trying to comply with each regulation properly👍”. Thank you for reading this long article, see you next time at my 11th blog🙋‍♀️

Reference

• Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
• クッキーは個人情報？規制の対象となるクッキーについて | BizRis
• Cookie（クッキー）同意ポップアップの実装率と設置場所
• Global Reach - グローバル展開する企業を支援
• Cookie types