DPC publishes Report and Guidance on cookies following a “cross-sector and cross-size” sweep of website operators
On 6 April 2020, the Data Protection Commission (DPC) published a report on the use of cookies and other tracking technologies (Report) and an updated guidance note on cookies and other tracking technologies (Guidance).
The Report is based on a review carried out by the DPC of websites in various sectors in Ireland, including insurance, banking, media, retail and the public sector. The purpose of the DPC’s report was to examine whether organisations are complying with the law, and, in particular, how organisations are obtaining the consent of users for the use of cookies. The majority of the 38 organisations examined were found to have potential compliance issues, particularly in relation to reliance on implied consent for setting non-necessary cookies; lack of choice for users to reject all cookies; bundling of consent for all purposes; and the possible misclassification of cookies as “necessary” or “strictly necessary“. The Report gives an overview of the responses received highlighting what the DPC considers to be both “good” and “bad” practices that it encountered on the websites, and the Guidance provides website operators with guidance on how to comply with the rules relating to cookies, which are set out in the Irish ePrivacy Regulations.
Key recommendations
The DPC Report and Guidance set out the following recommendations (and clarifications) to ensure compliance with the rules relating to cookies:
- Consent is required for the setting of cookies on a website, and the GDPR level of consent must be met (i.e. clear affirmative action), whether the cookies collect personal data or not.
- Pre-checked boxes should not be used for obtaining consent for the setting of cookies.
- The cookies rules draw a distinction between “necessary” cookies that are required to deliver a service (e.g. to authenticate the user or remember preferences) and “non-necessary” cookies (e.g. cookies used for advertising purposes that are not strictly required to deliver the service).
- Implied consent for use of non-necessary cookies is not sufficient (i.e. the DPC does not consider banners stating “by continuing to browse this site you consent to the use of cookies” to be compliant for non-necessary cookies).
- Certain consent exemptions are provided for in Regulation 5(5) of the ePrivacy Regulations, but where a website operator is relying on the “necessary” or “strictly necessary” exemption then it needs to be sure that the criteria set down in the ePrivacy Regulations are met and that the lifespan of the cookie being set is proportionate.
- Consent cannot be bundled. It must be obtained for each purpose that cookies are set (e.g. analytics, targeting and marketing), although it does not need to be obtained for each cookie.
- Consent should be limited to a period of time. Whilst the ePrivacy Regulations do not prescribe specific lifespans for cookies, the DPC recommends that organisations ask users to reaffirm their consent no longer than six months after it has been obtained.
- Users may be provided with a consent management platform (CMP), which enables them to accept or reject cookies used for different purposes, and to vary or withdraw their consent choices at any time. One design solution is a cookie button (or a “radio button“) which reveals sliders or ON/OFF options. The settings of any sliders on CMPs should be clearly labelled ON or OFF, and users know how to ACCEPT and REJECT cookies. Using coloured buttons such as green for ON, and red for OFF, may not provide sufficient clarity and may be confusing for those with colour blindness.
- Links to privacy and cookie policies should always be visible and accessible to users, without them having to consent to cookies or dismiss a cookie banner.
- Non-necessary cookies should by default be set to off.
- A cookie banner that merely gives the user the option to click “accept” to say yes to cookies and which provides no other option is not compliant. This means banners with buttons that read “ok, got it!” or “I understand“, and which do not provide any option to reject cookies or to click for further, more detailed information, do not meet the standard of consent required. Cookie banners must also be designed in such a way that they do not nudge users into accepting cookies. An option to reject must have equal prominence in any banner.
- Users must be provided with “clear and comprehensive information” about the use of cookies. This information must include: the types and purposes of the cookies being set, the third parties who may have access to those cookies, and the duration of the operation of the cookies. Where the processing involves personal data, the transparency requirements in Articles 12-14 GDPR must also be complied with.
- Where cookies involve the processing of special category data based, for example, on inferences drawn from a person’s browsing patterns on a website, or linked data from other sources, consent to such cookies must be explicit, and the controller must ensure that it has a lawful basis to process such data.
The Report and Guidance provide an important reminder to website operators of the importance of keeping privacy and cookie policies accurate and up-to-date, and in compliance with data protection law and regulatory guidance.
For more information contact Davinia Brennan or any member of the A&L Goodbody Commercial & Technology team.
Date published: 23 April 2020