11 Things You Need To Know About The DPC's Cookies Guidance

In April 2020, the Irish Data Protection Commission (DPC) published a report of its findings from its cookie sweep of 38 websites of organisations across a range of sectors and released a guidance note on the use of cookies and similar tracking technologies. The guidance outlines what companies need to do to use cookies lawfully, and allowed companies a six-month grace period to implement these measures.

In its analysis, the DPC sought to examine how organisations are using tracking cookies and whether these organisations are complying with the laws governing such cookies. This includes the ePrivacy Regulations with regard to the use of cookies and the General Data Protection Regulation (GDPR) in respect of the processing of personal data via the cookies.

Background

Believe it or not, it is a long-established requirement that organisations cannot place tracking cookies on users’ devices unless the user has given their consent and has been provided with “clear and comprehensive information” about the functionality of such cookies. As a reminder, cookie consent must meet the GDPR standard of “consent,” meaning that it must be freely given, specific, informed and unambiguous.

It has been clear that there has been a ‘wait and see’ approach to many of the finer compliance requirements of the GDPR since its inception over two years ago. As the Schrems II decision recently highlighted and the recent ‘cookie sweep’ shows, businesses are either wilfully or ignorantly in non-compliance with data protection law. Now that the DPC has issued solid guidance on the use of cookies, Irish businesses need to review their use of cookies before enforcement actions start later this year.

What You Need to Know

Say No to Implied Consent

Recital 32 of the GDPR states that “Consent should be given by a clear affirmative act”. The DPC’s guidance falls in line with this concept, and should spell the end for banners proclaiming “By continuing to use this site, you agree to the use of cookies”. Though this interpretation is generally accepted by European regulators, the Spanish authority suggests that if a user has seen a cookie banner and takes a positive action on the website, they have consented to the use of cookies.

To ensure that specific consent is obtained for each purpose for which a cookie is used, and to allow the withdrawal of consent in accordance with the GDPR, the DPC recommends that organisations avoid bundling cookie consents (e.g. by forcing users to accept “all” marketing, analytics, tracking cookies etc.). Organisations must also provide information on how users can withdraw their consent to the use of cookies, and provide them with an easy-to-use mechanism to do so.

As consent must be “informed,” the DPC has further recommended that “clear and comprehensive information” about the use of cookies be provided, such as a short description of the cookie types in your cookie banner and a detailed description in your cookies policy.

Managing Consent

Users must have an easy way to change their consent at any time. Many organisations use consent management platforms, but simply using a platform does not mean your practices or the configuration you have set will comply with the law. As such, the DPC has itself warned that the use of these tools does not in itself ensure compliance.

Pre-checked boxes are out

Whether you have pre-checked boxes or sliders set to ‘on’ for consenting to the use of cookies, you would not be compliant with the DPC’s guidance.


No nudging!

You have probably seen banners that proudly display “Accept” but hide away the “Reject” button, if it is there at all. The DPC requires that the “Reject” button is given equal prominence, or that the user is given an option to manage cookies and accept or reject them by cookie type.


Analytics cookies require consent

The purpose of analytics cookies is to collect data about how users interact with your website, and they can be hugely informative when trying to increase your web traffic. Google Analytics is one of the most commonly used analytics cookies and was found to be in use on about 57% of the 10,000 most popular websites.

The view that analytics cookies always require consent was also put forward by the UK’s ICO, while other regulators, such as the French and German authorities, have taken a more lenient approach, arguing that these cookies may be exempt if certain requirements are met.

Obscuring privacy and cookie notice text


Timeframes and Re-Confirming Consent

Under the GDPR principle of ‘storage limitation’, when cookies retain personal data, data controllers cannot retain that personal data for any longer than is necessary for the purpose for which it was collected. Although the guidance does not advise on an appropriate length of time, the DPC does state that consent should be sought again every six months.
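The consent rules set out above (an affirmative choice per purpose rather than implied consent, no pre-checked defaults, an easy withdrawal mechanism, analytics tags gated behind consent, and consent sought again after six months) translate into a small gating model that a site's script loader can apply before any non-essential tag runs. The JavaScript below is an added illustration and is not code from the DPC guidance, from Apex Privacy, or from any consent management platform; the purpose names, the `analytics:1|marketing:0|ts:…` cookie format, the 182-day approximation of six months, the sample script list and all function names are assumptions chosen for the example.

```javascript
// Added illustration: a per-purpose consent record and a gate that decides
// which tags may run. Purpose names, cookie format and function names are
// assumptions for this example, not anything the DPC guidance prescribes.

const CONSENT_PURPOSES = ["analytics", "marketing"]; // assumed taxonomy; "necessary" needs no consent
const RECONSENT_AFTER_MS = 182 * 24 * 60 * 60 * 1000; // ~six months, the interval the guidance mentions

// A fresh record: nothing is pre-checked, so every purpose starts as "no".
function newConsentRecord() {
  return {
    purposes: Object.fromEntries(CONSENT_PURPOSES.map((p) => [p, false])),
    decidedAt: null, // null = the user has not made an affirmative choice yet
  };
}

// Record an explicit choice. Only a literal `true` counts as consent; a purpose
// the user did not tick (or that is absent from `choices`) stays refused, so
// "continuing to browse" or a dismissed banner can never be read as acceptance.
function recordDecision(record, choices, now) {
  const purposes = { ...record.purposes };
  for (const p of CONSENT_PURPOSES) purposes[p] = choices[p] === true;
  return { purposes, decidedAt: now };
}

// Withdrawal must be as easy as giving consent: one call refuses everything.
function withdrawConsent(record, now) {
  return recordDecision(record, {}, now);
}

// Consent has to be re-sought after the interval; stale consent counts as none.
function consentIsStale(record, now) {
  return record.decidedAt === null || now - record.decidedAt > RECONSENT_AFTER_MS;
}

// The gate: strictly necessary cookies are exempt, anything else needs a fresh "yes".
function mayRun(record, purpose, now) {
  if (purpose === "necessary") return true;
  if (consentIsStale(record, now)) return false;
  return record.purposes[purpose] === true;
}

// Given tags declared with a purpose (e.g. <script type="text/plain" data-purpose="analytics">),
// return only those the current record allows to execute.
function scriptsToLoad(record, scripts, now) {
  return scripts.filter((s) => mayRun(record, s.purpose, now));
}

// Persist the record as a first-party cookie value such as "analytics:1|marketing:0|ts:1601510400000".
function serializeConsentCookie(record) {
  const parts = CONSENT_PURPOSES.map((p) => `${p}:${record.purposes[p] ? 1 : 0}`);
  parts.push(`ts:${record.decidedAt === null ? "" : record.decidedAt}`);
  return parts.join("|");
}

// Parse defensively: a missing, malformed or tampered value yields no consent, never consent.
function parseConsentCookie(value) {
  const record = newConsentRecord();
  if (typeof value !== "string" || value === "") return record;
  for (const part of value.split("|")) {
    const idx = part.indexOf(":");
    if (idx < 0) continue;
    const key = part.slice(0, idx);
    const val = part.slice(idx + 1);
    if (key === "ts") {
      record.decidedAt = /^\d+$/.test(val) ? Number(val) : null;
    } else if (CONSENT_PURPOSES.includes(key)) {
      record.purposes[key] = val === "1";
    }
  }
  return record;
}

// Constructed walk-through (sample script list and timestamp, not real data).
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", purpose: "necessary" },
  { src: "https://analytics.example/tag.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js", purpose: "marketing" },
];
const t0 = Date.UTC(2020, 9, 1); // 1 Oct 2020, constructed
let record = newConsentRecord();
console.log(scriptsToLoad(record, SAMPLE_SCRIPTS, t0).map((s) => s.src)); // only the necessary script
record = recordDecision(record, { analytics: true }, t0);
console.log(scriptsToLoad(record, SAMPLE_SCRIPTS, t0 + 1000).map((s) => s.src)); // necessary + analytics
console.log(scriptsToLoad(record, SAMPLE_SCRIPTS, t0 + RECONSENT_AFTER_MS + 1).map((s) => s.src)); // consent expired: necessary only
```

The design choice worth noting is that the default state and every failure path (no record, unparsable cookie, expired timestamp, non-boolean input) all resolve to "no consent", so a bug or a tampered cookie can only under-load tags, never fire an analytics or marketing tag the user did not agree to.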

Accessibility

The DPC is the first supervisory authority to require that website operators design interfaces to accommodate those with vision impairments or colour blindness. For example, the use of green and red sliders or buttons to signify Yes or No options may not be easily distinguishable for those with red/green colour blindness.

The DPC suggests that when designing your interface, you should test it with people with vision impairments to make sure that it is fully accessible.

Cookie Walls

A cookie wall prevents a user from accessing a website without first accepting cookies. The DPC’s view is that this causes detriment to the user and is no longer acceptable.


Location, location, location

Though precise geolocation information is not a special category of data under the GDPR, the DPC does view it as sensitive information. Therefore, if you are using any cookies or tracking technologies to collect precise geolocation data, you must now collect clear and explicit consent.


Accountability

Finally, the DPC reminded controllers that if you systematically monitor or track users’ behaviour or location for the purposes of profiling, you must complete a Data Protection Impact Assessment (DPIA) to understand the risks to the rights and freedoms of data subjects.


Next Steps

The DPC has warned organisations they have six months to comply with its recommendations before it starts to roll out enforcement actions and fines under the Irish Data Protection Act 2018.

Up until now, the DPC has received criticism from other European jurisdictions due to its lack of enforcement. This may have been somewhat unfair, as substantial effort is being made in cases against global tech companies with bottomless pockets to defend legal actions. However, what is clear now is that the DPC does intend to actively exercise its enforcement powers against websites and apps that do not comply with cookie law.

Website owners and those managing websites on behalf of others can no longer “wait and see”; organisations must take the necessary steps to comply.

Contact us today and find out how Apex can help you get your business fully compliant! 

Author - Paula Mahoney

Junior DPO at Apex Privacy