The Data Protection Commission (DPC) has become the latest EU supervisory authority to publish guidance on the use of cookies and other tracking technologies. The Guidance was published together with a Report, which contains the findings from a sweep of 40 organisations conducted by the DPC between August and December 2019. We outline some key insights for organisations.
The cookies rules
First, a quick re-cap on the rules governing the use of cookies, particularly as the DPC’s sweep revealed that some confusion exists on the applicable rules. In Ireland, the EU ePrivacy Directive, which contains the rules on cookies, is implemented by the ePrivacy Regulations (SI No. 336/2011). In short, consent is required to either store information, or gain access to information stored, on an individual’s device. This is the essence of the cookies rules. The two exceptions to this general rule are where:
- The sole purpose is for carrying out the transmission of a communication, or
- It is strictly necessary in order to provide an online service explicitly requested by that individual
These rules apply regardless of whether personal data is processed.
Consent
The Guidance reminds website operators that consent for cookies must meet the standard of the GDPR; namely, a “freely given, specific, informed and unambiguous indication of the data subject’s wishes… by a clear affirmative action”. Unsurprising, the DPC highlights that implied consent, whereby a user simply scrolls or clicks through a website, is not valid consent. Similarly, pre-checked boxes, sliders or other tools, which are pre-set or default to consent, are not compliant.
Users must be presented with optionality: “yes” or “no”, or “agree” or “disagree”. Merely having “OK” or “got it” language won’t suffice. The Guidance criticises nudge behaviours, which give one option prominence over the other. Consequently, equal prominence must be given to the option which allows the user to ‘reject’ or manage their cookie choices. Design of user interfaces should consider accessibility and the use of certain colours may impact users who are visually impaired or colour blind.
Consent must also be sought on a per-purpose basis and the Report suggests that analytics cookies, targeting cookies and marketing cookies require separate consents. This will have implications for website operators using dual purpose cookies. Another recommendation that is likely to attract attention is that users should be asked to reaffirm their consent choices every 6 months. Notably, the DPC acknowledges the legislation does not prescribe a specific lifespan for cookies.
Information to be provided to users
A prerequisite to obtaining consent is the provision of clear and comprehensive information to the user. Helpfully, the Guidance embraces layering as a means of complying with cookie transparency and informed consent requirements.
The first layer (such as the popup or banner) should advise the user that their consent is requested for the use of cookies for specific purposes, and link to a second layer which provides more detailed information about (i) the types of cookies in use and their purposes; (ii) the user’s choice to “opt-in” or accept these cookies; and (iii) the third parties who will process information collected when the cookies are deployed. Per the recent Planet 49 decision of the CJEU, information on duration of cookies should also be provided.
Helpfully, there are no set periods or duration for cookies set out in the Guidance but their duration should be proportionate to their purpose, which should be assessed on a case-by-case basis. For example, the DPC found an analytics cookie with a lifespan of 10 years to be disproportionate, in particular as the user had provided consent through the movement of their PC’s mouse.
Cookie banners and walls
Cookie banners that contain a link to more information about the use of cookies must link to easily readable text that is undisrupted by chatbots or other features on the page. Users must be able to read a website’s cookies and privacy policies without any cookies being dropped.
The Guidance itself does not cover cookie walls, which stop a user entering the website unless they agree to cookies, but the Report suggests that the DPC does not consider cookie walls permissible. If a user decides to “opt-out” or reject non-strictly necessary cookies, the user should not be removed from the website or suffered detriment, such as having the quality of the service diminished.
Oversight of CMPs
Utilising a Consent Management Platform (CMP) such as Cookiebot or One Trust – both of which are name-checked in the Report, will not discharge a website operator’s compliance responsibilities. CMPs should be tailored specifically to the needs of each website and must accurately record and respect consent preferences. If a CMP is used to keep a record of a user’s consent to the use of cookies, the website operator must still abide by its internal governance obligations and maintain a record of that consent as part of its record of processing activities under Article 30 GDPR.
Enforcement priorities
The Guidance indicates the DPC will afford website operators a six month grace period from date of publication, 6 April 2020, to bring their cookies practices into compliance.
Some of the DPC’s enforcement priorities can be deduced from the Guidance and Report. First, those operators that were found non-compliant during the 2019 sweep will be brought into compliance. Third party analytics cookies which pose a greater privacy risk will also be an enforcement priority.
Unlike some other Member States, the DPC is competent to enforce both the ePrivacy Regulations and GDPR. In relation to violation of the cookies rules, the DPC has the power to serve an enforcement notice which can require certain steps be taken within a specific time period. It is an offence to fail to comply with an enforcement notice, without reasonable excuse. The practical effect here is that, while failure to comply with the cookie rules is not itself an offence, failure to comply with a DPC enforcement notice without a reasonable excuse is a criminal offence, with the potential for a fine not exceeding €5,000.
For more information, contact a member of our Technology or Privacy & Data Security teams.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
