The cookies rules
- The sole purpose is for carrying out the transmission of a communication, or
- It is strictly necessary in order to provide an online service explicitly requested by that individual
These rules apply regardless of whether personal data is processed.
The Guidance reminds website operators that consent for cookies must meet the standard of the GDPR; namely, a “freely given, specific, informed and unambiguous indication of the data subject’s wishes… by a clear affirmative action”. Unsurprising, the DPC highlights that implied consent, whereby a user simply scrolls or clicks through a website, is not valid consent. Similarly, pre-checked boxes, sliders or other tools, which are pre-set or default to consent, are not compliant.
Users must be presented with optionality: “yes” or “no”, or “agree” or “disagree”. Merely having “OK” or “got it” language won’t suffice. The Guidance criticises nudge behaviours, which give one option prominence over the other. Consequently, equal prominence must be given to the option which allows the user to ‘reject’ or manage their cookie choices. Design of user interfaces should consider accessibility and the use of certain colours may impact users who are visually impaired or colour blind.
Consent must also be sought on a per-purpose basis and the Report suggests that analytics cookies, targeting cookies and marketing cookies require separate consents. This will have implications for website operators using dual purpose cookies. Another recommendation that is likely to attract attention is that users should be asked to reaffirm their consent choices every 6 months. Notably, the DPC acknowledges the legislation does not prescribe a specific lifespan for cookies.
Information to be provided to users
A prerequisite to obtaining consent is the provision of clear and comprehensive information to the user. Helpfully, the Guidance embraces layering as a means of complying with cookie transparency and informed consent requirements.
Helpfully, there are no set periods or duration for cookies set out in the Guidance but their duration should be proportionate to their purpose, which should be assessed on a case-by-case basis. For example, the DPC found an analytics cookie with a lifespan of 10 years to be disproportionate, in particular as the user had provided consent through the movement of their PC’s mouse.
Cookie banners and walls
The Guidance itself does not cover cookie walls, which stop a user entering the website unless they agree to cookies, but the Report suggests that the DPC does not consider cookie walls permissible. If a user decides to “opt-out” or reject non-strictly necessary cookies, the user should not be removed from the website or suffered detriment, such as having the quality of the service diminished.
Oversight of CMPs
The Guidance indicates the DPC will afford website operators a six month grace period from date of publication, 6 April 2020, to bring their cookies practices into compliance.
Some of the DPC’s enforcement priorities can be deduced from the Guidance and Report. First, those operators that were found non-compliant during the 2019 sweep will be brought into compliance. Third party analytics cookies which pose a greater privacy risk will also be an enforcement priority.
Unlike some other Member States, the DPC is competent to enforce both the ePrivacy Regulations and GDPR. In relation to violation of the cookies rules, the DPC has the power to serve an enforcement notice which can require certain steps be taken within a specific time period. It is an offence to fail to comply with an enforcement notice, without reasonable excuse. The practical effect here is that, while failure to comply with the cookie rules is not itself an offence, failure to comply with a DPC enforcement notice without a reasonable excuse is a criminal offence, with the potential for a fine not exceeding €5,000.
The content of this article is provided for information purposes only and does not constitute legal or other advice.