The Irish Data Protection Commission (DPC) has published a report on the use of cookies and other tracking technologies along with an updated guidance note on cookies and other tracking technologies.
Background
In August 2019, the DPC conducted a survey of 38 websites across a range of sectors including media and publishing, the retail sector, insurance, sport and leisure and the public sector. The purpose of this survey was to examine whether organisations were complying with the law, particularly in their use of cookies. From the survey, the DPC noted that almost all the websites had compliance issues ranging from minor to serious. As a consequence of this, the DPC revised its guidance note on the use of cookies.
What are cookies and tracking technologies?
Cookies are small text files stored on a user's device, such as a mobile phone, in which a website can store information. They serve important functions such as remembering a user and their previous interactions with a website, as well as keeping track of items in an online shopping cart. Other types of cookies and tracking technologies include local storage objects (LSOs) or ‘flash’ cookies, software development kits (SDKs), pixel trackers (or pixel gifs), ‘like’ buttons and social sharing tools, and device fingerprinting technologies.
Key points from the DPC
- Consent is required for the setting of cookies (whether or not the cookies collect personal data) and under the GDPR, the level of consent means a clear affirmative action by the data subject. However, consent is not required where (i) the sole purpose of the cookie is to carry out the transmission of a communication over a network; or (ii) the cookie is strictly necessary to provide an information society service that is explicitly requested by the user.
- It should be possible to withdraw consent as easily as it was given.
- Consent for cookies must not be bundled with consent for other purposes. Consent must be obtained for each purpose for which cookies are set (eg analytics, targeting and marketing), although consent does not need to be obtained for every individual cookie (eg it is not necessary for cookies that are "necessary" to deliver a service, such as remembering preferences).
- Pre-checked boxes or sliders or other tools set to 'ON' by default should not be used to signal a user's consent to the setting of cookies.
- Consent should be time limited. While the law does not prescribe specific lifespans for cookies, the DPC recommends that companies ask users to reaffirm their consent no longer than six months after it has been provided.
- The use of a cookie banner or pop-up must not 'nudge' a user into accepting cookies. An option to reject must have equal prominence in the banner. Furthermore, a cookie banner that merely gives the user the option to click “accept” to say yes to cookies and which provides no other option is not compliant. This means banners with buttons that read “ok, got it!” or “I understand” and which do not provide any option to reject cookies, or to click for further, more detailed, information, do not meet the standard of consent required.
- Implied consent for the use of cookies is not sufficient. The DPC does not consider banners which inform users that, by continuing to use the website – whether through clicking, using or scrolling – they are assumed to consent to the use of cookies to be compliant. Furthermore, it is not possible to rely on the user's browser settings to infer consent.
- Links to privacy and cookie policies should be visible and accessible to users without any cookies being set.
- The lifespan of a cookie must be proportionate to its function – for example, it would not be considered proportionate to have a session cookie with a lifespan of "forever".
- Users must be provided with “clear and comprehensive information” about the use of cookies. This information must include the types and purposes of the cookies being set, the third parties who may have access to those cookies and the duration of the operation of the cookies. Where the processing involves personal data, the transparency requirements in Articles 12-14 GDPR must also be complied with.
- Cookies or other technologies to track the location of a user or device should not be used without consent.
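As an added illustration (not code from the article, the DPC guidance or any consent-management product), the following JavaScript shows how a site could encode several of these points in its cookie-setting logic: optional purposes default to OFF, nothing beyond strictly necessary cookies is set until an explicit per-purpose choice is recorded, withdrawal is a single call, consent lapses after the DPC's recommended six months, and cookies whose purpose is no longer covered are purged. The purpose names, the 182-day window used to approximate six months, and the use of a Map in place of document.cookie (so the code runs outside a browser) are all assumptions of this example.

```javascript
// Added example, not part of the article or the DPC guidance: consent-gated cookie setting.
// The cookie jar is an injected Map standing in for document.cookie; purpose names and the
// 182-day approximation of "six months" are assumptions made for this example.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // DPC recommends re-consent within six months
const EXEMPT_PURPOSES = new Set(["necessary"]);   // strictly necessary / transmission cookies need no consent
const OPTIONAL_PURPOSES = ["analytics", "targeting", "marketing"]; // assumed purpose names

// Default state presented in the banner: every optional purpose OFF (no pre-checked boxes).
function defaultChoices() {
  return Object.fromEntries(OPTIONAL_PURPOSES.map((p) => [p, false]));
}

// Record a clear affirmative action. Choices are per purpose, so consent is not bundled;
// only an explicit `true` counts, anything else is treated as not consented.
function recordConsent(choices, now = Date.now()) {
  const purposes = defaultChoices();
  for (const p of OPTIONAL_PURPOSES) {
    if (choices[p] === true) purposes[p] = true;
  }
  return { purposes, givenAt: now };
}

// Withdrawal is as easy as giving consent: one call resets every optional purpose to OFF.
function withdrawConsent(now = Date.now()) {
  return { purposes: defaultChoices(), givenAt: now };
}

// A purpose is covered if it is exempt, or if a record exists, is under six months old,
// and explicitly lists that purpose as consented.
function hasValidConsent(record, purpose, now = Date.now()) {
  if (EXEMPT_PURPOSES.has(purpose)) return true;
  if (!record) return false;
  if (now - record.givenAt > SIX_MONTHS_MS) return false; // consent has lapsed; re-ask the user
  return record.purposes[purpose] === true;
}

// Set a cookie only if its purpose is covered. Returns true when set, false when blocked.
// Lifespan is explicit: no Max-Age means a session cookie; otherwise a bounded Max-Age.
function setCookie(jar, name, value, { purpose, maxAgeSeconds = null }, record, now = Date.now()) {
  if (!hasValidConsent(record, purpose, now)) return false;
  const expires = maxAgeSeconds === null ? null : now + maxAgeSeconds * 1000;
  jar.set(name, { value, purpose, expires });
  return true;
}

// Remove cookies whose purpose is no longer consented (after withdrawal or lapse).
function purgeUnconsented(jar, record, now = Date.now()) {
  let removed = 0;
  for (const [name, cookie] of jar) {
    if (!hasValidConsent(record, cookie.purpose, now)) {
      jar.delete(name);
      removed++;
    }
  }
  return removed;
}

// Walk-through on a constructed timeline.
function demo() {
  const jar = new Map();
  const t0 = Date.parse("2020-04-01T00:00:00Z");
  // Before any interaction only a strictly necessary cookie may be set; analytics is blocked.
  const sessionOk = setCookie(jar, "sessionid", "abc", { purpose: "necessary" }, null, t0);
  const gaBlocked = setCookie(jar, "_ga", "x", { purpose: "analytics", maxAgeSeconds: 86400 * 30 }, null, t0);
  // The user ticks analytics only: analytics is allowed, targeting still blocked.
  const rec = recordConsent({ analytics: true }, t0);
  const gaOk = setCookie(jar, "_ga", "x", { purpose: "analytics", maxAgeSeconds: 86400 * 30 }, rec, t0);
  const adsBlocked = setCookie(jar, "ads", "y", { purpose: "targeting" }, rec, t0);
  // Seven months later the consent has lapsed: the analytics cookie is purged, the session cookie stays.
  const t1 = t0 + 7 * 30 * 24 * 60 * 60 * 1000;
  const removed = purgeUnconsented(jar, rec, t1);
  return { sessionOk, gaBlocked, gaOk, adsBlocked, removed, remaining: [...jar.keys()] };
}
```

In a real deployment the consent record itself would be persisted (for example in a first-party cookie that is itself strictly necessary) and the banner re-shown whenever hasValidConsent reports a lapse; the point of the sketch is that the decision to set any optional cookie passes through one check that can be reviewed against the DPC's list.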
The DPC has given companies 6 months to bring their websites and apps into compliance, after which enforcement action will follow for those that are not compliant. Interestingly, the DPC has said that first-party analytics cookies (ie cookies set by the host website, as opposed to third-party cookies set by a domain other than the one the user is visiting) are likely low risk and therefore are unlikely to be a priority for enforcement. However, as it is clear that the DPC does intend to exercise its enforcement powers later this year, there is no time to lose – businesses should, without delay, review their cookie policies.
For more information, please contact Maureen Daly (m.daly@beauchamps.ie) or any member of the Data Protection team.