On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report and a guidance note on cookies and other tracking technologies. The guidance was published to improve public understanding of cookies and similar tracking technologies, and followed a “cookie sweep” of 38 data controllers’ websites across a range of sectors that took place between August 2019 and December 2019. Organisations were given six months to comply with the new cookie guidance, a period that ended on October 6, 2020, so the DPC is now in a position to take enforcement action under it.
The “cookie sweep” requested information from the data controllers and examined the deployment of cookies on their websites to establish whether, and how, they were complying with the cookie rules. Such sweeps are provided for under the existing cookie law and privacy framework and can be conducted whenever a supervisory authority sees fit.
The report significantly influenced the guidance. The guidance also discusses other scenarios on which the DPC seems likely to focus its enforcement efforts and take strict action.
According to the announcement, the DPC allowed data controllers six months from the date of publication of the guidance to become compliant. In that period they needed to bring their websites and mobile apps into compliance or face enforcement action.
This guidance is broadly similar to the cookie guidance produced by other EU data protection authorities, and in particular to the guidance issued by the UK’s Information Commissioner’s Office (ICO) in 2019.
The key areas covered by the guidance include:
- Analytics cookies require consent, although the guidance indicates that they may be exempt where certain conditions are met.
- Implied consent is unacceptable. The question of implied consent has been much debated; wording such as “By continuing to use this site, you agree to the use of cookies” is no longer permissible. European regulators are broadly unanimous on this point, with the Spanish authority the only exception so far.
- Pre-checked boxes and sliders set to “on” by default are non-compliant. This is already the position under the GDPR, the general European guidance and the Court of Justice of the European Union’s Planet49 decision.
- A cookie consent banner must not obscure the text of the privacy or cookie notice. Users must be given the opportunity to consent before any cookies are set on their device, and non-essential cookies should only be set once consent has been obtained.
- Where a cookie banner is used to record consent, users should be asked to reaffirm their consent no later than six months after it was first requested. The DPC and the French CNIL both treat this as mandatory; the ICO has yet to take a position.
- A website operator must take accessibility into account. Consent interfaces should be designed to accommodate people with vision impairments or colour blindness, and the guidance suggests testing them with users who have vision or reading impairments to confirm accessibility.
- Organisations have six months until “enforcement action will commence”. This is standard practice: the French CNIL and the ICO have given organisations similar grace periods, although the German authorities have not yet defined one.
- Users should not be “nudged” into accepting cookies. The guidance states that if an “accept” button is offered, a “reject” option must be given equal prominence, otherwise the interface creates a bias. The concept of a nudge is not explicit in the GDPR and is absent from the ICO, CNIL and German guidance, which makes this a key takeaway from the DPC guidance.
- Consent management providers (“CMPs”) must revise their implementations. The report identifies issues present in CMPs and ways to overcome them.
- Organisations must remember to conduct Data Protection Impact Assessments (DPIAs). The report suggests that this may be an area on which the DPC focuses its investigation efforts.
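Several of the points above are behavioural requirements that a site’s consent logic can enforce directly: nothing but strictly necessary cookies before a choice is recorded, every non-essential category off by default, rejection treated as a recorded choice rather than a reason to re-prompt, and re-affirmation once the six-month window has passed. The following is an added example in plain JavaScript, not code from the DPC guidance, the ICO or Seers; the category names, the 182-day approximation of “six months” and the Map standing in for the browser cookie store are assumptions made here. Equal prominence of the accept and reject buttons and accessibility are interface concerns and are outside what this example can show.

```javascript
// Added example: a minimal consent gate with no-default-on choices and a
// six-month re-affirmation window. Runs in Node without a DOM; the cookie
// jar is a Map and the category names are assumptions, not the DPC's.

const DAY_MS = 24 * 60 * 60 * 1000;
const SIX_MONTHS_MS = 182 * DAY_MS;                       // assumption: six months ≈ 182 days
const NON_ESSENTIAL = ["functional", "analytics", "advertising"]; // assumed categories

// A fresh record: every non-essential category starts false (no pre-ticked boxes).
function freshConsent() {
  const choices = {};
  for (const c of NON_ESSENTIAL) choices[c] = false;
  return { version: 1, given: false, at: null, choices };
}

// Record an explicit choice. Only categories the user actively ticked become true;
// silence or "continuing to browse" never reaches this function, so it is never consent.
function recordConsent(accepted, now = Date.now()) {
  const record = freshConsent();
  for (const c of accepted) {
    if (!NON_ESSENTIAL.includes(c)) throw new Error(`unknown category: ${c}`);
    record.choices[c] = true;
  }
  record.given = true;
  record.at = now;
  return record;
}

// Consent that is missing, malformed or older than six months must be re-requested.
function needsReaffirmation(record, now = Date.now()) {
  if (!record || record.given !== true || typeof record.at !== "number") return true;
  return now - record.at > SIX_MONTHS_MS;
}

// The gate: strictly necessary cookies are always allowed; anything else needs a
// current, explicit, positive choice for its category.
function mayStoreCookie(category, record, now = Date.now()) {
  if (category === "necessary") return true;
  if (needsReaffirmation(record, now)) return false;
  return record.choices[category] === true;
}

// Parse the stored consent record; anything unreadable is treated as "no consent".
function loadConsent(serialised) {
  try {
    const parsed = JSON.parse(serialised);
    if (parsed && parsed.version === 1 && typeof parsed.choices === "object") return parsed;
  } catch (e) { /* missing or malformed: fall through */ }
  return freshConsent();
}

// Only write the cookie if the gate allows it; returns whether it was written.
function setCookieIfAllowed(jar, name, value, category, record, now = Date.now()) {
  if (!mayStoreCookie(category, record, now)) return false;
  jar.set(name, value);
  return true;
}

// Constructed walkthrough of a visitor's first visit, their choice, and a return seven months on.
function runScenario() {
  const t0 = Date.UTC(2020, 9, 6); // constructed timestamp: 6 October 2020
  const jar = new Map();
  const out = {};

  // 1. First visit: no record yet, so only the strictly necessary cookie is set.
  let record = loadConsent(undefined);
  out.sessionBeforeChoice = setCookieIfAllowed(jar, "session", "abc", "necessary", record, t0);
  out.analyticsBeforeChoice = setCookieIfAllowed(jar, "_ga", "GA1", "analytics", record, t0);

  // 2. The visitor ticks only "functional" and clicks accept; the record round-trips through storage.
  record = loadConsent(JSON.stringify(recordConsent(["functional"], t0)));
  out.functionalAfterChoice = setCookieIfAllowed(jar, "lang", "en", "functional", record, t0);
  out.analyticsAfterChoice = setCookieIfAllowed(jar, "_ga", "GA1", "analytics", record, t0 + DAY_MS);

  // 3. Rejecting everything is also a recorded choice, so the banner does not reappear next month.
  out.repromptAfterReject = needsReaffirmation(recordConsent([], t0), t0 + 30 * DAY_MS);

  // 4. Seven months later the six-month window has passed: re-ask, and stop setting cookies meanwhile.
  const t7 = t0 + 213 * DAY_MS;
  out.reaffirmAfterSevenMonths = needsReaffirmation(record, t7);
  out.functionalAfterExpiry = setCookieIfAllowed(jar, "lang", "en", "functional", record, t7);

  out.cookiesInJar = [...jar.keys()].sort();
  return out;
}
```

In a real site the gate sits in front of every script that sets a non-essential cookie, including third-party tags, and the record itself is stored as a first-party cookie or in local storage. Treating a rejection as a valid, stored choice matters: re-prompting on every page load until the user gives in is exactly the kind of nudge the guidance objects to.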
A lack of DPIAs can cause legal problems for an organisation, as well as reputational damage and loss of business. Fines have been imposed across the EU, and the Irish DPC is one of the most aggressive data protection authorities in terms of monetary corrective measures.
The report further states: “the use of inquiries (with or without investigation), inspections or audits to examine all aspects of a data controller’s processing activities…may be a particularly effective option should further action be considered necessary, for example, in relation to health-related websites or other sites where controllers link data from cookies to an explicit profile or identifier”.
Seers consent management solution
Let Seers help your organisation to become compliant with these additional guidelines published by the Irish Data Protection Commission by using our world-leading cookie consent management solution.