The Irish Data Protection Commission (DPC) has published its updated guidance on Cookie Law and Privacy Management. Here is what you need to know about it and what to do next.
If you would rather read the crux of it than the entire report, here it is in a nutshell. According to the updated guidance on Cookie Law and Privacy Management by the Irish Data Protection Commission, businesses are required to do the following:
The first and foremost thing to learn from the report and the guidance is that implied consent is neither lawful nor adequate.
The second obligation that site owners have is to make sure that there is no nudging. Controllers should not nudge users into taking less privacy-friendly options. The site should assist the user in making better and more well-informed decisions regarding their own privacy.
Thirdly, all controllers must build accessibility into their interface design. This ranges from the choice of colour schemes to fonts and other UI/UX tools. The Commissioner also recommends testing the UX with users who have vision or reading impairments to ensure that it is as accessible as possible. This is something that the Seers Cookie Consent Management Solution already takes care of. In fact, at Seers, you can obtain a cookie consent management solution similar to the one placed on the Information Commissioner's Office's (ICO) own website.
Another key recommendation found in the report, as well as the guidance, is that websites must not assume consent by default. This includes pre-ticked boxes which users must deselect to refuse consent.
It may seem astounding, but 10 of the 38 controllers audited by the DPC were using pre-ticked boxes to obtain consent. This is unlawful.
There is an exemption from consent for cookies that are strictly necessary to provide an online service requested by the user; however, it is narrow and limited to temporary use.
Another key area of attention in the report and the guidance is the use of analytics cookies. The permissible use of these is limited and must be clarified. Cookies used to analyse how users navigate a website or app and how they engage with its content are also considered as somewhat sensitive.
Transparency obligations in the report are as follows:
- The cookie usage shall meet the transparency requirements under Articles 12-14 GDPR (as applicable).
- Banners must be readable and undisrupted by chatbots or other features on the page.
- Controllers need to list all third parties whose cookies or assets are impacting their websites.
- Cookie uses must be clearly explained for the reader or visitor who may not already know.
- Where a controller has multiple websites there must be different privacy notices customised for every site.
Another cookie sin that organisations and websites commit is to build cookie walls. A cookie wall is defined as providing access to a website on the condition that cookie consent is obtained. According to the report:
‘We are of the view that users should not suffer any detriment where they reject cookies or other tracking technologies other than to the degree that certain functionality on the websites may be impacted by the rejection.’
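The two design rules above (no pre-ticked boxes or default consent, and no cookie wall, with only strictly necessary cookies set before a choice is made) can be enforced in one small piece of consent-gating logic. The following is an added example written for this summary; it is not code from the DPC, the ICO or Seers, and the category names, tag identifiers and the shape of the consent record are assumptions chosen for illustration.

```javascript
// Added example: consent gating for a cookie banner that follows the DPC points
// summarised above. Category names, tag ids and the consent record layout are
// assumptions for illustration, not any regulator's or vendor's real API.

// The single table that drives both the banner and the disclosure text.
// Only the exempt category may be used before the visitor has decided anything.
const CATEGORIES = {
  necessary: { exempt: true,  description: "session and consent-choice cookies needed to serve the requested page" },
  analytics: { exempt: false, description: "measures how visitors navigate the site and engage with content" },
  marketing: { exempt: false, description: "profiling and advertising cookies set by third parties" },
};

// Tags the site would like to load, each bound to one category (constructed sample).
const TAGS = [
  { id: "session-cookie", category: "necessary" },
  { id: "analytics-tag",  category: "analytics" },
  { id: "ad-pixel",       category: "marketing" },
];

// Initial banner state: every non-exempt box is unchecked, i.e. nothing is
// pre-ticked. The exempt category is shown as on and locked because it is not
// a choice the visitor is being asked to make.
function initialBannerState() {
  const state = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    state[name] = { checked: meta.exempt, locked: meta.exempt };
  }
  return state;
}

// Record an explicit choice. `choices` maps category -> boolean from the form.
// A category that is absent or not strictly `true` is treated as refused, so
// silence or a malformed value can never become consent.
function recordChoice(choices) {
  const consent = { decidedAt: new Date().toISOString(), categories: {} };
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    consent.categories[name] = meta.exempt ? true : choices[name] === true;
  }
  return consent;
}

// "Reject all" is one action and produces a valid decision, not a missing one.
function rejectAll() {
  return recordChoice({});
}

// Gate for any code that wants to set a cookie or load a tracker.
// `consent === null` means no decision yet: only the exempt category passes.
function mayUse(category, consent) {
  const meta = CATEGORIES[category];
  if (!meta) throw new Error(`unknown cookie category: ${category}`);
  if (meta.exempt) return true;
  return consent !== null && consent.categories[category] === true;
}

// Page access never depends on the decision: rejecting is not a cookie wall.
function pageAccessible(consent) {
  return true;
}

// Which tags may load for a given consent record (or before any record exists).
function tagsToLoad(consent) {
  return TAGS.filter((t) => mayUse(t.category, consent)).map((t) => t.id);
}

// Disclosure lines generated from the same table, so the notice shown to the
// visitor cannot drift from what the gate actually permits.
function disclosureLines() {
  return Object.entries(CATEGORIES).map(([name, meta]) =>
    `${name}: ${meta.description}${meta.exempt ? " (strictly necessary, no consent requested)" : ""}`
  );
}

// Usage: before a decision only the session cookie loads; after "reject all"
// the page is still accessible and still only the session cookie loads.
console.log(tagsToLoad(null), pageAccessible(rejectAll()), tagsToLoad(rejectAll()));
```

The point of deriving the banner state, the gate and the disclosure from one table is auditability: a reviewer can confirm from a single place that nothing is pre-ticked, that non-exempt tags cannot fire before an explicit `true`, and that rejection has no effect on access.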
Separately, the updated cookie guidance from the ICO, the UK's privacy watchdog, makes clear that legitimate interest is not a sufficient lawful basis for processing personal data derived from cookies that is used for direct marketing or profiling purposes.
It is evident in the guidance that the Commissioner is concerned with special category data, such as health data, being unlawfully shared with a monetary or marketing intent.
Although precise geolocation data is not special category data under Article 9 of the General Data Protection Regulation (GDPR), it is still recognised as a form of sensitive data that holds the potential to unveil intimate insights into a user's life. Therefore, any cookies or tracking technologies that involve the processing of data on the precise location of a user require clear and explicit consent.
Accountability: The guidance reminds controllers that if they are systematically monitoring and tracking users' location or behaviour for profiling purposes, then a Data Protection Impact Assessment (DPIA) will be required.
All companies operating in the EU and the UK have a time frame of 8 weeks to switch to using compliant cookie consent management solutions. This 8-week period shall end in October 2020. You can protect your organisation and become compliant with the regulation by using the Seers market-leading Cookie Consent Management Solution.
Implementing the Seers Cookie Consent Management Solution will take a few minutes or less. You will be able to eliminate or curb several legal threats, compliance concerns and risks of litigation through the use of this cookie consent management solution. It is fully compliant with the regulatory guidance by the Data Protection Commission Ireland.