Grace Period for Cookies Compliance: Websites Must Meet the Data Protection Commission's Standards of Compliance or Risk Enforcement

On 6 April 2020, the Data Protection Commission (DPC) published a report and separate guidance on Cookies and Other Tracking Technologies (Guidance), a key area of enforcement for the DPC. The DPC’s report, which found that the majority of websites were not compliant, was based on random sweeps of websites by the DPC in a broad range of sectors including media & publishing, insurance, sport & leisure, retail, hospitality and the government sector.

The Guidance, based on the findings of the report, takes a pragmatic approach and allows website and app operators a grace period of 6 months to bring their use of cookies and other tracking technologies (Cookies) into line with the Guidance. The grace period expires on 5 October 2020. In contrast to some other data protection authorities, the DPC favours pragmatic compliance solutions backed by a real threat of enforcement, rather than false deadlines or idealistic guidance which, in the context of COVID-19, is unlikely to be capable of being enforced. The Guidance makes it clear that a failure to comply by 5 October 2020 will be met with enforcement action by the DPC.

Cookies: Legal Framework

There are two legal frameworks applicable to the use of Cookies: the e-Privacy Regulations (SI No. 336 of 2011) (e-Privacy Regulations) and the General Data Protection Regulation (GDPR). Under the e-Privacy Regulations, Cookies can only be used where a website user:

  • consents to the use of Cookies (unless an exemption applies – see below); and
  • has been provided with clear and comprehensive information which: (a) is prominently displayed; and (b) includes, without limitation, the purposes of the processing of the information (e.g. Cookies banner).

The GDPR must also be applied where Cookies involve the processing of personal data relating to users and, in that event, the standard of consent required is the GDPR standard.

Key Points from the DPC’s Guidance 

The Guidance includes some important insights into the use of Cookies, including some “best and worst” examples of Cookies banners. The following are what we consider to be the key points from the Guidance: 

  • Be clear as to what type of Cookies require consent: The DPC emphasises that Cookies can only be used without consent where the Cookie is either: (a) used for the sole purpose of carrying out the transmission of a communication; or (b) strictly necessary to provide a service explicitly requested by the user. Websites and apps must assess whether a Cookie falls within these exemptions before it is deployed. The Guidance suggests that features, such as chatbots, are not strictly necessary and should not be activated until a user’s consent is obtained. 
  • Consent cannot be “bundled” and an “all or nothing” approach to accepting / rejecting Cookies is not acceptable: One consent for multiple purposes is not acceptable and a user’s consent must be specific to each purpose for which the user’s data are processed (not each Cookie).
  • Consent expires after 6 months for non-exempt Cookies: The DPC considers 6 months to be an appropriate timeframe for storing a user’s consent preference in the case of non-exempt Cookies; any period beyond this needs to be objectively justified on a case-by-case basis.
  • Pre-checked boxes/sliders and implied consent are a NO: The DPC is clear that consent is not valid in its view where the website/app operator relies upon: (a) implied consent (for example, using Cookie banner wording such as “by continuing to use this website, you consent to the use of cookies”); (b) pre-ticked boxes; (c) sliders defaulted to “on”; or (d) other means of passive consent collection.
  • Non-exempt Cookies cannot be switched on automatically when a user lands on a website: Consent must always be obtained before non-exempt Cookies are set or deployed on a user’s device (e.g. analytics Cookies).
  • Easily withdraw consent or change permissions for Cookies: The user must be able to withdraw consent (as easily as it was given) or update/change permissions for Cookies.
  • Clarification on “clear and comprehensive information”: The DPC clarifies that, if a Cookie processes personal data, then the transparency requirements of the GDPR are triggered. This may lead to duplication between a website/app’s privacy statement and Cookies policy, however the DPC recommends that these documents be maintained separately.
  • De minimis information for Cookie banners: The DPC stresses that Cookie banners must: (a) not obscure the text of a website privacy statement or Cookies policy; and (b) provide, at a minimum, a mechanism allowing users to reject non-exempt Cookies or request more information about the use of Cookies.
  • Future-proofing for the proposed EU e-Privacy Regulation is misguided: The DPC states that controllers must focus on complying with the current regulatory regime for Cookies rather than attempting to future-proof for the proposed EU e-Privacy Regulation. We agree that this DPC recommendation makes sense given that many aspects of the proposed EU e-Privacy Regulation are far from settled.
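The points above translate directly into the behaviour a consent mechanism has to exhibit, so the following JavaScript is added here as an illustration of one way to implement them. It is not code from the DPC, the Guidance or the authors of this article. It models a per-purpose consent record in which every non-exempt purpose defaults to off, nothing non-exempt is loaded until the user has made an explicit choice, the stored preference lapses after roughly six months (approximated here as 182 days) so that consent is re-sought, and withdrawal for a single purpose is one call. The cookie name, the purpose names and the loader callbacks are assumptions made for the example; the in-memory store exists so the logic can run outside a browser.

```javascript
// Added example (not from the DPC Guidance or this article's authors): a minimal
// per-purpose consent manager modelled on the Guidance's key points.
// Assumptions: the cookie name, purpose names and loader callbacks are hypothetical;
// "6 months" is approximated as 182 days.

const CONSENT_COOKIE = "cookie_consent";                  // assumed cookie name
const CONSENT_MAX_AGE_MS = 182 * 24 * 60 * 60 * 1000;     // ~6 months, then re-ask
const PURPOSES = ["analytics", "advertising", "chatbot"]; // non-exempt purposes (assumed)

// Storage abstraction so the same logic runs in Node (for testing) and in a browser.
function memoryStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    remove: (k) => { m.delete(k); },
  };
}

// Browser store. The consent record itself is strictly necessary to honour the
// user's choice, so it is exempt and may be written before any other cookie.
function documentCookieStore() {
  return {
    get(k) {
      const m = document.cookie.match(new RegExp("(?:^|; )" + k + "=([^;]*)"));
      return m ? decodeURIComponent(m[1]) : null;
    },
    set(k, v, maxAgeMs) {
      document.cookie = `${k}=${encodeURIComponent(v)}; Max-Age=${Math.floor(maxAgeMs / 1000)}; Path=/; SameSite=Lax; Secure`;
    },
    remove(k) {
      document.cookie = `${k}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
    },
  };
}

function createConsentManager({ store, now = () => Date.now(), loaders = {} }) {
  const loaded = new Set(); // purposes whose scripts have already been injected

  // Every purpose starts at "off": no pre-ticked boxes, no sliders defaulted on.
  const defaults = () => Object.fromEntries(PURPOSES.map((p) => [p, false]));

  // Stored record, or null if absent, malformed, or older than the 6-month window.
  function read() {
    const raw = store.get(CONSENT_COOKIE);
    if (raw === null) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    if (!rec || typeof rec.ts !== "number" || now() - rec.ts > CONSENT_MAX_AGE_MS) {
      store.remove(CONSENT_COOKIE); // expired or corrupt: the preference must be re-sought
      return null;
    }
    return rec;
  }

  // Sanitised view of the user's choices; anything not an explicit true is false.
  function current() {
    const rec = read();
    const c = defaults();
    if (rec) for (const p of PURPOSES) c[p] = !!rec.choices && rec.choices[p] === true;
    return c;
  }

  // True when the banner must be shown: no valid, unexpired choice is on record.
  function needsPrompt() { return read() === null; }

  // Inject scripts only for purposes the user has opted in to, and only once.
  function apply(choices) {
    for (const p of PURPOSES) {
      if (choices[p] === true && typeof loaders[p] === "function" && !loaded.has(p)) {
        loaders[p]();
        loaded.add(p);
      }
    }
  }

  // Persist a per-purpose choice. Only an explicit `true` counts as consent, so
  // "all or nothing" bundling and implied consent cannot slip in.
  function save(choices) {
    const clean = defaults();
    for (const p of PURPOSES) clean[p] = choices[p] === true;
    store.set(CONSENT_COOKIE, JSON.stringify({ ts: now(), choices: clean }), CONSENT_MAX_AGE_MS);
    apply(clean);
    return clean;
  }

  // Withdrawal is a single call, as easy as giving consent. A script already on
  // the page cannot be un-executed; clearing a vendor's own cookies is site-specific.
  function withdraw(purpose) { const c = current(); c[purpose] = false; return save(c); }
  function rejectAll() { return save(defaults()); }

  return { current, needsPrompt, save, withdraw, rejectAll };
}
```

In a browser the manager would be created with `documentCookieStore()` and loaders that append the relevant `<script>` tags; the `Secure` attribute means the consent cookie is only sent over HTTPS. The banner is shown whenever `needsPrompt()` is true, which happens both on a first visit and once the stored choice is older than the six-month window, so the user is asked again rather than the old preference being silently extended.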

Next Steps for Websites and Apps 

The Guidance provides clarity to website/app operators struggling to collect and maintain consent to Cookies. On a practical level, the key takeaways are that the current Cookies regime is the focus and will be enforced (not the proposed EU e-Privacy Regulation); consent to Cookies cannot be an afterthought; and, from 5 October 2020, the DPC will be rolling out enforcement measures with the imminent risk of administrative fines and of being "named and shamed". Websites/apps must use the next few months to ensure compliance with the standards set by the Guidance ahead of the deadline.

Contributed by: Kate Corcoran and Rachel Hayes