On 6 April 2020, the Data Protection Commission (DPC) published a report and separate guidance on Cookies and Other Tracking Technologies (Guidance), a key area of enforcement for the DPC. The DPC’s report, which found that the majority of websites were not compliant, was based on random sweeps of websites by the DPC in a broad range of sectors including media & publishing, insurance, sport & leisure, retail, hospitality and the government sector.
Cookies: Legal Framework
- has been provided with clear and comprehensive information which: (a) is prominently displayed; and (b) includes, without limitation, the purposes of the processing of the information (e.g. Cookies banner).
The GDPR must also be applied where Cookies involve the processing of personal data relating to users and, in that event, the standard of consent required is the GDPR standard.
Key Points from the DPC’s Guidance
- Be clear as to what type of Cookies require consent: The DPC emphasises that Cookies can only be used without consent where the Cookie is either: (a) used for the sole purpose of carrying out the transmission of a communication; or (b) strictly necessary to provide a service explicitly requested by the user. Websites and apps must assess whether a Cookie falls within these exemptions before it is deployed. The Guidance suggests that features, such as chatbots, are not strictly necessary and should not be activated until a user’s consent is obtained.
- Consent cannot be “bundled” and an “all or nothing” approach to accepting / rejecting Cookies is not acceptable: One consent for multiple purposes is not acceptable and a user’s consent must be specific to each purpose for which the user’s data are processed (not each Cookie).
- Consent expires after 6 months for non-exempt Cookies: The DPC considers 6 months to be an appropriate timeframe for storing a user’s consent preference in the case of non-exempt Cookies; any period beyond this needs to be objectively justified on a case-by-case basis.
- Non-exempt Cookies cannot be switched on automatically when a user lands on a website: Consent must always be obtained before non-exempt Cookies are set or deployed on a user’s device (e.g. analytics Cookies).
- Easily withdraw consent or change permissions for Cookies: The user must be able to withdraw consent (as easily as it was given) or update/change permissions for Cookies.
- Clarification on “clear and comprehensive information”: The DPC clarifies that, if a Cookie processes personal data, then the transparency requirements of the GDPR are triggered. This may lead to duplication between a website/app’s privacy statement and Cookies policy, however the DPC recommends that these documents be maintained separately.
- Future proofing for proposed EU e-Privacy Regulation is misguided: The DPC states that controllers must focus on complying with the current regulatory regime for Cookies rather than attempting to future proof for the proposed EU e-Privacy Regulation. We agree that this DPC recommendation makes sense given that many aspects of the proposed EU e-Privacy Regulation are far from settled.
Next Steps for Websites and Apps
The Guidance provides clarity to website/app operators struggling to collect and maintain consent to Cookies. On a practical level, the key takeaways are that the current Cookies regime is the focus and will be enforced (not the proposed EU e-Privacy regulation); consent to Cookies cannot be an afterthought; and, from 5 October 2020, the DPC will be rolling-out enforcement measures with the imminent risk of administrative fines and being ‘named and shamed’. Websites/apps must use the next few months to ensure compliance with the standards set by the Guidance ahead of the deadline.
Contributed by: Kate Corcoran and Rachel Hayes