Irish cookies guidance updated after failings identified

Out-Law News | 09 Apr 2020 | 3:44 pm | 4 min. read

Businesses operating websites and apps in Ireland have been given until 6 October this year to update their policies and practices on 'cookies' in line with new guidance issued by the Data Protection Commission (DPC). Cookies are small text files that record internet users' online activity.

The regulator has moved to update its guidance on cookies and other tracking technologies after identifying "widespread" failings of compliance during a 'sweep' of websites last year. The guidance will not be enforced until after six months have expired from its date of publication on 6 April, the DPC said.

"The fact that bad practices were widespread even among companies and controllers that are household names suggests a more systemic issue that must be tackled firstly with the publication of new guidance, followed by possible enforcement action where controllers fail to voluntarily bring themselves into compliance," the DPC said in its report.

Dublin-based technology law expert Andreas Carney of Pinsent Masons, the law firm behind Out-Law, said: "The publication of the guidance is the DPC’s first step to addressing the issues, with potential for enforcement to follow. The detailed guidance on cookies and trackers, with useful examples, provides clarity on what is required. Elements of the guidance will take some businesses by surprise."

"Businesses should not waste the six months they have been given before the DPC begins to enforce the new guidance. Any organisations using cookies, particularly those for which user consent is needed, should carry out a cookies and tracker audit and update their website to meet the requirements set out in the guidance," Carney said.

The DPC's sweep, which took place between August and December 2019, involved a review of how 38 well-known organisations apply cookies and manage user consent. Those organisations operate in media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector. The DPC noted that the organisations included controllers whose use of cookies had come to the attention of the DPC through complaints from the public, and so appear to have been on the DPC's 'radar'.

One specific concern the DPC identified was some organisations' continued reliance on implied consent to the use of cookies.

Nicola Barden of Pinsent Masons said: "A number of data protection authorities in the EU have provided guidance on cookies and their views sometimes differ. The DPC has, very helpfully, flagged where its view differs from other data protection authorities (DPAs). These are important for controllers which operate websites across the EU as it highlights a requirement for such controllers to take account of guidance from each EU member state where it operates, regardless of the harmonisation of rules that the General Data Protection Regulation (GDPR) was intended to provide."

"On implied consent specifically, the DPC has said that it does not accept implied consent as meeting the requirement to obtain consent for cookies. This aligns with guidance from the French, German and UK DPAs, but not with the Spanish DPA," Barden said.

The EU's 'cookie law' – the Privacy and Electronic Communications (e-Privacy) Directive – provides that storing and accessing information on users' devices is, generally, only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".

The DPC guidance has highlighted that the law applies to any storage of information on a user’s device or equipment, as well as to access to any information already stored on the equipment, such as through using browser cookies or technologies such as device fingerprinting. The information that is stored or accessed does not need to comprise personal data in order for the requirements to apply.

The standard of consent relevant to the requirements was updated, however, when the GDPR took effect in May 2018. Consent must, in general, be freely given, specific and informed. It must also be an unambiguous indication of the data subject's wishes that is stipulated by a statement or by a clear affirmative action. Explicit consent is required in instances where businesses intend to process special category personal data, including through the use of cookies.

An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user. The DPC said it was "clear" from its sweep that some organisations "may either misunderstand the ‘strictly necessary’ criteria, or that their definitions of what is strictly necessary are rather more expansive than the definitions provided" for in cookie law.

Other concerns flagged by the DPC include the inability of users to withdraw or vary their consent; the setting of cookies that require consent as soon as a user lands on the website, without any engagement by the user with a consent management platform or cookie banner; and reliance on consent for indefinite periods of time.

The DPC also clarified its views on so-called 'cookie walls', a term used to describe the practice of making a user's access to a business's services conditional on the user consenting to cookies.

The DPC said: "There are differing views among other DPAs about whether blocking a user’s access to a website on the basis that a user has not consented to cookies is compliant. We are of the view that users should not suffer any detriment where they reject cookies or other tracking technologies, other than to the degree that certain functionality on the websites concerned may be impacted by that rejection."

The DPC also said that 10 of the 38 organisations were found to rely on pre-checked boxes for consent to cookies. A ruling by the EU's highest court last autumn found that that practice is not compliant with EU cookie laws.
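The failings the DPC lists above (cookies set on landing before any engagement, no way to withdraw consent, consent relied on indefinitely, and pre-checked boxes) map onto a handful of checks in a site's consent-gating code. The following is an added JavaScript example illustrating those checks; it is not code from the DPC, Pinsent Masons or any real consent management platform. The in-memory `jar` is a constructed stand-in for `document.cookie` so the example runs offline, and the six-month consent validity is an assumption, since the guidance quoted here names no figure.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Mirrors the points raised in the article: no cookies before a clear
// affirmative action, a "strictly necessary" exception, no pre-checked
// boxes, withdrawal that also removes already-set cookies, and consent
// that expires rather than lasting indefinitely.

const STRICTLY_NECESSARY = 'strictly_necessary';
// Assumed validity period: the guidance quoted on this page gives no number.
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;

// `now` is injectable so the expiry rule can be exercised deterministically.
function createConsentManager(now = () => Date.now()) {
  const jar = new Map();   // constructed stand-in for document.cookie
  let consent = null;      // nothing is recorded until the user acts

  // Categories the banner offers; every optional box starts unchecked.
  const defaultChoices = { analytics: false, advertising: false };

  // Record consent only when driven by a clear affirmative action
  // (a click on "accept"), never from a pre-ticked default or from landing.
  function recordConsent(choices, clearAffirmativeAction) {
    if (!clearAffirmativeAction) {
      throw new Error('consent requires a clear affirmative action');
    }
    consent = { choices: { ...defaultChoices, ...choices }, grantedAt: now() };
  }

  // Withdrawal must be as available as granting; it also clears any
  // non-essential cookies that were set under the earlier consent.
  function withdrawConsent() {
    consent = null;
    for (const [name, cookie] of jar) {
      if (cookie.category !== STRICTLY_NECESSARY) jar.delete(name);
    }
  }

  // Strictly necessary cookies need no consent; everything else needs a
  // recorded, unexpired, category-specific "true".
  function hasConsentFor(category) {
    if (category === STRICTLY_NECESSARY) return true;
    if (!consent) return false;
    if (now() - consent.grantedAt > CONSENT_MAX_AGE_MS) {
      consent = null;  // stale consent is treated as no consent
      return false;
    }
    return consent.choices[category] === true;
  }

  // The only path that writes a cookie; returns whether the write happened.
  function setCookie(name, value, category) {
    if (!hasConsentFor(category)) return false;
    jar.set(name, { value, category });
    return true;
  }

  return {
    recordConsent,
    withdrawConsent,
    hasConsentFor,
    setCookie,
    cookieNames: () => [...jar.keys()],
    defaultChoices: () => ({ ...defaultChoices }),
  };
}

// Constructed walk-through of a page load: the session cookie is allowed,
// the analytics cookie is refused until the visitor accepts.
function demoPageLoad() {
  const cm = createConsentManager();
  const session = cm.setCookie('session', 'abc123', STRICTLY_NECESSARY);
  const analyticsBefore = cm.setCookie('_analytics', '1', 'analytics');
  cm.recordConsent({ analytics: true }, true);
  const analyticsAfter = cm.setCookie('_analytics', '1', 'analytics');
  return { session, analyticsBefore, analyticsAfter, cookies: cm.cookieNames() };
}
```

Injecting `now` keeps the expiry check testable; in a real page the default `Date.now` applies and the consent record itself would be persisted (for example in a first-party cookie) so that it survives reloads and can be shown to the user for withdrawal.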