Out-Law News | 09 Apr 2020 | 3:44 pm | 4 min. read
The regulator has moved to update its guidance on cookies and other tracking technologies after identifying "widespread" failings of compliance during a 'sweep' of websites last year. The guidance will not be enforced until after six months have expired from its date of publication on 6 April, the DPC said.
"The fact that bad practices were widespread even among companies and controllers that are household names suggests a more systemic issue that must be tackled firstly with the publication of new guidance, followed by possible enforcement action where controllers fail to voluntarily bring themselves into compliance," the DPC said in its report.
Dublin-based technology law expert Andreas Carney of Pinsent Masons, the law firm behind Out-Law, said: "The publication of the guidance is the DPC’s first step to addressing the issues, with potential for enforcement to follow. The detailed guidance on cookies and trackers, with useful examples, provides clarity on what is required. Elements of the guidance will take some businesses by surprise."
"Businesses should not waste the six months they have been given before the DPC begins to enforce the new guidance. Any organisations using cookies, particularly those for which user consent is needed, should carry out a cookies and tracker audit and update their website to meet the requirements set out in the guidance," Carney said.
Nicola Barden of Pinsent Masons said: "A number of data protection authorities in the EU have provided guidance on cookies and their views sometimes differ. The DPC has, very helpfully, flagged where its view differs from other data protection authorities (DPAs). These are important for controllers which operate websites across the EU as they highlight a requirement for such controllers to take account of guidance from each EU member state where they operate, regardless of the harmonisation of rules that the General Data Protection Regulation (GDPR) was intended to provide."
"On implied consent specifically, the DPC has said that it does not accept implied consent as meeting the requirement to obtain consent for cookies. This aligns with guidance from the French, German and UK DPAs, but not with the Spanish DPA," Barden said.
The EU's 'cookie law' – the Privacy and Electronic Communications (e-Privacy) Directive – provides that storing and accessing information on users' devices is, generally, only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".
The DPC guidance has highlighted that the law applies to any storage of information on a user’s device or equipment, as well as to access to any information already stored on the equipment, such as through using browser cookies or technologies such as device fingerprinting. The information that is stored or accessed does not need to comprise personal data in order for the requirements to apply.
An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user. The DPC said it was "clear" from its sweep that some organisations "may either misunderstand the ‘strictly necessary’ criteria, or that their definitions of what is strictly necessary are rather more expansive than the definitions provided" for in cookie law.
Other concerns flagged by the DPC include the inability of users to withdraw or vary their consent; the setting of cookies which require consent as soon as a user lands on a website, without any engagement by the user with a consent management platform or cookie banner; and reliance on consent for indefinite periods of time.
The DPC also clarified its views on so-called 'cookie walls', a term used to describe where businesses make access to their services conditional on the user consenting to cookies.
The DPC said: "There are differing views among other DPAs about whether blocking a user’s access to a website on the basis that a user has not consented to cookies is compliant. We are of the view that users should not suffer any detriment where they reject cookies or other tracking technologies, other than to the degree that certain functionality on the websites concerned may be impacted by that rejection."
The DPC also said that 10 of the 38 organisations were found to rely on pre-checked boxes for consent to cookies. A ruling by the EU's highest court last autumn found that that practice is not compliant with EU cookie laws.