Dublin-based technology law expert Andreas Carney of Pinsent Masons, the law firm behind Out-Law, said: "The publication of the guidance is the DPC’s first step to addressing the issues, with potential for enforcement to follow. The detailed guidance on cookies and trackers, with useful examples, provides clarity on what is required. Elements of the guidance will take some businesses by surprise."
"Businesses should not waste the six months they have been given before the DPC begins to enforce the new guidance. Any organisations using cookies, particularly those for which user consent is needed, should carry out a cookies and tracker audit and update their website to meet the requirements set out in the guidance," Carney said.
Nicola Barden of Pinsent Masons said: "A number of data protection authorities in the EU have provided guidance on cookies and their views sometimes differ. The DPC has, very helpfully, flagged where its view differs from other data protection authorities (DPAs). These are important for controllers which operate websites across the EU as it highlights a requirement for such controllers to take account of guidance from each EU member state where it operates, regardless of the harmonisation of rules that the General Data Protection Regulation (GDPR) was intended to provide."
"On implied consent specifically, the DPC has said that it does not accept implied consent as meeting the requirement to obtain consent for cookies. This aligns with guidance from the French, German and UK DPAs, but not with the Spanish DPA," Barden said.