The Data Protection Commission’s “Cookies Sweep” and Obligations on Data Controllers7 September, 2020
Cookies are small files of letters and numbers stored on a browser or the hard drive of a computer or other internet-enabled device. Cookies can serve a number of important functions, including to remember a user and their previous interactions with a particular website. They allow a website to recognise a user’s device and are widely used to make websites work, or work faster and more efficiently, and at the same time they provide information to the owners of the website about its users. While this information may contain technical and non-personal data, such as device type or settings, it may also contain personal data, such as a unique identifier, user name, IP address or an email address.
The purpose of this survey or cookie “sweep” was to examine overall compliance with Regulation 5 of the ePrivacy Regulations (S.I. No. 336/2011) (the “ePrivacy Regulations”), which implements Article 5 of the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) and to determine whether the organisations examined were complying with the law. The ePrivacy Regulations require that users have been provided with “clear and comprehensive information” and have given their consent to the placement of cookies, before organisations place cookies on a user’s device.
In particular, the DPC set out to clarify how the selected data controllers acquired the consent of their website users to deploy cookies and tracking technologies. The DPC have stated that the standard of such consent should meet the requirements set out under the Article 4(11) of the General Data Protection Regulations (the “GDPR”) i.e. “a clear, affirmative act and be freely given, specific, informed and unambiguous”.
Results of the “Cookie Sweep”
In its Report, the DPC have noted the use of a classification system to grade each controller using a Red, Amber and Green system to signify the level of compliance. Of the controllers surveyed, the following grades were given:
• 20 were given an Amber grading which “signalled a good response and approach to compliance, but at least one serious concern”. Three were given a borderline Amber to Red grading.
• 12 controllers were given a Red grading which was “a poor or incomplete response or questions not understood with several serious concerns”.
• Just two controllers received a Green grading which “indicated a very good response, substantially compliant, any concerns straightforward and easily remedied”, with one a borderline Green to Amber.
According to the DPC, “the majority of the 38 controllers examined were found to have potential compliance issues, particularly in relation to reliance on implied consent for setting non-exempt cookies, the setting of cookies on landing without any engagement by the user with consent banners or other tools, lack of choice for users to reject all cookies, bundling of consent for all purposes and the possible misclassification of cookies as ‘necessary’ or strictly necessary when they may not avail of one of the two exemptions provided in the ePrivacy Regulations.”
The results of the cookie sweep highlights a lack of understanding within organisations of what is required of them and has raised concerns about the number of non-compliant uses of cookies which were identified.
The DPC are now urging all data controllers to review the new Guidance which is has published on foot of the Report, and to begin their compliance programme. The DPC have indicated that they expect the non-compliant uses of cookies to be resolved by all controllers within the jurisdiction by 5th October 2020, at the latest. The Guidance document sets out some very useful information on what is required of organisations, and ought to be considered by all organisations who act as a data controller, to ensure they are meeting the requirements of both the ePrivacy Regulations and the GDPR.
The main recommendations highlighted by the DPC to controllers in reviewing their cookie usage can be summarised as follows:
• Controllers must give consideration to accessibility issues when designing their browser and mobile user interfaces. As best practice, sliders or check boxes should be clearly marked as ON or OFF, even if they also have a binary colour choice, in order that the user is not forced to guess at their functionality.
• Controllers must examine all cookies categorised as ‘necessary’ or ‘strictly necessary’ to determine whether they are covered by the two exemptions set out in Regulation 5(5) of the ePrivacy Regulations.
• Pre-checked boxes relating to cookie settings should be removed from websites.
• Cookie banners should not ‘nudge’ users into accepting cookies.
• An option to reject in a cookies banner must have the same prominence as an option to accept.
• Non-necessary cookies should not be set prior to the user clicking on the cookie information and consent is always required.
• The “Article 29 Working Party Opinion 4/2012” on the cookie consent exemption should be studied by controllers.
• Consent is to be obtained for each purpose for which cookies are set (this does not mean that consent needs to be obtained for each cookie individually, just for the purpose its used).
• Consent may not be bundled.
• Users must be able to vary / withdraw their consent easily at any time via the website.
• Analytics, targeting and marketing cookies require consent.
• The cookies lifespan should be proportionate.
• Controllers must examine the possible joint controller issues arising from the use of third-party assets and plugins and put in place controller-processor contracts where necessary.
• The use of a consent management platform will not in itself ensure compliance. The controller must ensure that such tools operate effectively and if a user selects preferences, these must be respected and recorded.
• The processing of data following the setting of cookies is deemed the processing of personal data which is subject to the GDPR.
It is clear from the Report and Guidance published by the DPC that it will seek to ensure all controllers are in compliance with the ePrivacy Regulations, and where controllers fail to voluntarily make changes to their interfaces, the DPC will use its enforcement powers under both the ePrivacy Regulations and the GDPR, including the use of audits and inspections. In light of this, it is recommended that all relevant organisations within the jurisdiction take the necessary steps to ensure compliance prior to the impending deadline. If you have any queries or if you would like to discuss this content in further detail, our data protection team would be happy to assist.
This note is for general information purposes and does not constitute legal advice. Legal advice must be obtained for all individual circumstances. Each case must be assessed on its own merits
About The Authors
Laura Myles is the Head of Technology and IP at Flynn O’Driscoll Business Lawyers with 25 years’ experience in intellectual property and technology law and practice…..
Áine joined the Corporate and Commercial team at Flynn O’Driscoll in May 2019. Prior to joining the firm, she trained and worked in a mid-sized firm in Dublin, and gained experience in both commercial and civil litigation, conveyancing, landlord and tenant and data protection law…..
Having spent two years working in the tax department of Grant Thornton, Nolene joined the Aviation and Corporate team in Flynn O’Driscoll in September 2017……