In August 2019, the Data Protection Commission (DPC) re-embarked on a cookie sweep to assess the general lay of the land across the jurisdiction. This involved an examination of a series of websites across a broad range of sectors, such as Media, Retail, Insurance and a selection of public bodies. A key focal point here was a series of organisations that had already been reported to the DPC due to a lack of compliance in this space.
The report, published in April 2020, revealed what many already knew to be the case: organisations and businesses offering goods and services in Ireland have a dreadful sweet tooth and aren’t overly fond of letting data subjects block their access to the cookie jar.
The DPC provided exceptionally clear guidance on this topic. Data controllers were also given a lengthy grace period of 6 months from the date of the published report and guidance to bring their websites and mobile apps into compliance, so there are no excuses after the DPC-mandated deadline of October 5th 2020, when strict enforcement is set to begin.
How should this look? – Layering the Dough.
There are no hard rules here, but rather a series of obligations that can be met in various ways. The DPC has made it clear, though, that a layered approach is best:
For your first layer, when a user lands on a website or opens an app, they must be informed of the existence of cookies/trackers and their categorical consent should be sought before deployment. For your second layer, a standalone cookie notice should be provided containing more comprehensive information. This should include the names of the respective cookies, the party deploying them, their purpose and how they may be configured. All cookies/trackers other than strictly necessary cookies should be set to “off” by default.
You must also provide adequate information to visitors regarding third-party cookies/trackers being deployed. Depending on the relationship with those third parties, and particularly in the case of joint controller relationships, site owners have an obligation to enter into an ‘agreement’ with them. Such agreements aim to clarify responsibility for facilitating data subject rights, and that information should be made known to visitors. This may be facilitated via a link to the respective third party’s cookie notice, provided that the third party provides adequate information. When entering into any third-party agreement, clarifying what processing is involved, the status of the relationship and the corresponding responsibility to inform should be a key point of action.
Once you have conducted a general review of the tracking technologies being deployed, take the time to consider whether or not a Data Protection Impact Assessment (DPIA) is required. Where cookies/tracking technologies may allow your organisation or any third party to cross-reference your visitors’ information with other information in order to build or enhance a profile on that visitor, then conducting a DPIA is mandatory – watch out Facebook.
Moving along, where the site owner uses a banner or pop-up to provide the visitor with information on tracking technologies, it must not give acceptance of those technologies any greater emphasis than the option to seek further information. In its report, the DPC offers an example of a “better” cookie banner, which gives a snippet of information about the types of trackers used on the website along with a link to the cookie notice and two options – “Cookie Settings” and “Accept Cookie Settings”.
We can only assume here that by selecting the second option without having toggled any individual settings, only “strictly necessary” cookies would be deployed. However, as stated in the guidance note, this is not perfect as there remains an emphasis on acceptance without clarification as to what will and will not be deployed. This should be avoided.
An improvement on this would be the likes of a pop-up displaying each category of cookie/tracker, accompanied by information on their corresponding purpose, the option to provide individual consents (where required) and a link to a full cookie notice. The cookie notice, in and of itself, should explain the use and purpose of the trackers being deployed as well as the involvement of any relevant third parties and the means by which the user can exercise their rights under the GDPR. Once interacted with, this pop-up could minimise into a ‘cookie button’ which would remain accessible at all times should the user wish to change or inspect their choices – the user must be able to withdraw consent as easily as provide it. This pop-up should re-present itself at least once in any given 6-month period. For those using a separate cookie to record consents, the same applies. In the absence of a more recent indication of preference from the site user, this cookie should expire after no more than 6 months and the user should again be presented with the pop-up to renew their consent.
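The consent-record behaviour described above, sketched as an added example (not code from the DPC guidance or from the author of this article): non-essential categories default to off, withdrawal uses the same path as granting, and a missing, malformed or stale record brings the pop-up back. The cookie name, the category names and the 180-day lifetime (chosen to stay within the 6-month limit) are assumptions.

```javascript
// Added example: names, categories and cookie layout are assumptions.
const CATEGORIES = ["necessary", "analytics", "marketing"]; // hypothetical categories
const COOKIE_NAME = "cookie_consent";                        // hypothetical cookie name
const MAX_AGE_SECONDS = 180 * 24 * 60 * 60; // stays inside the 6-month ceiling

// First-visit state: only strictly necessary cookies are on, nothing recorded yet.
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === "necessary";
  return { choices, recordedAt: null };
}

// Serialise the visitor's choices into a Set-Cookie style string.
// Granting and withdrawing both go through here, so they are equally easy.
function buildConsentCookie(choices, nowMs) {
  const clean = defaultConsent().choices;
  for (const c of CATEGORIES) {
    if (c !== "necessary") clean[c] = choices[c] === true; // anything but true is "off"
  }
  const value = encodeURIComponent(JSON.stringify({ choices: clean, recordedAt: nowMs }));
  return `${COOKIE_NAME}=${value}; Max-Age=${MAX_AGE_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// Read the record back from a document.cookie style string.
// Missing, malformed or stale records fall back to the first-visit defaults.
function readConsent(cookieString, nowMs) {
  const pair = cookieString.split("; ").find((p) => p.startsWith(COOKIE_NAME + "="));
  if (!pair) return defaultConsent();
  try {
    const rec = JSON.parse(decodeURIComponent(pair.slice(COOKIE_NAME.length + 1)));
    const age = nowMs - rec.recordedAt;
    const stale = age < 0 || age > MAX_AGE_SECONDS * 1000;
    if (typeof rec.recordedAt !== "number" || stale) return defaultConsent();
    const state = defaultConsent();
    for (const c of CATEGORIES) {
      if (c !== "necessary") state.choices[c] = rec.choices[c] === true;
    }
    state.recordedAt = rec.recordedAt;
    return state;
  } catch (e) {
    return defaultConsent();
  }
}

// Show the pop-up whenever no valid record exists.
const needsPrompt = (state) => state.recordedAt === null;
// Gate every tracker on an explicit "true" for its category.
const mayDeploy = (state, category) => state.choices[category] === true;
```

Keeping a `recordedAt` timestamp inside the value means the 6-month check still holds if a browser or proxy ignores or extends `Max-Age`.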
No matter the method used, and as a final aside, banners or pop-ups should never obscure the website privacy/cookie notice, nor detract from their use.