
The Data Protection Commission Cookie Sweep: The law in Practice

John Byrne - 18 September 2020


In August 2019, the Data Protection Commission (DPC) re-embarked on a cookie sweep to assess the general lay of the land across the jurisdiction. This involved an examination of a series of websites across a broad range of sectors, such as Media, Retail, Insurance and a selection of public bodies. A key focal point here was a series of organisations who had already been reported to the DPC due to a lack of compliance in this space.

The report, published in April 2020, revealed what many already knew to be the case: organisations and businesses offering goods and services in Ireland have a dreadful sweet tooth and are not overly fond of letting data subjects block their access to the cookie jar.

The DPC provided exceptionally clear guidance on this topic, together with a lengthy grace period of six months from the date of the published report and guidance for data controllers to bring their websites and mobile apps into compliance. There are therefore no excuses after the DPC-mandated deadline of 5 October 2020, when strict enforcement is set to begin.


The Law in Practice

So what does the law mean in practice? Three points stand out.

  1. Consent cannot be bundled. A single consent will not allow for the deployment of multiple categories of tracking technology: no more “Accept all” buttons.
  2. Users must be given clear information about the types of tracking technology that are active and how to enable or disable them. That information must be concise and not worded in a way that undermines legibility and clarity for the user. There is no ‘one size fits all’ wording here; it rests entirely at the controller’s discretion, but it is highly recommended to err on the side of caution and take the age-old ‘explain it to me like you would to a child’ approach.
  3. Inactivity on the part of the user does not amount to consent. Tracking technologies cannot be deployed simply because the user does not engage with a banner, nor does the ever-popular ‘If you continue to use this website, we assume your consent to our use of cookies’ fit the bill. Similarly, pre-checked boxes or presumed consent are not valid.

Unless there is clear, easily demonstrated consent, deployment is not allowed and may incur a penalty.

Of the 38 websites surveyed in the sweep, two-thirds were found to go straight for the jar without asking for any form of permission: cookies were deployed on the end-user’s device before any interaction with the corresponding pop-up, regardless of how compliant the pop-up itself was in terms of the choice offered. It is worth mentioning at this point that getting your organisation’s cookie consent right is by no means an easy task. There are many variables to consider: what information does your business wish to obtain? What information do you actually require? Have you the ability and capacity to run this entirely in-house? How do you set about informing the end-user? How long should cookies be left active? The list goes on. Compounding this is the fact that, despite the legislation coming into force over a decade ago, it is only in the last eight months that we have seen landmark enforcement around its interplay with the GDPR (and the clarification that came with it).

For many years, organisations were under the impression that you could simply deploy cookies on the fly and, provided you gave website visitors an adequate heads-up that the technology would be deployed should they continue scrolling, you were good to go. This left us with the well-known string of pop-up banners we have all come to love and now simply recognise as a hallmark of the internet. Often the responsibility was (and still is to this day...) placed on the individual user to manipulate their browser settings so as to either accept or deny cookies. The main problem with this is that most browser settings lack the granularity of choice needed to differentiate between categories of cookies and trackers, and so fall foul of the GDPR’s Art. 4 definition of consent. Within the ePrivacy space, and more specifically with regard to tracking technologies, the GDPR’s standard of consent is now king and has ruled, uncontested, over its domain ever since the Planet49 case came to a head in October 2019.

But wait, there are exemptions to consent, right? We “need” to drop certain cookies every now and then just to make our websites work and facilitate our visitors’ needs, right? Well... sort of. The DPC flagged that there was a general misconception around what constitutes a “strictly necessary” cookie/tracker. The legislation itself reads as follows:

“The requirement to obtain consent to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user… does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”.

The first limb covers load-balancing cookies and those used to ensure security: without such technologies the site will not operate as expected and may leave visitors or site owners vulnerable. The second limb is more ambiguous, but the key words are “explicitly requested”. So while it is perfectly acceptable for an online retailer to drop session cookies to handle shopping-cart requirements without consent (its potential customer clearly requires this to avail of the service offered), automatically dropping a persistent tracking cookie for analytical purposes will not fit the bill. The exemption essentially requires a two-step test:

  1. The data subject has explicitly requested a service; and
  2. The cookies/trackers being deployed amount to the bare minimum required to facilitate that request.
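The consent rules set out above (no bundling, nothing pre-ticked, inactivity is not consent, nothing set before the banner is answered) and the two-step test for the strictly-necessary exemption can both be put into a small piece of consent-gating logic. The block below is an added example written for this post; it is not code from the DPC, from the guidance, or from the original article, and it is not tied to any real consent-management product. The cookie names, categories and purposes in `COOKIE_REGISTRY` are constructed for a hypothetical online retailer, and the class and function names are this example's own. It runs stand-alone under Node.js.

```javascript
// Added example, not code from the original post or from the DPC: a small
// consent gate that encodes the rules described above. The cookie names,
// categories and purposes in COOKIE_REGISTRY are illustrative assumptions.

// Consent categories. "necessary" is the exempt class: it never requires
// consent, but it must satisfy the two-step test (see isStrictlyNecessary).
const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];

// Constructed registry for a hypothetical online retailer. Every cookie the
// site may set must appear here; anything not listed is refused outright.
const COOKIE_REGISTRY = {
  session_id: {
    category: "necessary",
    purpose: "keep the visitor's shopping cart between pages",
    // Step 1 of the test: the explicit request by the visitor that needs it.
    requestedBy: "visitor adds an item to the cart and proceeds to checkout",
  },
  lb_route: {
    category: "necessary",
    purpose: "route the visitor's requests to the same back-end node",
    requestedBy: "transmission of the visitor's own page requests",
  },
  ui_lang: { category: "functional", purpose: "remember the chosen language" },
  _ga: { category: "analytics", purpose: "persistent analytics identifier" },
  ad_id: { category: "advertising", purpose: "cross-site advertising identifier" },
};

class ConsentState {
  constructor() {
    // No banner interaction yet: no decision exists and nothing is pre-ticked.
    this.decision = null;
  }

  // Record an explicit, per-category choice. Only a literal `true` counts as
  // consent for a category; an omitted key means "not consented", never
  // "assumed". Consent for one category says nothing about the others.
  record(choices) {
    if (choices === null || typeof choices !== "object") {
      throw new TypeError("consent must be an explicit per-category object");
    }
    const decision = {};
    for (const category of CATEGORIES) {
      if (category === "necessary") continue; // exempt, not a consent choice
      decision[category] = choices[category] === true;
    }
    this.decision = decision;
  }

  // Scrolling, closing the banner or simply continuing to browse must not
  // change the state. This method exists so that call sites wired to those
  // events have something to call that is guaranteed to do nothing.
  observeInactivity() {
    return this;
  }

  allows(category) {
    if (category === "necessary") return true;
    return this.decision !== null && this.decision[category] === true;
  }
}

// Two-step test for the exemption: the cookie is tagged necessary AND the
// registry records the explicitly requested service it supports. Whether the
// cookie is the bare minimum for that service is a judgement the registry
// entry documents; it cannot be checked mechanically.
function isStrictlyNecessary(def) {
  return def.category === "necessary" &&
    typeof def.requestedBy === "string" && def.requestedBy.length > 0;
}

// Decide whether cookie `name` may be set right now under `consent`.
function canSetCookie(name, consent, registry = COOKIE_REGISTRY) {
  const def = registry[name];
  if (!def) return false;                                  // unregistered: never
  if (def.category === "necessary") return isStrictlyNecessary(def);
  return consent.allows(def.category);
}

// Audit helper: given the cookie names observed on a fresh visit before any
// banner interaction, return the ones that needed consent they did not have.
function auditPreConsentCookies(observed, registry = COOKIE_REGISTRY) {
  const fresh = new ConsentState();
  return observed.filter((name) => !canSetCookie(name, fresh, registry));
}

// Stand-alone demonstration on a constructed observation of a fresh visit.
const observedOnFreshVisit = ["session_id", "lb_route", "_ga", "ad_id"];
console.log("set before consent:", auditPreConsentCookies(observedOnFreshVisit));
```

The shape worth copying is that the gate, not the banner, is the control: every cookie-setting path asks `canSetCookie` first, a fresh `ConsentState` refuses everything except registered necessary cookies, and `record` only ever stores what the visitor literally ticked. `auditPreConsentCookies` is the check the sweep itself performed, applied to your own site: run it over the cookies a clean browser profile receives before the banner is touched, and anything it returns is a finding.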

If you would like to learn more about the Data Protection Commission (DPC) cookie sweep and the considerations around the DPC’s guidance on the use of cookies and other tracking technologies, you can download a free copy of our DPC Cookie Sweep and Guidance eBook.
