knowledge 5 May 2020 |

A Renewed Focus on Cookies: New DPC Cookies Guidance and Future Enforcement

In Ireland, in the latter half of 2019, the Data Protection Commission (the “DPC”) conducted a survey (or ‘sweep’) on the use of cookies by a selection of 40 websites across a wide range of sectors. Participants were asked to answer questions on their use of cookies. Although it does not name participants, the DPC published its findings following that cookies sweep and, following on from those results, also published guidance in order to clarify some misconceptions and to give revised general guidance on the use of cookies. We have set out some key ‘takeaways’ from each publication below. Notably, the DPC indicated that it expects non-compliant practices to have been addressed by no later than October 2020, following which enforcement actions may arise.

1. Report on the use of cookies and other tracking technologies

The purpose of conducting the sweep was that the DPC could gain insights into how organisations are currently implementing cookies, whether they are complying with the existing law and also to allow organisations to reflect on their practices and focus on areas for improvement.

The sweep brought a number of compliance issues ranging from minor to serious in nature to the attention of the DPC. Overall, just under a third of organisations demonstrated bad practices in relation to cookie banners and in terms of the quality of their responses to the survey. Notably, many of the organisations set cookies without consent, had badly-formed cookie and privacy policies and were unclear as to whether they understood their obligations under the relevant legislation (e.g. the existing e-Privacy Regulations 2011¹ and the GDPR). Most websites also displayed cookie banners that featured an ‘accept’ option, without a corresponding ‘reject’ option.  The DPC found that, in most cases, even where users are offered more information about the cookies, this did not include an option to accept or reject cookies according to their purpose. A ‘nudging’ approach to web design was also noted by the DPC as widespread with users effectively forced into accepting all cookies.

The DPC also noted that most organisations surveyed set a wide range of cookies as soon as a user lands on their website.  In some cases, the DPC found that the cookies were set without the user giving consent or being prompted by a cookie banner, and that this included third party cookies which track browsing habits and online behaviour.  The DPC noted, in particular, that a large retail sector organisation was not fully aware of the functions of some of the third-party cookies set on its site. As such, the DPC reminded organisations that where organisations are employing third party technologies on their websites, the responsibility remains on them to be aware of their purpose. This is important in light of the fact that almost all of the organisations utilised third-party plugins on their websites. The main plugins used were Facebook, Twitter, Instagram and LinkedIn.

Following the Planet49² judgment of the European Court of Justice (“CJEU”) in October last year, it is now clear that consent is not valid if obtained through pre-checked boxes.  Despite that clear warning from the CJEU, the DPC cookies sweep found that over a quarter of the participating organisations were using pre-checked boxes to obtain consent. The DPC view is that these organisations (and others) will need to act quickly to rectify this issue.

The DPC noted that it had also become increasingly clear that in some cases where users changed preferences and opted out of certain cookies, these preferences were not updated or honoured by the organisations. The DPC also reminded organisations that it is not reasonable to assume that a user has consented to cookies merely by moving a mouse over a screen.

In the DPC’s view, the worst sector in terms of poor practices and poor understanding of the existing law was the restaurant and food-ordering sector. Many of the organisations which displayed bad practices used the same underlying ordering platform and app, which users have complained sets cookies and retains personal data without consent. Notably, the DPC considered that this third party app is a joint controller together with each restaurant website.

Overall, it was evident to the DPC that substandard practices and less than full compliance were common amongst surveyed organisations and that, as a result, updated regulatory guidance was necessary to tackle many of the issues that arose.

2. New DPC Cookies Guidance

As such, the DPC has now published revised and extended cookies guidance with a view to assisting organisations in better complying with the existing law relating to cookies (available here). This will be welcomed by most organisations and their advisers. Some key highlights from the guidance are considered below.

Consent:

In the guidance, the DPC reminds organisations that consent for the setting of cookies (where required) must be freely given, unambiguous and a statement of clear affirmative action as set out in the GDPR. There are two exemptions to this: (i) the communications exemption; and (ii) the strictly necessary exemption. The communications exemption is available for cookies whose sole purpose is for carrying out the transmission of a communication over a network. The strictly necessary exemption applies to information society services, and, to benefit from the exemption, the service must have been explicitly requested by the user and the use of the cookie must be restricted to what is strictly necessary to provide that service.

Consent must be obtained for each individual purpose and cannot be bundled for multiple purposes. Good practice indicates that the first layer of communication should be the request for consent for specific purposes with a second layer to provide information on the categories of cookies set. The mere act of continuing to click through or scroll through a website does not indicate consent to cookies and is prohibited.

Nudging:

Banners or pop-ups cannot be designed or set up to ‘nudge’ a user into accepting cookies over rejecting them. Equal prominence should be given to ‘accept’ and ‘reject’ options.  Similarly, banners that disappear after further use of a website/platform are not compliant and do not indicate freely given and unambiguous consent.

Timelines:

The DPC explains that the expiry date of a cookie should be proportionate to its purpose. A session cookie used for, for example, remembering information in a shopping cart should be set to expire once it has served its function. As to consent, the DPC’s view is that users should be asked to reaffirm their consent to cookies every six months.

Special category data:

There are additional requirements for processing special category data. A controller must obtain ‘explicit consent’. The bar to demonstrate explicit consent is high. Whilst not constituting special category data, the DPC recommends that consent should be obtained for processing location tracking data. The CJEU has recognised the particular sensitivity and implications of processing this data.

User friendly interfaces:

The DPC advises that organisations should test their interface with users who have vision or reading impairments to ensure they are as accessible as possible to all users. Sliders should be labelled opt-in or opt-out in addition to colour coding.

Third parties:

Following the CJEU judgment in Fashion ID³, the DPC notes that when using ‘like’ buttons, plugins, widgets, pixel trackers or social media-sharing tools, organisations should be aware of what data is being sent to third parties and whether the website operator may also be considered a controller in respect of any personal data that it collects and discloses to those third parties. In the event that the information collected by third party cookies on an organisation’s website is deemed personal data, organisations will also have to comply with the obligations contained in the GDPR in addition to the ePrivacy regulations.

Enforcement:

Importantly, the DPC has allowed six months (from April 2020) for organisations to review and consider their existing cookies practices and, where necessary, to take action to bring these into compliance with the law.  After this point, the DPC has stated that enforcement action may ensue against those entities which do not bring their cookies practices into compliance. As to its priorities, the DPC indicated it is unlikely that first-party analytics cookies would be considered a priority for enforcement. As such, organisations now have a clear window of time in which to assess and rectify any issues with their compliance with the law and this recent helpful guidance.