Irish DPC updates cookie guidance on foot of cookie sweep report
The Irish Data Protection Commission (DPC) has issued a guidance note on cookies and other tracking technologies. This guidance accompanies the release of a report outlining the results of a cookie sweep conducted on 40 website operators. It is the most significant and detailed guidance that the DPC has issued to date on the processing of cookies and similar tracking technologies and warrants close scrutiny by website operators (herein assumed to be data controllers).
In recent months, we have seen concerted efforts from data protection authorities to highlight controllers’ obligations in this area, with many releasing updated guidance and indicating a renewed intention to enforce these obligations. This report and its accompanying updated guidance marks a significant line in the sand being drawn by the DPC.
Importantly, a six-month period has been allowed for controllers based in Ireland to bring their cookie processing practices into alignment with legislation, at which point, the DPC has indicated that further action, including enforcement action will be considered.
With this in mind, it is imperative that website operators (including mobile app controllers) review their current cookie processing practices now, to ensure the following:
- consent must be gained for any storage or access to information on users’ devices. Only strictly necessary cookies may be processed without consent;
- consent should be gained for each processing purpose (not necessarily each cookie) that requires storage or access to information on a users’ device, or enables the website operator to build a profile of a user using similar technologies (e.g. tracking pixels, browser fingerprinting);
- consent needs to meet the standard defined in the GDPR Article 4(11) of being freely given, specific, informed and an unambiguous indication of the data subject’s wishes;
- only ‘strictly necessary’ cookies do not require consent. It’s important to note that there is a very narrow definition for what is considered ‘strictly necessary’ and the DPC has remarked that controllers have typically been interpreting this exemption too broadly.
An example illustrated in the DPC guidance relates to the provision of a chatbot function on a website, something which has become quite common in recent years. The DPC makes clear that such cookies used to provide this functionality do not meet the definition of ‘strictly necessary’ and first need to be consented to by the user. Therefore, the chatbot functionality should not be initiated until the user has consented to this processing. An example of a cookie that would meet the ‘strictly necessary’ exemption is one which enables a website to provide shopping cart functionality, or to remember a user’s language preference.
Analytics Cookies & Consent
Analytics cookies are a category that concern the majority of website operators. In the past, many operators have considered these to be ‘strictly necessary’ or within their legitimate interests in order to gain insights into users behaviour on their websites. This is an area where there has been increased clarity provided by authorities over the past year. Let there be no confusion on this – the DPC has stated that analytics cookies require consent.
The DPC guidance notes that first-party analytics (where the website operator carries out the collection and processing of analytics data, or where a third party is contracted by the website operator as a processor for the limited purpose of providing aggregated statistical data), are likely to be less privacy-intrusive to the user and the DPC is unlikely to consider first-party cookies a priority for enforcement. Such a statement does seem to muddy the waters somewhat, however, website operators would be well advised to adhere to the letter of the law alongside the now ample guidance elucidating how to realise those obligations and obtain freely given, specific, informed and unambiguous consent before placing an analytics cookie, whether it be first-party or otherwise.
Individual Purposes, Layered Information & Control
It is not the case that consent needs to be gained for each individual cookie (or similar) that is in use, but rather for the purposes they are used for (e.g. analytics social sharing, remarketing etc.). The DPC recommends (as is consistent with EDPB Guidelines on Transparency) that a layered approach is presented to users, allowing them to opt-in by purpose, with the ability to drill down for more information and granular control of cookies. Users should be able to adjust their preferences subsequent to setting them.
Cookie Consent Management Platforms – Caveat emptor
Consent Management Platforms (CMP), often in the form of a third-party vendor tool, may be used by website operators to provide cookie consent management to website users. The DPC notes that not all CMPs are equal, with some not achieving what they purport to do. In that vein, it is the old adage of ‘let the buyer beware’ that applies. For a CMP to achieve its objective, it must:
- not allow cookies or similar technologies to be placed/processed before the user has given their consent (if consent it required for the particular processing purpose);
- allow users to alter their consent for cookies or similar technologies, subsequent to setting their initial preferences;
- facilitate expiring a user’s consent after a defined period (DPC recommends six months);
- each purpose for processing should be explained, where cookies or similar tracking technologies are used, and users should be able to express their choice regarding each purpose;
- pre-checked boxes and default-enabled sliders do not comply with European law, as clarified by the Planet 49 decision of the Court of Justice of the European Union (CJEU).
- ideally, the CMP should facilitate providing layered information regarding cookies, enabling the user to drill down and receive more granular information as needed;
A common problem Trilateral has seen in our work in this area is that website operators may deploy a CMP tool and assume that they are then compliant. The DPC, in their cookie sweep report, has observed the same phenomenon and notes that these tools do not work on a one-size fits-all basis – they need to be tailored to the needs of the controller. In addition, Trilateral advises that CMP tools should be configured with input from individuals who have the requisite knowledge and experience to configure such tools correctly, accounting for data protection and ePrivacy law. We would also recommend that changes to cookies and similar technologies on web properties are managed through appropriate change management procedures, involving key individuals, and not leaving sole responsibility for these changes with developers.
Further Design Considerations
Website operators should ensure that the design and user experience of the cookie banner and consent management platform meet requirements. This includes ensuring that:
- users are presented with a clear and equal choice with regards to accepting or rejecting cookies – no ‘nudging techniques’ should be used and as such, equal prominence should be given to accept and reject options;
- cookie banners should not obscure access to privacy or cookie policies;
- if the cookie banner links to further information about privacy or cookies, this information should not be obscured by other site features (e.g. chatbots);
- cookie banners should not give a single option such as ‘Accept’, ‘OK’, ‘Got it’ etc. These are not compliant;
- at a minimum, the user should be provided with the option to reject non-necessary cookies;
- where necessary, users are able to give consent to each purpose that cookies or similar tracking technologies are used;
- where a user has not consented to the use of a cookie that results in functionality not being able to be provided (e.g. an embedded video from an external service), consider how to facilitate the user subsequently giving their consent. For example, in the case of embedded videos, allow the user to express their consent at the position where the embedded video would display;
- accessibility should be considered when implementing cookie management and informational interfaces. Users may have difficulties using such interfaces (e.g. those with colour blindness).
When deploying assets or tools from third parties on a website (e.g. plugins providing social sharing functionality), website operators should be clear as to the relationship that they have with those third parties. A data processing agreement should be in place with third parties that sets out the expectations of that relationship, including the instructions which the third party is operating under, in the case that they are acting as a processor. Third parties may process data that is shared with them for their own purposes. In such cases, it is not a controller-processor relationship that exists, but rather, as clarified by the CJEU in the Fashion ID judgement of July 2019, a joint controller relationship may exist, and this can come with associated risks and additional liabilities.
Special Category Data
Trilateral have significant experience with helping our clients navigate compliance with processing related to cookies and similar technologies. We can help with audits of existing practices and work with teams to implement policies and procedures that facilitate compliance going forward. Please feel free to contact our advisors, who would be more than happy to help.
Alan Mac Kenna, Data Protection Technology Advisor at Trilateral Research