Irish provisions on cookies
Data controllers also need to provide data subjects with certain easily accessible, ‘clear and comprehensive’ information on the technology they are using and the purpose for which they are using it.
New Guidance note
In April 2020 and following a sweep conducted between August and December 2019, the Data Protection Commission (DPC) published an updated Guidance note on Cookies and similar technologies.
Hereafter, new regulatory expectations around the use of website cookies are set to include clearer instructions to organisations and further consider the interaction between the GDPR and the ePrivacy Regulations.
The following topics are the key issues clarified in the New Guidance:
An inferring consent from a user navigating through a site and/or using pre-checked boxes (see the decision in Planet 49) does not constitute a freely given, specific, informed and unambiguous consent as required under the GDPR and thus, implied consent and pre-checked boxes are not permitted.
Consent Management Platforms
The use of a CMP (Consent Management Platforms) does not in itself ensure compliance and must be effective. Controllers are responsible for the tools to work in the manner intended and for the buttons on the user interface to be clear and do what they are designated to do. In particular:
- clear cookie consent settings need to be taken into account for their accessibility and to avoid ambivalent red/green choices that may be unclear and disadvantageous to the average user.
- where slides are set ‘on’ by default and the user’s choice to turn these cookies off is not respected, the DPC explicitly indicates this to be a priority for enforcement.
‘Necessary’ or ‘strictly necessary’ exemption
Moreover, it was found that controllers had a poor understanding of the ‘necessary’ or ‘strictly necessary’ exemption. The DPC stressed that the exemption is extremely narrow and can only apply to a service that has been explicitly requested.
Consent is required for analytics cookies, but taking a similar approach to the UK ICO, the DPC considers first party analytics cookies potentially low risk and therefore unlikely to be a priority for any formal action. However, analytics cookies are not exempt and the guidance confirms two types of analytics cookies (first and third party analytics), both of which require consent. Organisations should in any case ensure they have appropriate consents.
Cookie consent should be limited to a timespan of 6 months, after which time it should be refreshed.
Consent is not needed for each individual cookie, but opt-in consent must be obtained for each purpose for which the cookies are set. Subsequently, the bundling consent is not permitted. Taking an ‘all or nothing’ approach and offering an ambiguous selection to accept or reject all cookies does not prove compliance. Further pre-ticked boxes, sliders or other similar tools that automatically set non-essential cookies to “on” by default do not ensure compliance.
With regard to cookie walls, the DPC’s view is that users should not suffer any disadvantage (i.e. blocking access to a website) when they have not consented to cookies, other than to the degree certain website functionality is affected. This is a stricter approach than that applied by other regulators, including the UK ICO which says that data protection rights must be balanced against other rights, including freedom of expression and freedom to conduct a business.
Controllers should take into consideration the implications of the July 2019 Fashion ID judgement of the Court of Justice of the European Union, with respect to potential joint controllership issues on data collected by third-party plugins and social ‘like’ buttons.
Special categories of data
There is a risk that some cookies involve the processing of special category data based on inferences drawn from the nature of the site that a user has visited (e.g. a health insurer’s website). The use of this data should only take place with the user’s explicit consent.
The DPC emphasised the inevitability for controllers to take extra precautions when drafting and updating privacy and cookie policies for which transparency is set as key.
Six months grace period
Organisations are given a six months grace period from the date of publication, 6 April 2020, to bring their cookies practices into compliance and potentially before engaging in any enforcement action under the Data Protection Act 2018. The DPC intends to actively exercise enforcement powers later this year in the case of those websites and apps that do not significantly adjust their cookie consent management processes.