If you have browsed through the internet recently, you may have noticed more notifications about selecting cookie options on various websites. Here’s the reason why:
Six months ago, Ireland’s Data Protection Commission (DPC) published a report showing its findings following a random cookie “sweep” of a select number of websites across a broad range of sectors in the economy. Following the sweep conducted, the DPC found that
- 26% of the websites that responded to the sweep were found to have pre-checked boxes to acquire consent from users.
- About two-thirds of data controllers were relying on a model of ‘implied consent’ to set cookies.
This includes statements such as “by continuing to browse this site you consent to the use of cookies”, which does not comply with the Cookies or e-Privacy laws.
Based on the findings of the report, the DPC issued new guidance and regulations regarding Cookies, e-Privacy and customer information, which gave websites a deadline of 5th October to get their cookies policy up to scratch with the relevant laws and regulations in Ireland. Websites that fail to comply with the new regulations will be subject to severe financial penalties from DPC.
What are Cookies anyway?
According to DPC’s guidance report;
“Cookies are small text files stored on devices, such as computers, mobile or any other device that can store information. Generally, Cookies allow websites to track user behaviour in some manner or means. It serves a number of important functions, such as keeping track of items in an online shopping cart, or helping web pages to load faster.”
With the enforcement of the new regulations, people should have a lot more privacy options to choose from when browsing online.
Legal Framework
According to the DPC; ‘The purpose of the law on cookies is to protect individuals from having information placed on their devices, or accessed on their devices, without their consent, that may interfere with the confidentiality of their communications.’
Currently, there are two legal frameworks applicable to the use of Cookies: the e-Privacy Regulations (SI No. 336 of 2011) (e-Privacy Regulations) and the General Data Protection Regulation (GDPR).
Under the e-Privacy Regulations, Cookies can only be used where a website user:
- Consents to the use of Cookies (unless an exemption applies); and
- has been provided with clear and comprehensive information which: (a) is prominently displayed; and (b) includes, without limitation, the purposes of the processing of the information (e.g. Cookies banner).
The GDPR must also be applied where Cookies involve the processing of personal data relating to users and, in that event, the standard of consent required is the GDPR standard.
Below are some of the Key Points from the DPC’s Guidance:
- Clarity on what ‘type’ of cookies require consent (First party v Third-party cookies)
- Consent should be provided for different categories of cookie separately.
- The user must easily be able to withdraw consent or change permissions for Cookies.
- Consent cannot be bundled – One consent for multiple purposes is NOT acceptable.
- Pre-checked boxes/sliders and implied consent are a NO.
- Consent expires after 6 months for non-exempt Cookies.
- Clarification on “clear and comprehensive information.”
- Minimum/Detailed Information in Cookie banners regarding Cookie use.
If you want to read about the new regulations more in detail, here’s a link to the guidance notes on cookies & other technologies published by the DPC, and a link to an article written by solicitors at William Fry on the grace period for cookie compliance.
Click here to view the full legislation
Next Steps
Going forward, websites/apps will need to implement a mechanism to obtain consent to cookies. This can be done using a cookie consent management tool, which turns off all non-vital cookies by default. Your website needs to allow the user to accept or reject the setting without promoting one option over the other and it must give the user the ability to manage their consent options.
Please contact IMS Marketing or get in touch with your respective Client Manager if you wish to bring your website in line with the new Cookie & e-Privacy Regulations, effective 5th October 2020.