- 30 September 2020
- Posted by: Jonathan Mills
- Categories: Commercial Law, Commercial Litigation, Data Protection, GDPR, Intellectual Property
That’s the way the cookie crumbles
• Session cookies – used only when a person is actively navigating a website; once you leave the site, the session cookie disappears.
• Tracking cookies – used to create long-term records of multiple visits to the same site.
• Authentication cookies – used to track whether a user is logged in, and if so, under what name.
DPC Review of compliance with cookies
The DPC’s report, published 6 April 2020, identified a significant lack of compliance with privacy laws by a number of websites and apps operating on the Irish market. Overall, the DPC’s sweep of 38 websites and apps revealed widespread deficiencies, and the DPC stated that this “suggests a more systemic issue that must be tackled firstly with the publication of new guidance, followed by possible enforcement action where controllers fail to voluntarily bring themselves into compliance.” The DPC provided a six-month grace period from that date, which expires on 5 October, before it considers taking enforcement measures.
DPC’s Key Requirements
The DPC’s key requirements under its cookies guidance are:
User consent must be obtained before any non-necessary cookies are stored on or accessed from a user’s device. This consent must meet the high standards for consent under the GDPR and this applies even if a cookie does not involve the processing of personal data. Operators can no longer imply a user’s consent. It is not necessary to obtain consent individually for each cookie. Instead, it should be obtained for each purpose for which cookies are used. Additionally, six months is the appropriate time limit for consent to be retained after which time the user must be prompted to give their consent again.
2. Are they ‘Strictly Necessary’?
Cookies which are “strictly necessary in order to provide an information society service explicitly requested by the subscriber or user” do not require consent. However, this is a narrow exemption that must be carefully applied. Analytics cookies do not benefit from this exemption and thus require GDPR standard consent.
In order to determine which cookies require consent, it is necessary to know exactly what cookies are used and why they are used. A common mistake by Irish operators has been to treat their cookies policy as a static document. Operators must maintain effective controls that monitor their platform for new cookies, update their consent framework to reflect these and delete cookies that are no longer needed.
4. Cookie Banners or Pop-Ups
6. Third Party Cookies
Where a platform uses third-party cookies, both the operator and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. The DPC’s guidance reminds operators that using third-party ‘like’ buttons, plugins or widgets, pixel trackers or social media-sharing tools may result in the website operator and the owner of these third-party assets being ‘joint controllers’ for the purpose of Article 26 of the GDPR. Operators must assess the possible joint controller issues arising from the use of third-party assets and plugins, and ensure this is reflected in their cookies consent framework.
7. Consent Management Platforms (CMPs)
Users must be able to withdraw or vary their consent as easily as they gave it. In practice, the DPC supports the use of website controls that allow users to choose what cookies are set and to change these choices at any time. When using third-party CMPs, it is very important to ensure that the settings reflect local privacy laws and guidance. The DPC highlighted that CMPs will be a “priority for enforcement”.
Reddy Charlton’s Recommendation
The DPC has put all operators on notice of their requirements and of its clear intent to enforce such standards and requirements. Operators would be well advised to comprehensively review their cookies in advance of 5 October and set reminders to update and assess their compliance on a regular basis.
How can Reddy Charlton help?
Reddy Charlton Solicitors advise clients on data protection, transfer and processing matters, having considerable experience and a number of experts in the area. If you have any queries or seek further information on Data Protection, Data Privacy or any other area of commercial law, please contact Elaine McGrath at firstname.lastname@example.org or Jonathan Mills at email@example.com.