That’s the way the cookie crumbles

Compliant use of Cookies – a warning!

In this article Elaine McGrath explores the use of cookies, reminds readers of the Data Protection Commissioner’s (the “DPC’s”) report into compliant use of cookies and warns that the DPC’s six month grace period to correct issues of compliance expires on 5 October.

Background
Our online browsing, shopping or networking is regularly interrupted by the service provider asking us to accept their ‘cookie policy’. The vast majority of users will accept whatever the policy is without ever reading it, much less understanding it. A very small minority will review such a policy and then make an informed decision on whether to accept the ‘cookies’ or not. From a service provider’s perspective, cookies are a very valuable tool that essentially helps the website keep track of your visit and activity and generally make the interaction flow more seamlessly. There are different types of cookies –

• Session cookies – used only when a person is actively navigating a website; once you leave the site, the session cookie disappears.
• Tracking cookies – used to create long-term records of multiple visits to the same site.
• Authentication cookies – used to track whether a user is logged in, and if so, under what name.

DPC Review of compliance with cookies
In 2019, the Data Protection Commission (DPC) undertook an examination of cross-sector levels of compliance with Irish privacy and data protection laws when deploying cookies and other tracking technologies through websites and applications. This review was to assess whether GDPR standard consent is being obtained for the use of cookies and other tracking technologies, and to use these findings to develop updated cookies guidance.
The DPC’s report, published 6 April 2020, identified a significant lack of compliance with Privacy laws by a number of websites and apps operating on the Irish market. Overall, the DPC’s sweep of 38 websites and apps revealed widespread deficiencies and stated that this “suggests a more systemic issue that must be tackled firstly with the publication of new guidance, followed by possible enforcement action where controllers fail to voluntarily bring themselves into compliance.” The DPC provided a six-month grace period from that date, which expires October 05th before it considers taking enforcement measures.

DPCs Key Requirements
The DPC’s key requirements under its cookies guidance are:-

1. Consent
User consent must be obtained before any non-necessary cookies are stored on or accessed from a user’s device. This consent must meet the high standards for consent under the GDPR and this applies even if a cookie does not involve the processing of personal data. Operators can no longer imply a user’s consent. It is not necessary to obtain consent individually for each cookie. Instead, it should be obtained for each purpose for which cookies are used. Additionally, six months is the appropriate time limit for consent to be retained after which time the user must be prompted to give their consent again.

2. Are they ‘Strictly Necessary’
Cookies which are “strictly necessary in order to provide an information society service explicitly requested by the subscriber or user” do not require consent. However, this is a narrow exemption that must be carefully applied. Analytics cookies do not benefit from this exemption and thus require GDPR standard consent.

3. Inventory
In order to determine which cookies require consent, it is necessary to know exactly what cookies are used and why they are used. A common mistake by Irish operators has been to treat their cookies policy as a static document. Operators must maintain effective controls that monitor their platform for new cookies, update their consent framework to reflect these and delete cookies that are no longer needed.

4. Cookie Banners or Pop-Ups
Consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices. The DPC considers layered consent to be good practice. This is a common approach whereby a concise cookie banner or pop-up is displayed when a user lands on a website and which provides the first layer of information about the use of cookies. This should also include, as a second layer, a pathway to further information. Cookie banners and pop-ups can include features to allow users to accept, reject or manage cookies. However, a banner that only gives the user the option to click ‘accept’ to say yes to cookies and which provides no other option is not compliant. Further, the banner must not obscure any privacy notice or cookie policy.

5. Transparency
Users must be given clear and comprehensive information in accordance with Irish data protection legislation about the use of cookies. This requirement applies even if a cookie does not involve the processing of personal data. The DPC’s guidance highlights that accessibility for those with vision or reading impairments should be considered when designing user interfaces.

6. Third Party Cookies
Where a platform uses third-party cookies, both the operator and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. The DPC’s guidance reminds operators that using third party ‘like’ buttons, plugins or widgets, pixel trackers or social media-sharing tools may result in the website operator and the owner of these third-party assets being ‘joint controllers’ for the purpose of Article 26 of the GDPR. Operators must assess the possible joint controller issues arising from the use of third-party assets and plugins, and ensure this is reflected in their cookies consent framework.

7. Consent Management Platforms (CMPs)
Users must be able to withdraw or vary their consent as easily as they gave it. In practice, the DPC supports the use of website controls that allow users to choose what cookies are set and to change these choices at any time. It is very important when using third-party CMP’s to ensure that the settings reflect local privacy laws and guidance. The DPC highlighted that CMPs will be a “priority for enforcement”.

Reddy Charlton’s Recommendation
The DPC has put all operators on notice of their requirements and additionally their clear intent to enforce such standards and requirements. Operators would be well advised to review comprehensively their cookies in advance of 5 October and set reminders to update and assess their compliance on a regular basis.

How can Reddy Charlton help?
Reddy Charlton Solicitors advise clients on data protection, transfer and processing matters, having considerable experience and a number of experts in the area. If you have any queries or seek further information on Data Protection, Data Privacy any other area of commercial law, please contact Elaine McGrath at emcgrath@reddycharlton.ie