Following a sweep of 40 websites, the Irish Data Protection Commission (DPC) has published a report on the use of cookies and other tracking technologies. The sweep assessed the cookie and tracking practices of website operators against the relevant ePrivacy Regulation (S.I. 336/2011 in Ireland) and, where applicable, the consent standard as defined in the General Data Protection Regulation (GDPR).
Numerous shortcomings were found, on the back of which the Commission has given website operators a six-month period to bring their processing practices relating to cookies and similar technologies into compliance. It has also released updated guidance on how to comply with the various requirements.
Main Findings
The following are the main findings of the cookie sweep report:
- In many instances, cookies are being set when a user initially lands on a website, without giving the user an opportunity to control their use prior to processing (this was the case in all but one website included in the sweep exercise);
- Cookies are often miscategorised as ‘strictly necessary’. In practice this exemption will only apply in limited instances. Analytics cookies, for example, cannot be considered as strictly necessary;
- Other methods that enable user tracking, such as pixel trackers (e.g., Facebook Pixel) or device fingerprinting, need to be treated in the same way as cookies. Some controllers did not report this type of processing to the DPC, either because they were not aware they were using it, or because they did not realise that this type of processing was in scope;
- Over a quarter of the respondents were found to have pre-checked boxes to consent to cookies. This is not a valid practice and website operators should bring their interfaces into compliance;
- There are many instances of cookie banners offering no choice other than ‘Accept’ or similar affirmative action. These do not reach the bar for gaining informed, unambiguous, freely-given consent;
- Relying on implied consent to cookies (e.g., the user continuing to browse or scroll the website) or relying on browser settings to infer consent is not valid;
- In some cases, Consent Management Platforms (CMP) were used that had no effective control over the placement of cookies on the website;
- The user interfaces provided by CMPs were often not adequate to provide enough information or control over cookies and tracking technologies, with some employing nudging techniques to encourage users to make one choice over another;
- Many CMPs are not designed with accessibility in mind, presenting problems for users who have difficulty navigating them (e.g., users with colour blindness);
- Where consent is gained, websites are often processing based on this consent for longer periods than the DPC would recommend. Setting an expiration period on cookies with an outer limit of six months for maintaining a user’s consent is preferable.
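Several of the findings above (cookies set on landing before any choice is offered, CMPs with no effective control over placement, and consent retained for longer than six months) come down to how the consent layer is wired. The following is an added example, not code from the DPC report or from Trilateral: a minimal consent gate that queues every non-essential tag until an explicit opt-in, caps the consent record at six months, and an audit helper that reads the Set-Cookie headers seen on first load and flags the two problems the sweep highlighted. The category names, the sample cookie names and values, and the 182-day reading of "six months" are assumptions.

```javascript
// Added example, not the DPC's or Trilateral's code. Category names, sample
// cookies and the 182-day figure are assumptions made for illustration.

const SIX_MONTHS_SECONDS = 182 * 24 * 60 * 60; // assumed reading of the six-month outer limit
const CATEGORIES = new Set(["necessary", "analytics", "marketing"]);

class ConsentGate {
  constructor() {
    this.granted = new Set(["necessary"]); // strictly-necessary cookies need no consent
    this.pending = new Map();              // category -> queued {name, loader}
    this.loaded = [];                      // names of tags that have actually run
  }

  // Register a tag. Anything outside "necessary" is queued, so nothing is set
  // on landing; it runs only once grant() is called from an affirmative action.
  register(name, category, loader) {
    if (!CATEGORIES.has(category)) throw new Error(`unknown category: ${category}`);
    if (this.granted.has(category)) {
      loader();
      this.loaded.push(name);
      return true;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push({ name, loader });
    return false;
  }

  // Wire this to an explicit click on a clearly labelled control, never to
  // scrolling, continued browsing, browser settings or a pre-checked box.
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.has(c)) continue;
      this.granted.add(c);
      for (const { name, loader } of this.pending.get(c) || []) {
        loader();
        this.loaded.push(name);
      }
      this.pending.delete(c);
    }
  }

  isAllowed(category) {
    return this.granted.has(category);
  }

  // Set-Cookie value recording the decision. Max-Age is capped at six months
  // so consent is re-sought after that period, whatever the caller requests.
  consentCookie(requestedMaxAge = SIX_MONTHS_SECONDS) {
    const maxAge = Math.min(requestedMaxAge, SIX_MONTHS_SECONDS);
    const value = encodeURIComponent(JSON.stringify([...this.granted].sort()));
    return `cookie_consent=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
  }
}

// Parse one Set-Cookie header into its name and remaining lifetime in seconds
// (null for a session cookie). Max-Age takes precedence over Expires (RFC 6265).
function parseSetCookie(header, now = Date.now()) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const name = nameValue.split("=")[0];
  let maxAge = null;
  let sawMaxAge = false;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age") {
      maxAge = parseInt(val, 10);
      sawMaxAge = true;
    } else if (key === "expires" && !sawMaxAge) {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) maxAge = Math.round((t - now) / 1000);
    }
  }
  return { name, maxAgeSeconds: maxAge };
}

// Audit helper: given the Set-Cookie headers observed on first load (before any
// interaction) and a classification table, report non-essential cookies set
// before consent and lifetimes beyond six months.
function auditLandingCookies(setCookieHeaders, classification, now = Date.now()) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, maxAgeSeconds } = parseSetCookie(header, now);
    const category = classification[name] || "unknown";
    if (category !== "necessary") {
      findings.push({ name, issue: `set before consent (category: ${category})` });
    }
    if (maxAgeSeconds !== null && maxAgeSeconds > SIX_MONTHS_SECONDS) {
      findings.push({ name, issue: "lifetime exceeds six months" });
    }
  }
  return findings;
}

// Constructed sample: what a crawler might record on a landing page with no consent given.
const SAMPLE_LANDING_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.2.111; Max-Age=63072000; Path=/",
  "_fbp=fb.1.222; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
];
const SAMPLE_CLASSIFICATION = { sessionid: "necessary", _ga: "analytics" };
const SAMPLE_NOW = Date.parse("2026-01-01T00:00:00Z"); // fixed clock for a repeatable audit

console.log(auditLandingCookies(SAMPLE_LANDING_HEADERS, SAMPLE_CLASSIFICATION, SAMPLE_NOW));
```

The gate is deliberately DOM-free so it can be unit-tested; in a page, each `loader` would inject the third-party script tag, and `grant()` would be bound to the banner's accept control. The audit helper is the check a site owner can run against their own landing page: anything it reports that is not in the strictly-necessary table is a cookie being set before the user has had a chance to decide.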
The DPC noted that almost all the sites reviewed had compliance issues ranging from minor to serious. More than a quarter were given a ‘Red Rating’ in the report, based on the poor quality of the responses submitted to the Commission and the bad practice regarding cookie processing observed on the assessed websites. The restaurant and food-ordering sectors came in for particular criticism, while the media and publishing and the banking and finance sectors were noted to have high numbers of third-party trackers.
Health-related websites present a clear case for concern where data relating to users is shared with third parties. The DPC observed this to be the case with some of the websites in scope of its review, one being a public-sector organisation. There is a risk that third parties, such as Facebook, would be able to build up profiles of users containing sensitive data points inferred from their visits to such health-related sites. This data is considered special category data under the GDPR and would require explicit consent to share.
Context
While a new ePrivacy Regulation is working its way through the legislative process, it has suffered repeated delays. The assessment performed by the DPC during this cookie sweep exercise, and its subsequent updated guidance, are firmly based on current law. Controllers who are not compliant with its provisions now risk action being taken by the DPC, which has expressed its clear intention to pursue such actions.
The DPC has given a six-month period to bring websites into compliance, after which action, up to and including enforcement action, will be considered. It has signalled its intention to use the investigative powers and tools available under the GDPR and the Irish Data Protection Act 2018, including inquiries (with or without an investigation), inspections or audits, to examine all aspects of a controller’s processing of personal data. An observation of non-compliance with regard to cookie processing could therefore lead to broader investigations into compliance with transparency, accountability and security of processing operations. You can read more about the DPC’s latest cookie guidance, along with our analysis, here.
Trilateral’s Data Governance and Cyber-Risk Team has significant experience helping our clients navigate compliance with processing related to cookies and similar technologies. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support to facilitate compliant cookie processing. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and, ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.