Five things needed for compliant cookie processing

Date: 22 October 2020

Public authorities, businesses and other organisations operating in Ireland need to bring their cookie processing into compliance with the latest DPC Guidance, since the DPC is planning to begin enforcing cookie compliance from October 2020. This piece identifies five key items that website operators should be paying attention to in order to ensure that they meet the DPC's expectations.

1 – Consent is required

Consent must be gained for any storage of or access to information on users’ devices. There are only two very narrow exemptions to this requirement – where the cookie is necessary to facilitate communication with the user (most website operators will be unable to avail of this), or where the cookie is strictly necessary for the provision of a service to the user. The second exemption is the one website operators are more likely to fall under, but again, only for very narrow processing purposes, for example to provide shopping cart functionality or to remember a user’s language preference. Other types of processing that require cookies and are purely functional, e.g. providing chatbot functionality or embedding videos or social widgets, would not be considered strictly necessary, and as such, consent must be gained for using these.

2 – Understand that requirements cover more than cookies and personal data

The legal requirements apply to cookies and ‘similar technologies’. ‘Similar technologies’ that would come within scope include pixel trackers, browser fingerprinting, and the use of local storage, among others. There is no exhaustive list, as the requirement attempts to be technology-agnostic by covering similar technologies in addition to cookies themselves. The ePrivacy Regulations, from which the cookie requirements are drawn, require that consent should be gained for any access to information stored in the terminal equipment of a subscriber or user, or to store any information on the person’s device. Close attention should be paid to the fact that information is broader than just personal data, which is often a source of confusion for businesses looking at these requirements. Website operators should consider whether their processing falls under this broad scope – beyond the basic use of cookies that are placed as text files on a user’s computer, and not limited solely to personal data.

3 – No pre-checked boxes

Website operators should understand that consent is only valid if it is freely given, informed, specific to the purpose it is gained for, and an unambiguous indication of the user’s wishes. Consent will not be valid if check boxes, sliders, or other tools are set to ‘ON’ or ☑ by default. There has been precedent set on this topic in the courts, and ample guidance issued by data protection authorities. Website operators should be transparent about who is collecting the information and the purpose for which the cookie is required.

4 – Control over processing purposes

It is most important that users are given control over the individual processing purposes (or reasons) for which cookies are in use. For example, a website may be using cookies for reasons such as: Analytics, Video Embeds & Customer Support. There may be multiple cookies in use under each category, but a user can express their consent to the top-level reason that a cookie is needed. Following a layered approach to transparency, a user should ideally be able to request more information about the individual cookies required under each purpose, and be able to exercise more fine-grained control over these cookies, should they wish.

5 – Users’ choices should have a real effect

A problem that we see frequently is that while a Consent Management Platform (CMP) may have been implemented to give users control over cookies, what is happening under the hood often does not reflect what the user is choosing. For example, in some cases analytics cookies have been placed on a device automatically, before the user makes a choice about consent, or despite the user choosing not to give their consent. If the choices a user expresses via the CMP are not being respected, the CMP is not operating correctly or effectively. In such cases, valid consent is not being gained and unlawful processing is occurring. Website operators should validate that the CMP configuration is being respected.
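The check described in items 4 and 5 can be automated: keep a registry of every cookie the site uses, mapped to its top-level purpose, start every purpose unchecked, and audit the cookies actually observed in a request against the user's recorded choices. The following is an added example, not code from the original post or from any CMP product; the cookie names, purposes and consent records are constructed for illustration, and the strictly-necessary exemption is the only purpose treated as consent-free.

```javascript
// Hypothetical cookie registry for the site: every cookie name in use,
// mapped to the top-level processing purpose it serves (constructed example data).
const COOKIE_REGISTRY = {
  session_id: { purpose: "strictly_necessary", description: "shopping cart session" },
  lang:       { purpose: "strictly_necessary", description: "language preference" },
  _ga:        { purpose: "analytics",          description: "analytics visitor id" },
  _gid:       { purpose: "analytics",          description: "analytics session id" },
  yt_embed:   { purpose: "video_embeds",       description: "embedded video player" },
  chat_uid:   { purpose: "customer_support",   description: "chatbot visitor id" },
};

// Only the strictly-necessary purpose is exempt from consent.
const EXEMPT_PURPOSES = new Set(["strictly_necessary"]);

// The purposes a user can be asked to consent to, derived from the registry.
const CONSENT_PURPOSES = [...new Set(
  Object.values(COOKIE_REGISTRY)
    .map((entry) => entry.purpose)
    .filter((purpose) => !EXEMPT_PURPOSES.has(purpose))
)];

// Initial consent record: no choice made yet and every purpose unchecked (no pre-ticked boxes).
function defaultConsent() {
  const purposes = {};
  for (const purpose of CONSENT_PURPOSES) purposes[purpose] = false;
  return { decided: false, purposes };
}

// Record an explicit user choice for one purpose; unknown purposes are rejected.
function recordChoice(consent, purpose, granted) {
  if (!(purpose in consent.purposes)) throw new Error(`unknown purpose: ${purpose}`);
  return { decided: true, purposes: { ...consent.purposes, [purpose]: granted === true } };
}

// Parse a Cookie request header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const cookies = new Map();
  for (const part of (header || "").split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    cookies.set(name.trim(), value);
  }
  return cookies;
}

// Decide whether a single cookie may be present given the consent record.
function isPermitted(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return { permitted: false, reason: "cookie not in registry" };
  if (EXEMPT_PURPOSES.has(entry.purpose)) return { permitted: true, reason: "strictly necessary" };
  if (!consent.decided) return { permitted: false, reason: "set before any consent choice" };
  if (consent.purposes[entry.purpose]) return { permitted: true, reason: `consented to ${entry.purpose}` };
  return { permitted: false, reason: `no consent for ${entry.purpose}` };
}

// Audit every cookie observed in a request against the consent record.
// Returns the cookies that should not be there; an empty array means the CMP is being respected.
function auditCookies(cookieHeader, consent) {
  const violations = [];
  for (const [name] of parseCookieHeader(cookieHeader)) {
    const verdict = isPermitted(name, consent);
    if (!verdict.permitted) violations.push({ name, reason: verdict.reason });
  }
  return violations;
}

// Constructed scenarios mirroring the failures described above.
const BEFORE_CHOICE = "session_id=abc123; lang=en; _ga=GA1.2.111; _gid=GA1.2.222";
const ANALYTICS_ONLY = recordChoice(defaultConsent(), "analytics", true);
const AFTER_PARTIAL_CONSENT = "session_id=abc123; _ga=GA1.2.111; yt_embed=1";

console.log("before any choice:", auditCookies(BEFORE_CHOICE, defaultConsent()));
console.log("analytics only:", auditCookies(AFTER_PARTIAL_CONSENT, ANALYTICS_ONLY));
```

Run the audit over real requests (for instance from a proxy log or a browser automation run that walks the site with each consent combination) and treat any non-empty result as a CMP misconfiguration to fix; a cookie that is absent from the registry is reported too, since an unregistered cookie cannot have been disclosed to the user.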

Trilateral’s Data Governance and Cyber-Risk Team has extensive experience working with organisations and their digital partners to ensure that their cookie processing meets both legal requirements and best practice. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support to facilitate compliant cookie processing. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.
