ICQ Log - Data Protection & Information Security:

Website Cookies: Countdown to Compliance 

Last Updated: 08 September 2020

Author: Steven Roberts is Head of Marketing at Griffith College, a Certified Data Protection Officer and a member of the Data Protection & Information Security Working Group. In the article Steven looks at the implications for businesses and the steps required to ensure compliance before the grace period ends on 5th October 2020.

Introduction
The Data Protection Commission (DPC) is most familiar to compliance professionals for its role in overseeing the implementation of the General Data Protection Regulation. However, the DPC’s remit extends beyond GDPR. It is also the national authority responsible for enforcement of the laws on ePrivacy. These include the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) and the Irish ePrivacy Regulations, implemented by Statutory Instrument (S.I.) No. 336 of 2011. One of the most high-profile aspects of this legislation relates to website cookies. (1) On 6th April 2020, the DPC issued its Guidance Note: Cookies and other tracking technologies, outlining what the Commission considers best practice. (2) In this short article, we will look at the implications for businesses and the steps required to ensure compliance before the grace period ends on 5th October 2020.

The Broader Context
Before discussing the guidance note itself, it is useful to understand the broader context within which it was issued. Under EU plans for a Digital Single Market, GDPR was intended to be one part of a suite of laws providing citizens and businesses with a harmonised data protection environment. Another key pillar is the ePrivacy Regulation (ePR). Known as a lex specialis, this legislation is separate from, but complements, the GDPR. The rules under ePrivacy apply first when considering an organisation’s use of cookies and tracking technologies.

The digital economy has progressed rapidly over the past two decades and the current ePrivacy Directive has become outdated. Legal and compliance professionals have struggled to align some aspects of the Directive with the GDPR, particularly regarding what constitutes valid consent to activate cookies.
Originally intended for introduction alongside GDPR in 2018, ePR has been repeatedly delayed due to disagreements between EU countries and substantial lobbying from industry. At present, it is unclear if or when the Regulation will come into effect.

Inconsistent Application
The delay in introducing the ePrivacy Regulation has caused problems for businesses. In its absence, individual European countries have issued their own guidance on website cookie best practice. Often, this has resulted in subtle but significant differences of interpretation. In Britain and Spain, for example, consent must be given before a site activates analytics cookies. The Spanish authority, however, recognises continuing to scroll or clicking a link on a web page as constituting consent, whereas Britain, France and Germany do not view the continued use of a website as meeting this requirement. As a result, companies with a multinational European presence must take local advice for each country in which they operate.

Key Aspects of the Guidance Note
In late 2019, the DPC carried out a cookie sweep of thirty-eight organisations, with a view to understanding current levels of compliance in Ireland. (3) It found significant issues across a range of areas. Some of the issues highlighted included websites setting cookies immediately on the landing page, in many instances non-necessary cookies set before any consent had been given. Others misclassified cookies as necessary or strictly necessary, while consent was found to be bundled in many cases. The DPC’s guidance note is intended to ensure greater levels of adherence across Irish organisations. At the time of writing, nearly four months of the six-month grace period have already elapsed. Businesses must therefore move quickly to align their activities. Some of the key takeaways are outlined below:


1. Organisations must obtain consent to store or set cookies.
2. The rules apply even where cookies do not store personal data. ePrivacy focuses on the confidentiality of all electronic communications. If personal data is stored, the additional requirements of GDPR also apply.
3. Consent must meet GDPR standards, being freely given, specific, informed and unambiguous. It must be as easy for a user to withdraw consent as it was to provide it in the first place.
4. Pre-ticked boxes and bundled consent, where approval is sought for a range of processing activities in a single action, are not allowed.
5. Continuing to use a website or scrolling through a landing page does not imply consent. Consent must be an affirmative action by the user, such as ticking a box.
6. Default settings on a browser do not constitute affirmative consent.
7. Analytics cookies require consent. However, the guidance states it is unlikely first-party analytics will be considered a priority for enforcement action.
8. Consent must be reaffirmed every six months. It is worth noting that a similar view has been taken by the French supervisory authority.
9. Businesses must have clear retention periods for each cookie. Retaining cookie data indefinitely does not meet the GDPR’s requirement for proportionality.
10. The guidelines do not recommend a particular method for obtaining consent. They recognise that website cookie banners are a typical way of achieving this objective.
11. Companies should avoid using language or interfaces that nudge the user to accept cookies.
12. The Commission recommends having both a cookie policy and a privacy policy, as these meet the requirements of ePrivacy and GDPR respectively.
13. The guidelines apply to other tracking technologies as well as cookies, for example tracking pixels, ‘like’ buttons and social sharing tools.
14. Companies must be aware of any data shared with third parties, for example through social tools, and put in place data processing agreements where necessary.
15. Finally, every effort should be made to present cookie banner information in a clear and accessible manner.
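To make the consent, withdrawal, six-month reaffirmation and retention points in the list above concrete for a web team, here is an added example of a minimal consent gate. It is not code from the article, the DPC or any consent management platform. The cookie names, category labels, retention periods, the 182-day approximation of "six months" and the use of a Map in place of document.cookie are all assumptions chosen so the example runs offline; a real site would wire the same gate to its tag loader and to document.cookie.

```javascript
// Added example, not code from the article or the DPC. Names, categories,
// retention periods and the 182-day "six months" are illustrative assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const SIX_MONTHS_MS = 182 * DAY_MS; // assumption: consent lapses after ~6 months

// Catalogue of every cookie the site may set, with its purpose category and the
// retention period declared in the cookie policy. Cookies not listed are never set.
const COOKIE_CATALOGUE = {
  lb_node:    { category: 'communication',      maxAgeDays: 0 },   // load balancer, session only
  session_id: { category: 'strictly-necessary', maxAgeDays: 0 },   // login session
  cart:       { category: 'strictly-necessary', maxAgeDays: 7 },   // basket the user asked for
  _ga:        { category: 'analytics',          maxAgeDays: 395 },
  chat_sid:   { category: 'functional',         maxAgeDays: 30 },  // website chatbot
  ad_id:      { category: 'advertising',        maxAgeDays: 90 },
};

// Categories covered by the communications and strictly-necessary exemptions.
const EXEMPT_CATEGORIES = new Set(['communication', 'strictly-necessary']);

// Categories the banner must ask about, each as a separate, unbundled choice.
const CONSENT_CATEGORIES = ['analytics', 'functional', 'advertising'];

// Build a consent record from the user's explicit choices. Every category must be
// an explicit boolean: a missing value is rejected rather than defaulted to true,
// so a pre-ticked or "default on" banner cannot produce a valid record.
function createConsentRecord(choices, grantedAt) {
  const clean = {};
  for (const cat of CONSENT_CATEGORIES) {
    if (typeof choices[cat] !== 'boolean') {
      throw new Error(`explicit choice required for category "${cat}"`);
    }
    clean[cat] = choices[cat];
  }
  return { choices: clean, grantedAt };
}

// A record older than six months no longer counts; the banner must be shown again.
function consentValid(record, now) {
  return record != null && now - record.grantedAt < SIX_MONTHS_MS;
}

// Withdrawal is one call that switches every optional category off.
function withdrawConsent(record, now) {
  const choices = {};
  for (const cat of CONSENT_CATEGORIES) choices[cat] = false;
  return { choices, grantedAt: now };
}

// The gate: exempt cookies always pass; anything else needs valid, specific consent.
function canSetCookie(name, record, now) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) return false;
  if (EXEMPT_CATEGORIES.has(entry.category)) return true;
  if (!consentValid(record, now)) return false;
  return record.choices[entry.category] === true;
}

// Set a cookie into a jar (a Map standing in for document.cookie), capping its
// lifetime at the catalogue's declared retention. Returns whether it was set.
function setCookieIfAllowed(jar, name, value, record, now) {
  if (!canSetCookie(name, record, now)) return false;
  const { maxAgeDays } = COOKIE_CATALOGUE[name];
  const expires = maxAgeDays > 0 ? now + maxAgeDays * DAY_MS : null; // null = session cookie
  jar.set(name, { value, expires });
  return true;
}

// Audit a jar as observed on, say, the landing page: flag cookies set without valid
// consent (the most common sweep finding), cookies missing from the catalogue, and
// cookies whose remaining lifetime exceeds the declared retention period.
function auditJar(jar, record, now) {
  const findings = [];
  for (const [name, cookie] of jar) {
    const entry = COOKIE_CATALOGUE[name];
    if (!entry) { findings.push({ name, reason: 'not in cookie catalogue' }); continue; }
    if (!canSetCookie(name, record, now)) {
      findings.push({ name, reason: 'set without valid consent' });
    }
    const limit = entry.maxAgeDays > 0 ? now + entry.maxAgeDays * DAY_MS : null;
    if (cookie.expires !== null && (limit === null || cookie.expires > limit)) {
      findings.push({ name, reason: 'lifetime exceeds declared retention' });
    }
  }
  return findings;
}

// Stand-alone demo over a constructed landing-page jar with no consent yet given.
if (typeof require !== 'undefined' && require.main === module) {
  const now = Date.UTC(2020, 8, 8);
  const landingJar = new Map([
    ['lb_node', { value: 'web-02', expires: null }],
    ['_ga', { value: 'GA1.2.123', expires: now + 730 * DAY_MS }],
  ]);
  console.log(auditJar(landingJar, null, now));
}
```

The audit compares each cookie's remaining lifetime against the retention period declared in the catalogue, which is a conservative check: a cookie that was set earlier will have less remaining lifetime than its declared maximum, so a cookie that is flagged is certainly over its declared limit. In production the same catalogue should be the single source for the cookie policy, the banner's category list and the tag loader, so that a cookie cannot be reclassified as "strictly necessary" in one place without the change being visible in the others.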

Exemptions
There are two exemptions to the requirement to obtain consent from a website user. The first is known as the communications exemption. This applies to cookies whose sole purpose is ‘carrying out the transmission of a communication over a network’. The DPC gives the example of a load-balancing cookie used to distribute network traffic across different servers. The second exemption is for cookies deemed strictly necessary. To meet this criterion, the service must be delivered over the internet, have been explicitly requested by the user, and the cookie must be restricted to only what is strictly necessary to provide that service. Cookies relating to advertising and website chatbots are two examples where explicit consent must always be obtained before deployment.

Implications for Irish Businesses
The implications for Irish businesses are considerable and extend beyond meeting the DPC’s list of requirements. For marketing and sales teams, the need to receive consent before deploying analytics cookies will effectively set a new baseline for their website metrics. A significant number of users are unlikely to opt in, making it difficult to accurately compare year-on-year performance across the site. Customer service departments relying on website chatbots to deal with consumer queries must assess how to cater to customers who choose not to opt in to this function. Many companies will need to implement a consent management platform (CMP) if one is not already in place, as it will not be feasible to manually oversee aspects such as the requirement to reaffirm consent every six months. Lastly, any firms still relying on pre-ticked forms of consent must amend their practices as soon as possible. Compliance officers will need to consult widely across the business to ensure key departments and stakeholders are aware of the upcoming changes, and to minimise the potential impact on day-to-day operations.

Conclusion
The DPC’s note provides welcome guidance for Irish businesses. However, the short grace period will see many firms having to move rapidly in order to ensure they are compliant on or before 5th October. This must be given high priority by compliance professionals in their plans for Q3 and Q4 of 2020. At a broader level, the goal of a harmonised Europe-wide approach to website cookies remains an unfulfilled ambition, and will remain so until a new ePrivacy Regulation is approved and implemented. For Irish businesses with an online presence across EU countries, this adds further complexity as they seek to meet DPC requirements whilst also complying with local best practice in other European jurisdictions.

Author: Steven Roberts, Head of Marketing | Board Director | Author

ICQ Autumn Edition 2020

This article was taken from the Compliance Institute's ICQ Autumn Edition 2020