Key Aspects of the Guidance Note
In late 2019, the DPC carried out a cookie sweep of thirty-eight organisations, with a view to understanding current levels of compliance in Ireland.(3) It found significant issues across a range of areas. Some websites set cookies immediately on the landing page, in many instances non-necessary cookies. Others misclassified cookies as necessary or strictly necessary, and consent was found to be bundled in many cases. The DPC’s guidance note is intended to ensure greater levels of adherence across Irish organisations. At the time of writing, nearly four months of the six-month grace period have already elapsed. Businesses must thus move quickly to align their activities. Some of the key takeaways are outlined below:
1. Organisations must obtain consent to store or set cookies.
2. The rules apply even where cookies do not store personal data. ePrivacy focuses on the confidentiality of all electronic communications. If personal data is stored, the additional requirements of GDPR apply.
3. Consent must meet GDPR standards, being freely given, specific, informed and unambiguous. It must be as easy for a user to withdraw consent as it was to provide it in the first place.
4. Pre-ticked boxes and bundled consent, where approval is sought for a range of processing activities, are not allowed.
5. Continuing to use a website or scrolling through a landing page does not imply consent. Consent must be given through an affirmative action by the consumer, such as ticking a box.
6. Default settings on a browser do not constitute affirmative consent.
7. Analytics cookies require consent. However, the guidance states it is unlikely first-party analytics will be considered a priority for enforcement action.
8. Consent must be reaffirmed every six months. It is worth noting a similar view has been taken by the French supervisory authority.
9. Businesses must have clear retention periods for each cookie. Retaining cookie data indefinitely does not meet the GDPR’s requirement for proportionality.
10. The guidelines do not recommend a particular method for obtaining consent. They recognise that website cookie banners are a typical way of achieving this objective.
11. Companies should avoid using language or interfaces that nudge the user to accept cookies.
12. The Commission recommends having both a cookie policy and a privacy policy, as these meet the requirements of ePrivacy and GDPR respectively.
13. The guidelines apply to other tracking technologies as well as cookies, for example pixel trackers, like buttons and social sharing tools.
14. Companies must be aware of any data shared with third parties, for example through social tools, and put in place data processing agreements where necessary.
15. Finally, every effort should be made to present cookie banner information in a clear and accessible manner.