The DPC states in the Guidance that it would allow a period of six months from its publication (i.e. 6 October 2020) for data controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.
Additionally, where cookies contain identifiers that may be used to target a specific individual, or where information is derived from cookies and other tracking technologies that may be used to target or profile individuals, this will constitute personal data and its processing is also subject to the rules set out in the General Data Protection Regulation ("GDPR").
Overview of the Guidance
The DPC notes in the Guidance that the purpose of the law on cookies is "to protect individuals from having information placed on their devices, or accessed on their devices, without their consent, that may interfere with the confidentiality of their communications."
The Guidance states that an individual's consent for the setting of cookies, including analytics cookies, must be a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". This is noted as being the same standard of consent as required by the GDPR. Consent is required for the setting of cookies whether the cookies contain personal data or not.
These clarifications and further guidance by the DPC provide data controllers with clarity on how to appropriately and adequately obtain consent when using cookies.
The Guidance highlights that certain limited exemptions from the requirement for consent under the ePrivacy Regulations do exist.
Withdrawal of Consent
In addition to the requirement that data controllers must provide "clear and comprehensive" information as to how cookies are being used, users must also be informed of their right to withdraw their consent to the setting of cookies at any time and the means by which they may withdraw their consent.
Practical issues around obtaining Consent
The Guidance is clear that reliance upon implied consent to the setting of cookies or the use of pre-checked boxes is not permitted. Furthermore, relying on a user's browser setting to infer consent to the setting of cookies is generally prohibited.
Those cookies should have a lifespan proportionate to their purpose and use.
Steps to take
1. Review current uses of cookies and similar tracking technologies;
2. Review existing privacy and cookie policies to ensure they are up to date and that they reflect current practices;
3. Review user interface on your website to ensure it is line with the Guidance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.