Executive Summary

In April 2020 the Data Protection Commission ("DPC") issued a guidance note on the use of cookies by data controllers (the "Guidance"). The Guidance was accompanied by a report which detailed the DPC's findings from its examination of the use of cookies and similar technologies by a selection of website operators from a range of different industry sectors, including some in the financial services sector (the "Report"). The purpose of this examination was to determine how, and whether, organisations are complying with the law in this area.

The Guidance is largely born out of the deficiencies identified by the DPC in the Report. The Guidance clarifies the law applicable to the use of cookies and similar technologies and, amongst other things, explains the requirements around consent (including how it should be obtained in practice), the use of cookies and the extent to which their use may be exempt from the requirement to obtain consent.

The DPC states in the Guidance that it would allow a period of six months from its publication (i.e. until 6 October 2020) for data controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.

With this deadline fast approaching, data controllers should review their use of cookies and similar technologies now to ensure that they are in compliance with their legal obligations in advance of 6 October 2020.

Background

The legal regime that currently applies to the use of cookies is the ePrivacy Directive 2002 (as amended) and the ePrivacy Regulations 2011 (which transpose the ePrivacy Directive 2002 into Irish law) (the "ePrivacy Regulations").

Additionally, where cookies contain identifiers that may be used to target a specific individual, or where information is derived from cookies and other tracking technologies that may be used to target or profile individuals, this will constitute personal data and its processing is also subject to the rules set out in the General Data Protection Regulation ("GDPR").

Overview of the Guidance

Consent

The DPC notes in the Guidance that the purpose of the law on cookies is "to protect individuals from having information placed on their devices, or accessed on their devices, without their consent, that may interfere with the confidentiality of their communications."

The Guidance states that an individual's consent for the setting of cookies, including analytics cookies, must be a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". This is noted as being the same standard of consent as required by the GDPR. Consent is required for the setting of cookies whether the cookies contain personal data or not.

The DPC also notes that consent may not be "bundled" for multiple purposes and that website operators "are not permitted to use pre-checked boxes, sliders or other tools set to 'ON' by default to signal a user's consent to the setting or use of cookies." In particular, explicit consent must be obtained where the use of cookies involves the processing of personal data.

These clarifications and further guidance by the DPC provide data controllers with clarity on how to appropriately and adequately obtain consent when using cookies.

The Guidance highlights that certain limited exemptions from the requirement for consent under the ePrivacy Regulations do exist.

Withdrawal of Consent

In addition to the requirement that data controllers must provide "clear and comprehensive" information as to how cookies are being used, users must also be informed of their right to withdraw their consent to the setting of cookies at any time and the means by which they may withdraw their consent.

Practical issues around obtaining Consent

The Guidance is clear that reliance upon implied consent to the setting of cookies or the use of pre-checked boxes is not permitted. Furthermore, relying on a user's browser setting to infer consent to the setting of cookies is generally prohibited.

The DPC recommends that a website operator's request for consent, which is typically done by means of a cookie website banner, should be accompanied by an option to reject cookies and links to the cookies policy and privacy policy containing further information on the use and purpose of the cookies.

Those cookies should have a lifespan proportionate to their purpose and use.

Steps to take

1. Review current uses of cookies and similar tracking technologies;

2. Review existing privacy and cookie policies to ensure they are up to date and that they reflect current practices;

3. Review the user interface on your website to ensure it is in line with the Guidance.
