On 6 April 2020, updated guidance on cookie compliance for Irish websites was released by the Irish Data Protection Commission (the DPC).

The guidance was produced following an investigation undertaken by the DPC into the levels of compliance with privacy and data protection laws relating to cookies and tracking technologies by a range of Irish companies.

In accordance with the new guidance, Irish companies have until 6 October 2020 to ensure their cookie policies are brought in line with regulations, and a failure to do so may result in enforcement action from the DPC and financial penalties.

What are Cookies?

Cookies are small text files stored on a device such as a PC or a mobile device or any other device that can store information. The main function of cookies on a website is to recognise a particular user and the user’s previous interaction with the website. The information stored in cookies may include personal data, such as an IP address, a username, or an email address.

These functions can be very useful, or even necessary for a website to operate in an accessible way. Essential cookies are those which are absolutely necessary to allow a website to deliver its service. Essential cookies do not require consent, however, they must be “strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”. Examples of the functions of essential cookies are to keep track of items in shopping carts or keep users logged in as they navigate a site securely through to purchase of an item.

Non-essential cookies, conversely, are any cookies which fall outside of what is strictly necessary for a website to deliver a service to users. Examples of non-essential cookies include collecting site stats and information on users for the purpose of marketing or analytics. Consent must be obtained for all non-essential cookies.

The Legislation

Regulation 5 of the European Communities (Electronic Communities Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011) (the ePrivacy Regulations) is the relevant legislation regulating the use of cookies. The Regulations exist in addition to, and complement, the General Data Protection Regulation (GDPR).

As per the ePrivacy Regulations, a website must disclose specifically how cookies will be used and provide clear and comprehensive information to inform a user’s decision to consent. The DPC’s investigation revealed that the majority of Irish companies are not providing sufficient information to their users regarding the use of cookies, and a general consent to cookies does not amount to specific consent for uses such as personal data being used by advertising platforms for marketing campaigns.

Consent

Although essential cookies do not require consent, this exemption is narrowly interpreted and must be carefully availed of. The DPC reported that a number of companies in the investigation undertaken had incorrectly identified cookies as essential and as a result had misapplied this exemption.

With regard to non-essential cookies which require consent, Irish companies should not allow any of these to operate on their websites until after a user has given explicit and informed consent. A user’s consent can no longer be implied, and the consent obtained must be in line with the standard for consent under GDPR, being freely given consent by way of a clear affirmative act, which is specific, informed and unambiguous.

How can I be Compliant?

Cookie consent pop-ups are cookie warnings that pop up on websites when a user visits the site for the first time. They are widely used as a means of complying with GDPR and the Regulations. The function of a cookie pop-up is simply to declare what cookies and trackers are present on a website and give users a choice of consent before their data is processed.

Typically, there is a first and a second layer of information provided by a cookie pop-up. The first layer is the initial cookie warning advising that user consent is required. A link or means of access should be provided to the second layer, which should contain further detail in relation to cookies policy, privacy notice and cookies management functionality.

Cookie pop-ups should include features to allow users to accept, reject or manage cookies. While a cookie pop-up is not required to include on its face a “Reject All” option, cookie pop-ups that only give the user the option to click “Accept” are non-compliant. Equal emphasis should be given to whatever options are provided on the cookie pop-up, and cookie consent settings should be easily manageable and changeable at all times.

Consent Management Platforms

A consent management platform (CMP) can be an extremely useful tool in ensuring compliance with the Regulations and GDPR. A CMP is a platform which enables a company to automate the cookie consent management process on its website, thereby ensuring consistent compliance with the regulations.

CMPs can be developed in-house or sourced externally. It is important to note that while sourcing a CMP externally may seem like the most straightforward option, all cookie pop-ups must be compliant both with GDPR at a European level, and the Regulations at a local level.

Conclusion

For most Irish companies who operate online, the task of ensuring compliance with the guidance and the Regulations prior to 6 October 2020 will simply require an update to the cookie message which appears on their website.

Implied consent, over simplified cookie messages, pre-ticked options, or poor information on the use of cookies and their purposes may lead to companies being investigated and fined by the DPC. This is particularly relevant now as a willingness by authorities to investigate breaches of privacy regulations and impose fines is an emerging trend across Europe.

This trend, in tandem with the recent decision by the DPC to fine Tusla €75,000 for breaches of GDPR, gives credence to the stated intention of the DPC to actively exercise enforcement powers later this year in the case of those websites and apps that do not significantly adjust their cookie consent management processes.