DPC's Guidance on Cookies, Consent and Compliance by 6 October 2020
Wednesday, 19 August 2020In October 2019, we provided an update on the EU Court of Justice’s Planet49 decision and highlighted the main data processing implications for Irish organisations that use cookies and how the requirements of valid cookie consent under the ePrivacy Directive 2002/58/EC have evolved since the advent of the General Data Protection Regulation (“GDPR”).
Further to the Planet49 decision, in April 2020, the Data Protection Commission (“DPC”) released substantive guidance on cookies and other trackers, and stated its intention to enforce such guidance, with important implications for all Irish organisations that use cookies and similar technologies on their websites. Organisations were given a grace period to comply with the guidance, which expires on 6 October 2020.
Context of the DPC’s Guidance - the cookies “sweep”
Regulation of the use of cookies by all sectors is a current area of focus for the DPC. In April this year, the DPC issued a Guidance Note: Cookies and other tracking technologies(“Guidance”) following its earlier 2019 cookies ‘sweep’ survey - a compliance investigation conducted between August and December 2019 to monitor the websites of 38 Irish data controllers across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector.
The sweep monitored controllers’ compliance with both the GDPR and the ePrivacy Directive (implemented in Ireland by the ePrivacy Regulations (S.I. No. 336/2011)). In particular, the sweep sought to establish what types of cookies are placed on the browsing equipment of users of the controllers’ websites; whether users' GDPR-compliant consent is gained in order to place such cookies and whether the controllers provide users with the appropriate information prior to placing cookies on their browsing equipment.
The DPC classified each controller’s level of compliance using a “red, amber and green” coding system. Of the 38 respondents, only 2 organisations received a full “green” rating (indicating substantial compliance), with the majority of controllers found to have potential compliance issues in relation to the legal and regulatory requirements.
What are the key points in the Guidance?
The DPC issued the Guidance to serve as a starting point for Irish controllers to assess their own compliance with the law on cookies and similar tracking technologies. In addition to cookies consent requirements on which we have previously commented, we have set out a number of key points raised in the DPC’s Guidance below:
- Cookie lifespan: the DPC stressed that the expiry date of any cookie should always be proportionate to its purpose. For instance, a cookie required for remembering information in a user’s online shopping cart should not have an indefinite expiry date and should be set to expire once it has served its function (or very shortly afterwards).
- Periodic renewal of consent: For controllers who keep a record of users’ consent to the use of cookies, the DPC considers the appropriate length of time after which this consent should then be re-obtained should be no longer than six months after they have recorded the users’ last consent status. Equally, where users initially declined to give consent, their consent to cookies could be sought again at this time. The six month period is, in the DPC’s view, the outer timeframe for storing a user’s consent status and storage of a record of valid consent for a longer period would need to be justified on a case-by-case basis. Since publication of the Guidance, the European Data Protection Board, has issued updated guidelines on valid consent, that clarify that websites that block access to content until a user accepts cookies, so called “cookie walls”, do not present the user with a genuine choice and are not therefore compliant.
- Consent Management Platforms: The DPC acknowledged the use of consent management platforms (“CMPs”) i.e. systems provided by third parties designed to help organisations record and manage cookie consent and demonstrate compliance with the ePrivacy Regulations and GDPR. The DPC stressed that users’ consent recorded by a CMP should be retained by the controller as part of their record of processing activities under Article 30 GDPR. Controllers must also limit the length of time such consent is valid for (which should be no longer than six months) and should re-obtain the users’ consent when the requisite time period for consent has expired.
- Analytics cookies: The DPC re-iterated that analytics cookies (such as those that measure the number of visitors to a website and the pages they visit) require the consent of the user before being placed on their device. The DPC states that first-party analytics cookies are not likely to create a privacy risk when they are strictly limited to first-party aggregated statistical purposes and are unlikely to be considered a priority for enforcement action. However, third party analytics i.e. those carried out by parties other than the controller, sometimes for their own purposes, may be considered to represent a greater privacy risk to the user.
- Third party buttons and widgets: Where controllers allow third parties to deploy ‘like’ buttons, plugins, widgets, pixel trackers or social media-sharing tools, they should be fully aware of what data is being transferred to those third parties. Further to the Court of Justice of the EU’s judgment in Fashion ID, website operators may be considered to be joint controllers in respect of personal data that is collected and disclosed to those third parties. Other third parties, such as payments processing services, may potentially act as processors on a controller’s behalf; thereby requiring a data processing agreement to be in place with the controller under Article 28 GDPR. Accordingly, website operators should take steps to ascertain the data processing relationships with all third parties involved in their website, and determine the responsibilities and liabilities arising from such relationships.
- Systemic tracking or profiling: Finally, the DPC stated that where a website’s processing operations involve (through cookies or otherwise): (i) the systematic monitoring, tracking or observing of individuals’ location or behaviour or the profiling of individuals on a large scale; or (ii) the combination, linking or cross-referencing of separate datasets that significantly contributes to or is used for profiling or behavioural analysis of individuals (particularly where different controllers are involved), then the controller must carry out a data processing impact assessment (“DPIA”) under Article 35 of GDPR.
Further to the Guidance, how long do controllers have to bring their websites into compliance with GDPR and the ePrivacy Regulations?
Whilst the DPC have already been quite active in enforcing ePrivacy Regulations infringements arising from unsolicited marketing communications, to date, they have been less active in relation to cookies requirements. However, this is now set to change.
As mentioned above, the DPC has allowed a short grace period (until 6 October 2020) for organisations to comply, after which time, enforcement action will be considered. In the meantime, the DPC is active with regards to ongoing communication with a large number of controllers across a range of sectors in the area of cookies.
Non-compliance and enforcement actions
If an organisation uses any cookies which process users’ personal data - the DPC’s enforcement powers will not be limited to those available under the ePrivacy Regulations. Where cookies which process personal data are concerned, the DPC may also use their extensive powers under GDPR and the Data Protection Act 2018 (i.e. inspections, audits, investigations and the higher levels of GDPR fines) in order to enforce compliance. Enforcement measures can also require organisations to suspend processing of personal data. Non-cooperation with the DPC can lead to a fine of up to 2% of turnover or €10m under Article 31 of GDPR.
In addition to the financial risks of enforcement actions, there is also the prospect of reputational damage and negative publicity. Where the DPC serves enforcement notices which are not complied with, details of the non-complying organisations concerned can be made publicly available in the DPC’s annual report.
You can find the DPC’s Report on their cookies sweep and the Guidance here. For further information or advice, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey or any member of the ByrneWallace Data Protection/GDPR Team.