New Guidance on Cookies and Tracking Technologies
Hoping everyone is safe and well in these challenging times.
With just over two weeks to go before the Data Protection Commission (DPC) begins enforcing its new guidance on web cookie compliance, we are reminding members to familiarise themselves with the guidance and to speak to their website provider for more information and to identify issues of non-compliance.
In April, the DPC gave businesses operating websites and apps six months to bring their policies and practices in line with this new advice on cookie management. Businesses now have until 5th October 2020 to voluntarily remedy any identified issues and to ensure compliance to avoid facing financial penalties.
Main points from the DPC’s guidance include the following:
- The rules set out in the guidance are applicable not only to cookies but also to other tracking technologies, including local storage objects (LSOs) or ‘flash’ cookies, software development kits (SDKs), pixel trackers (or pixel gifs), ‘like’ buttons and social sharing tools, and device fingerprinting technologies.
- Consent for the setting of cookies must be in accordance with GDPR, Article 4(11), which requires that the ‘consent’ of the data subject be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes”.
- There are two exclusions to the requirement to obtain consent:
  - The ‘communications exemption’: cookies whose sole purpose is for carrying out the transmission of a communication over a network, for example to identify the communication endpoints.
  - The ‘strictly necessary exemption’: The exemption applies to an ‘information society service’ (i.e. a service delivered over the internet) explicitly requested by the user and the use of the cookie must be restricted to what is strictly necessary to provide that service.
- Analytics Cookies: While analytics cookies require consent, the guidance states that it is “unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC”.
- Wording in a cookie banner or notice which informs users that their consent to set cookies is assumed from their continued use of the website – through either clicking, using, or scrolling it – is not permissible. It is not possible to obtain consent to set cookies by ‘implication’. Cookie banners that disappear when a user scrolls, without any further engagement by the user, are also not permissible.
- Pre-checked boxes and sliders do not comply with European law, as has been clarified in the Planet49 judgment issued in October 2019.
- Users of the website cannot be deemed to have consented simply because they are using a browser or other application which, by default, enables the collection and processing of their information.
- If cookies are used to track the location of a device or a user, this can only be done with the user’s consent.
- Accessibility should be taken into account in relation to the design of interfaces; for example, colour schemes for cookie banners, or sliders and checkboxes that blend into the overall background of a site, may make a website harder to navigate, particularly for people with vision impairments or colour blindness.
- Third party buttons and widgets: A website operator should consider its relationship with any third party whose assets are deployed on the website. For example, where features such as ‘like’ buttons, plugins or widgets, pixel trackers or social media-sharing tools are deployed, the website operator should be aware of what data is being sent to third parties and that the website operator may be considered a controller in respect of any personal data collected and disclosed to those third parties. This position was set out by the Court of Justice of the European Union in the Fashion ID judgment in July 2019.
- The lifespan of a cookie must be proportionate to its function. The DPC does not consider it proportionate to have a session cookie with a lifespan of ‘forever’, for example.
For further information on Cookies and Tracking Technologies, check out the DPC guidance which provides direction and support in ensuring compliance. Please contact Emma at SFA on 01 605 1668 or at email@example.com for further advice.