New Guidance on Cookies and Tracking Technologies

Hoping everyone is safe and well in these challenging times.

With just over two weeks to go before the Data Protection Commission (DPC) begins enforcing its new guidance on web cookie compliance, we are reminding members to familiarise themselves with the guidance and to speak to their website provider for more information and to identify issues of non-compliance.

In April, the DPC gave businesses operating websites and apps six months to bring their policies and practices in line with this new advice on cookie management. Businesses now have until 5th October 2020 to voluntarily remedy any identified issues and to ensure compliance to avoid facing financial penalties.

Main points from the DPC’s guidance include the following:

  • The rules set out in the guidance are applicable not only to cookies but also to other tracking technologies, including local storage objects (LSOs) or ‘flash’ cookies, software development kits (SDKs), pixel trackers (or pixel gifs), ‘like’ buttons and social sharing tools, and device fingerprinting technologies.
  • The use of cookies requires consent that is valid under the General Data Protection Regulation (GDPR), regardless of whether the cookies or other tracking technologies contain personal data. These ePrivacy requirements apply whenever any information is stored on or accessed from the user’s device. Additionally, where cookies contain identifiers that may be used to target a specific individual, or where information derived from cookies and other tracking technologies may be used to target or profile individuals, this constitutes personal data and its processing is also subject to the rules set out in the GDPR.
  • The consent for the setting of cookies must be in accordance with GDPR, Article 4(11), which requires that the ‘consent’ of the data subject be “freely given, specific, informed and unambiguous indication of the data subject’s wishes”.
  • There are two exclusions to the requirement to obtain consent:
      - The ‘communications exemption’: cookies whose sole purpose is to carry out the transmission of a communication over a network, for example to identify the communication endpoints.
      - The ‘strictly necessary exemption’: cookies needed to provide an ‘information society service’ (i.e. a service delivered over the internet) that the user has explicitly requested; the use of the cookie must be restricted to what is strictly necessary to provide that service.

  • Analytics Cookies: While analytics cookies require consent, the guidance states that it is “unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC”.
  • Consent may not be “bundled” for multiple purposes. It is not permitted to ‘bundle’ consent for cookies with consent for other purposes, or with terms and conditions for a contract for other services. It is also not permitted to use pre-checked boxes, sliders or other tools set to ‘ON’ by default to signal a user’s consent to the setting or use of cookies. Finally, the user must be able to withdraw consent as easily as they gave it.
  • If cookies are used to store a record on the user’s device that the user has given consent to the use of cookies, then the user should be asked to reaffirm their consent no later than six months after the consent state was stored. The DPC notes that “while the legislation does not prescribe a specific lifespan for such cookies, based on a first-principles analysis by the DPC, we consider this to be the appropriate default outer timeframe for storing the user’s consent state. A controller would need to objectively and, on a case-by-case basis, justify storage for a longer period.”
  • There is no specific rule on how consent should be obtained. The guidance simply states: “Most websites choose to implement a cookie banner or pop-up, which displays when a user lands on the website and which provides the first layer of information about the use of cookies and other tracking technologies. This banner or notice will also often contain a link to a cookies policy and a privacy policy which provide further, more detailed information.”
  • Wording in a cookie banner or notice which informs users that their consent to set cookies is assumed from their continued use of the website (by clicking, using or scrolling it) is not permissible. Consent to set cookies cannot be obtained by ‘implication’. Cookie banners that disappear when a user scrolls, without any further engagement by the user, are also not permissible.
  • Even though there may sometimes be duplication in the information provided in the cookies policy and privacy policy, it is good practice to maintain both, in order to facilitate the different layers of information required under the ePrivacy requirements and the GDPR.
  • Pre-checked boxes and sliders do not comply with European law, as has been clarified in the Planet49 judgment issued in October 2019.
  • Consent Management Provider (CMP): If a third-party CMP is used, the tool or software must do what it purports to do, and it must not contain pre-checked boxes signalling ‘consent’ for the use of cookies. Such consent is valid for no longer than six months, after which the user must be prompted to give their consent again.
  • Users of the website cannot be deemed to have consented simply because they are using a browser or other application which, by default, enables the collection and processing of their information.
  • If cookies are used to track the location of a device or a user, this can only be done with the user’s consent.
  • Accessibility should be taken into account in relation to the design of interfaces, for example colour schemes for cookie banners or sliders and checkboxes that blend into the overall background of a site may make a website harder to navigate, particularly for people with vision impairments or colour blindness.
  • Third-party buttons and widgets: A website operator should consider its relationship with any third party whose assets are deployed on the website. For example, where features such as ‘like’ buttons, plugins or widgets, pixel trackers or social media sharing tools are deployed, the website operator should be aware of what data is being sent to third parties, and that the website operator may be considered a controller in respect of any personal data collected and disclosed to those third parties. This position was set out by the Court of Justice of the European Union in the Fashion ID judgment of July 2019.
  • The lifespan of a cookie must be proportionate to its function. The DPC does not consider it proportionate to have a session cookie with a lifespan of ‘forever’, for example.
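The points above on defaults set to ‘OFF’, withdrawal being as easy as giving consent, the six-month outer limit on a stored consent state, and cookie lifespans proportionate to their function can be checked in the code that records consent. The following is an added example written for this notice, not code from the DPC guidance or from any CMP product: a small consent-state helper with every non-essential purpose defaulting to false, a consent cookie whose Max-Age is capped at roughly six months, a check that forces the banner to be shown again once that period has passed, and a one-line withdrawal. The cookie name `cookie_consent`, the purpose names `analytics` and `marketing`, and the 182-day figure used for “six months” are assumptions for the example.

```javascript
// Added example: consent-state helper applying the DPC cookie guidance points.
// Cookie name, purpose names and the 182-day bound are assumptions.

// Roughly six months: the DPC's default outer timeframe for a stored consent state.
const SIX_MONTHS_SECONDS = 182 * 24 * 60 * 60;

// Every non-essential purpose is OFF until the user explicitly turns it on
// (no pre-checked boxes or sliders set to 'ON' by default).
function defaultConsent() {
  return { analytics: false, marketing: false };
}

// Build the Set-Cookie value that records the user's explicit choices.
// Strictly necessary cookies are deliberately not listed: they need no consent.
function buildConsentCookie(choices, nowSeconds) {
  const record = { v: 1, ...defaultConsent(), ...choices, ts: nowSeconds };
  const value = encodeURIComponent(JSON.stringify(record));
  // Max-Age bounds the cookie's lifespan to the six-month outer limit.
  return `cookie_consent=${value}; Max-Age=${SIX_MONTHS_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Parse the stored record from a Cookie header; null if absent or malformed.
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    return typeof rec.ts === "number" ? rec : null;
  } catch {
    return null;
  }
}

// The banner must be shown again when there is no valid record or the record
// is six months old or more, even if the browser kept the cookie longer.
function needsReaffirmation(cookieHeader, nowSeconds) {
  const rec = parseConsentCookie(cookieHeader);
  if (!rec) return true;
  return nowSeconds - rec.ts >= SIX_MONTHS_SECONDS;
}

// Gate a non-essential purpose (e.g. loading an analytics script) on a
// current, explicit opt-in; anything not recorded as true stays off.
function mayUse(purpose, cookieHeader, nowSeconds) {
  if (needsReaffirmation(cookieHeader, nowSeconds)) return false;
  return parseConsentCookie(cookieHeader)[purpose] === true;
}

// Withdrawal is as easy as consenting: one Set-Cookie that expires the record.
function withdrawConsentCookie() {
  return "cookie_consent=; Max-Age=0; Path=/; SameSite=Lax; Secure";
}

// Usage (constructed timestamps): record an analytics-only opt-in and gate on it.
const now = Math.floor(Date.now() / 1000);
const setCookie = buildConsentCookie({ analytics: true }, now);
const requestCookie = setCookie.split(";")[0]; // what the browser sends back
console.log(mayUse("analytics", requestCookie, now));   // true
console.log(mayUse("marketing", requestCookie, now));   // false
console.log(needsReaffirmation(requestCookie, now + SIX_MONTHS_SECONDS)); // true
```

The server-side age check in `needsReaffirmation` matters because `Max-Age` is only a request to the browser; the stored timestamp is what lets the site enforce the six-month limit itself and show the banner again on time.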

For further information on Cookies and Tracking Technologies, check out the DPC guidance which provides direction and support in ensuring compliance. Please contact Emma at SFA on 01 605 1668 or at for further advice.