The use of consent for cookies and tracking technologies came into sharp focus again recently after some key regulatory developments. In April, the Data Protection Commission (DPC) published a report into cookie use on Irish websites and mobile apps. It followed up with a guidance note and announced a six-month period for bringing cookie use into line with the law. In May, the European Data Protection Board (EDPB) adopted updated consent guidelines that address cookies directly. In this blog, we summarise the main points from these publications and highlight the actions data controllers now need to take.

(A quick legal sidebar: Regulation 5 of the ePrivacy Regulations protects the confidentiality of electronic communications in Ireland. This legislation is separate from, but complements, the General Data Protection Regulation (GDPR). Organisations need to comply with both laws, but the ePrivacy rules are the ones that apply first when it comes to storing or accessing information on a user's device, whether through browser cookies or other tracking technologies such as device fingerprinting or pixels. They apply regardless of whether the information stored or accessed is personal data.)

Cookies crumble: what the DPC found

Last year, the DPC examined 40 data controllers' websites or apps for their use of cookies and similar technologies. The review covered sectors like media, retail, restaurants and food ordering, insurance, sport and leisure, and the public sector. The report found compliance issues with almost all of the sites or mobile apps it reviewed. These included:

  • setting cookies as soon as a user arrives on the site or app, before any consent is given;
  • use of pre-ticked boxes in the consent banner;
  • misinterpretation of what counts as a 'necessary' cookie (the category that may be exempt from the consent requirement);
  • third-party tracking technology not being covered by the cookie consent at all;
  • confusion around whether a user's browser settings amount to implied consent.

Other issues in the report included cookie lifespans that were not proportionate to their purpose, and data controllers not honouring the choices users had made. The DPC also highlighted a point that will be familiar to anyone who browses the web: some complex cookie consent tools or banners appeared to offer only an 'accept all' option. The DPC's guidance note is a 17-page document that works through examples of non-compliance in more detail. (It also produced a podcast about this subject.)

Meanwhile in Europe… updated consent guidelines

The EDPB adopted an updated version of its guidelines on consent, which focus on three key points:

  • Access to a service provided by a data controller cannot be made conditional on the user consenting to the processing of their personal data via cookies or tracking technologies.
  • Cookie walls (where users can't access a site or mobile app unless they consent to the use of cookies) are not compliant with the GDPR.
  • A user scrolling or swiping through a website does not satisfy the criteria for clear and affirmative consent.

How to comply with cookie and tracking technologies requirements

In providing its guidance note, the DPC has effectively given data controllers time to implement measures that comply with cookie law. After that period, the DPC may take enforcement action and launch investigations where satisfactory controls are not in place. So what do data controllers need to consider?

  • They must have explicit consent for most cookies (some exemptions apply, see below).
  • As the data controller, they cannot outsource responsibility for cookie compliance.
  • They must have all measures in place by October 5, 2020.

As initial steps, these four factors should form the basis of your compliance review:

  • Involve all relevant stakeholders
  • Determine what technology resources you need
  • Audit all cookies and tracking methods your site or app uses
  • Ensure that the focus is on transparency for the visitors to your site or app.

Cookie consent considerations

First, determine what classification your cookies fall into:

  • Strictly necessary (see below)
  • Analytics/ marketing
  • Functional
  • Other categories as determined.

Two types of cookie are classified as exempt and don't require consent:

Communication exemption: a cookie whose sole purpose is to carry out the transmission of a communication over a network, for example to identify the communication endpoints. The test is strict: a cookie that merely helps web pages load faster does not qualify.

Strictly necessary: the exemption applies to 'information society services' (ISS), i.e. a service delivered over the internet such as a website or an app. The service must have been explicitly requested by the user, and the use of the cookie must be restricted to what is strictly necessary to provide that service. A cookie that holds a user's shopping basket or login session during a visit they requested is the typical case; an analytics or advertising cookie on the same page is not.

Some controllers use a consent management platform or consent management provider (CMP) to help them manage users' cookie choices. This can help them meet their transparency obligations under data protection law. However, the CMP must itself adhere to the requirements outlined here, and using one does not transfer responsibility for compliance; that remains with the data controller.

Data controllers also need to take accessibility into account in designing interfaces for cookie banners, sliders or checkboxes. Consider people with visual impairments or colour blindness and the type of colour schemes you need to use.

Getting consent in practice

Data controllers can't "bundle" consent for multiple purposes. They should state in a first layer of communication that they are requesting consent to use cookies for specific purposes. They may then use a second layer of information to give more detail about the types of cookies or other tracking technologies in use. At that point they can give the user the option to opt in to each purpose, with nothing switched on by default.

  • Consent does not need to be given for each individual cookie, but it must be given for each purpose for which cookies are used.
  • You are not allowed to use pre-checked boxes, sliders or other controls set to 'ON' by default to signal a user's consent to the setting or use of cookies. These do not comply with European law.
  • You cannot rely on a user scrolling or swiping through your site or mobile app as an affirmative action. For example, a banner stating that "continued browsing will be deemed acceptance of all cookies" is not compliant with the GDPR, as per the EDPB's recent guidelines.
  • A cookie's lifespan must be proportionate to its function. A session cookie with a lifespan of 'forever' would not be considered proportionate, for example.
  • Users of a site or app cannot be deemed to have consented just because they are using a browser or other application which, by default, enables the collection and processing of their information.
  • If your organisation will process any special category data derived from the use of cookies or other tracking technologies, you will require the explicit consent of the individuals whose data you are processing.
  • You must not use cookies or other technologies to track the location of a user or a device without that user's consent.

Here are some graphical examples of compliant consent tools.

[Images: three example consent banners (Cookies 1, Cookies 2 and Cookies 3), not reproduced here.]

Letting users withdraw or amend consent

Users must be able to withdraw consent as easily as they gave it. It also follows that consent for cookies must not be 'bundled' with consent for other purposes, or with the terms and conditions of a contract for other services the business provides.

  • You should provide information about how users can signify, and later withdraw, their consent to the use of cookies.
  • If you use a cookie to store a record that a user has given consent to the use of cookies, you should ask the user to reaffirm their consent no later than six months after you stored that consent state. As a practical solution, consider an easy tool such as a set of controls on your website that lets users choose which categories of cookies are set and vary their consent at any time.
  • Any record of consent must be backed up by demonstrable organisational and technical measures that ensure a data subject's expression of consent (or withdrawal) is actually acted on.
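What the two sections above ("Getting consent in practice" and "Letting users withdraw or amend consent") ask for can be pinned down in code. The following is an added example written for this post, not code from the DPC, the EDPB or any CMP vendor. It keeps a per-purpose consent record (nothing switched on by default), stores it in a single consent cookie whose Max-Age matches the six-month reaffirmation window, gates third-party tags on the purpose the user actually accepted, and, on withdrawal, emits the Set-Cookie headers that expire cookies whose purpose is no longer consented. The purpose names, the `cookie_consent` cookie name and the tag list are assumptions for illustration only; it is written as plain functions so it runs under Node without a browser.

```javascript
// Added example (not from the original post): purpose-level cookie consent with
// no default-ON choices, a six-month reaffirmation window, per-purpose tag gating
// and withdrawal that is acted on. Purpose names, cookie name and tags are assumed.

const PURPOSES = ["functional", "analytics", "marketing"]; // assumed purposes
const CONSENT_COOKIE = "cookie_consent";                    // assumed cookie name
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;
const SIX_MONTHS_S = SIX_MONTHS_MS / 1000;

// Every non-essential purpose starts OFF: nothing is pre-ticked or defaulted to ON.
function defaultConsent(now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = false;
  return { version: 1, purposes, grantedAt: now };
}

// Record an explicit per-purpose choice. Only boolean values for known purposes
// are accepted, so a missing or malformed key can never become "accepted".
function recordChoice(consent, choices, now = Date.now()) {
  const purposes = { ...consent.purposes };
  for (const p of PURPOSES) {
    if (typeof choices[p] === "boolean") purposes[p] = choices[p];
  }
  return { version: consent.version, purposes, grantedAt: now };
}

// Withdrawal is as easy as granting: one action resets every purpose to OFF.
function withdrawAll(consent, now = Date.now()) {
  return defaultConsent(now);
}

// A consent record stored six months ago or more must be re-asked, not assumed.
function needsReaffirmation(consent, now = Date.now()) {
  return now - consent.grantedAt >= SIX_MONTHS_MS;
}

// Set-Cookie header for the consent record itself. Its Max-Age equals the
// reaffirmation window, so a stale record cannot outlive it in the browser.
function consentSetCookie(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${SIX_MONTHS_S}; Path=/; Secure; SameSite=Lax`;
}

// Read the record back from a request Cookie header. Anything missing or
// malformed yields the default (all OFF) record, never an "accepted" one.
function parseConsentCookie(cookieHeader, now = Date.now()) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      if (parsed && parsed.version === 1 && typeof parsed.grantedAt === "number") {
        return recordChoice(defaultConsent(parsed.grantedAt), parsed.purposes || {}, parsed.grantedAt);
      }
    } catch (e) {
      // fall through: an unreadable record is treated as no consent
    }
  }
  return defaultConsent(now);
}

// Tags are gated per purpose: "necessary" needs no consent; anything else loads
// only if its purpose was explicitly switched ON.
function allowedTags(consent, tags) {
  return tags
    .filter((t) => t.purpose === "necessary" || consent.purposes[t.purpose] === true)
    .map((t) => t.name);
}

// Acting on withdrawal: expire every existing cookie whose purpose is no longer consented.
function expiryHeaders(consent, existingCookies) {
  return existingCookies
    .filter((c) => c.purpose !== "necessary" && consent.purposes[c.purpose] !== true)
    .map((c) => `${c.name}=; Max-Age=0; Path=/`);
}

// Constructed sample tags (not real vendors): walk through grant, gating and withdrawal.
const SAMPLE_TAGS = [
  { name: "session_id", purpose: "necessary" },
  { name: "analytics_js", purpose: "analytics" },
  { name: "ads_pixel", purpose: "marketing" },
];

function demo() {
  const t0 = Date.UTC(2020, 9, 5); // 5 October 2020, the deadline mentioned in the post
  const consent = recordChoice(defaultConsent(t0), { analytics: true }, t0);
  const header = consentSetCookie(consent);
  // Simulate the browser sending the cookie back alongside an unrelated one.
  const roundTrip = parseConsentCookie(`theme=dark; ${header.split(";")[0]}`, t0);
  const afterGrant = allowedTags(roundTrip, SAMPLE_TAGS);
  const withdrawn = withdrawAll(roundTrip, t0 + 1000);
  const afterWithdraw = allowedTags(withdrawn, SAMPLE_TAGS);
  const expire = expiryHeaders(withdrawn, [
    { name: "_ga", purpose: "analytics" },
    { name: "session_id", purpose: "necessary" },
  ]);
  const stale = needsReaffirmation(roundTrip, t0 + SIX_MONTHS_MS);
  return { afterGrant, afterWithdraw, expire, stale };
}
```

The design choice worth noting is that every failure path (no cookie, tampered cookie, unknown purpose, a non-boolean "choice") collapses to the all-OFF record; the only way for a purpose to become true is an explicit boolean from the user. The six-month figure is the reaffirmation window from the DPC guidance, applied both to the stored timestamp and to the cookie's own Max-Age so the two cannot drift apart.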

October 5 will be here sooner than we think. The national and European guidance now gives data controllers the tools they need to comply with the laws on cookies. The time to act is now.
