The use of consent for cookies and tracking technologies came into sharp focus again recently after some key regulatory developments. In April, the Data Protection Commission (DPC) published a report into cookie use on Irish websites and mobile apps. It followed up with a guidance note and announced a six-month period for complying with the new laws governing cookies. In May, the European Data Protection Board (EDPB) adopted cookie consent guidelines. In this blog, we summarise the main points from these publications and highlight actions data controllers now need to take.
(A quick legal sidebar: Regulation 5 of the ePrivacy Regulations protects the confidentiality of electronic communications in Ireland. This legislation is separate to, but complements, the General Data Protection Regulation (GDPR). Organisations need to comply with both laws, but the rules under the ePrivacy legislation apply first when it comes to using browser cookies and other tracking technologies such as device fingerprinting or pixels. It doesn’t matter whether the information contains personal data.)
Cookies crumble: what the DPC found
Other issues in the report included cookie lifespan not being proportional and data controllers not honouring the consents users gave. The DPC also highlighted a point that will be familiar to anyone who browses the web. Some complex cookie consent tools or banners appeared only to offer an option to ‘accept all’. The DPC’s guidance note is a 17-page document that goes into some examples of non-compliance in more detail. (It also produced a podcast about this subject.)
Meanwhile in Europe… updated consent guidelines
The EDPB adopted an updated version of its guidelines on consent which focused on three key points:
- Access to a service provided by a data controller cannot be conditional on a user’s consent to the processing of their personal data via cookies or tracking technologies.
- A user scrolling or swiping through a website does not satisfy the criteria for clear and affirmative consent.
How to comply with cookie and tracking technologies requirements
In providing its guidance note, the DPC effectively gives data controllers time to implement measures to comply with cookie laws. After that, the DPC may take enforcement actions and launch investigations if satisfactory controls are not in place. So what do data controllers need to consider?
- They must have explicit consent for most cookies (some exemptions apply, see below).
- As a data controller, they cannot outsource cookie compliance.
- They must ensure they have taken all measures by October 5, 2020.
As initial steps, these four factors should form the basis of your compliance review:
- Involve all relevant stakeholders
- Determine what technology resources you need
- Audit all cookies and tracking methods your site or app uses
- Ensure that the focus is on transparency for the visitors to your site or app.
Cookie consent considerations
First, determine what classification your cookies fall into:
- Strictly necessary (see below)
- Analytics/marketing
- Other categories as determined.
There are two types of cookies classified as exempt, which don’t require consent. They are:
Communication exemption: a cookie whose sole purpose is to route information over a network in order to identify communication endpoints. A cookie that is instead being used to help web pages load faster, for example, will not meet this requirement.
Strictly necessary: the exemption applies to ‘information society services’ (ISS) – i.e. a service delivered over the internet, such as a website or an app. In addition, that service must have been explicitly requested by the user and the use of the cookie must be restricted to what is strictly necessary to provide that service.
Some controllers use a consent management platform or consent management provider (CMP) to help them manage users’ cookie choices. This can help them meet their transparency obligations under data protection law. However, the CMP must adhere to the requirements outlined here and does not assume responsibility for compliance; that remains with the data controller.
Data controllers also need to take accessibility into account in designing interfaces for cookie banners, sliders or checkboxes. Consider people with visual impairments or colour blindness and the type of colour schemes you need to use.
Getting consent in practice
- Consent does not need to be given for each cookie, but it must be given for each purpose for which cookies are used.
- You cannot rely on a user scrolling or swiping through your site/mobile app as an affirmative action. As an example, a banner which states that “continued browsing will be deemed acceptance of all cookies” is not compliant with the GDPR, as per the EDPB’s recent guidelines.
- A cookie’s lifespan must be proportionate to its function. It would not be considered proportionate to have a session cookie with a lifespan of ‘forever’, for example.
- Users of a site or app cannot be deemed to have consented just because they are using a browser or other application which by default enables the collection and processing of their information.
Here are some graphical examples of compliant consent tools.
Letting users withdraw or amend consent
Users must be able to withdraw consent as easily as they gave it. That means no ‘bundled’ consent for cookies with consent for other purposes, or with terms and conditions for a contract for other services the business provides.
- Any record of consent must also be backed up by demonstrable organisational and technical measures that ensure a data subject’s expression of consent (or withdrawal) can be effectively acted on.
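As an added example (not from the DPC, the EDPB or the original post), the rules in the two lists above written out as a small consent gate and Set-Cookie audit in JavaScript: consent is recorded per purpose rather than per cookie, the default state is no consent, withdrawal is the same one-step call as granting, strictly necessary cookies bypass the gate, and lifespans are checked against a ceiling. The purpose names, cookie inventory, sample headers and the 365-day ceiling are constructed assumptions, not values from the guidance.

```javascript
// Added example, not code from the original post. Inventory, headers and the
// lifespan ceiling below are constructed assumptions for illustration only.
const EXEMPT = 'strictly-necessary';   // exempt purpose: no consent needed (see above)
const ASSUMED_MAX_DAYS = 365;          // assumed ceiling; "proportionate" is a judgement
const DAY = 86400;

const COOKIE_INVENTORY = [             // constructed output of a cookie audit
  { name: 'sessionid', purpose: EXEMPT },
  { name: 'site_stats', purpose: 'analytics' },
  { name: 'ad_id', purpose: 'marketing' },
];
const PURPOSE_OF = Object.fromEntries(COOKIE_INVENTORY.map(c => [c.name, c.purpose]));

// Consent record: every purpose starts with no decision. Scrolling, browsing or
// browser defaults never change it; only an explicit grant() does.
function newConsentRecord(policyVersion) {
  return { policyVersion, decisions: {} };
}
function grant(record, purpose, at = Date.now()) {
  record.decisions[purpose] = { given: true, at };   // per purpose, not per cookie
  return record;
}
function withdraw(record, purpose, at = Date.now()) {
  record.decisions[purpose] = { given: false, at };  // same single step as granting
  return record;
}
function hasConsent(record, purpose) {
  return purpose === EXEMPT || record.decisions[purpose]?.given === true;
}

// Gate: a cookie may be set only if its purpose is exempt or explicitly consented to.
function allowedCookies(record, inventory = COOKIE_INVENTORY) {
  return inventory.filter(c => hasConsent(record, c.purpose)).map(c => c.name);
}

// Audit one Set-Cookie header: flag cookies missing from the inventory and
// non-exempt cookies whose Max-Age exceeds the ceiling (Expires is not parsed here).
function auditSetCookie(header, purposeOf = PURPOSE_OF) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const name = pair.split('=')[0];
  const purpose = purposeOf[name];
  const findings = [];
  if (!purpose) findings.push(`${name}: not in cookie inventory (unclassified)`);
  const maxAge = attrs.find(a => /^max-age=/i.test(a));
  if (maxAge && purpose && purpose !== EXEMPT) {
    const days = Math.round(parseInt(maxAge.split('=')[1], 10) / DAY);
    if (days > ASSUMED_MAX_DAYS) findings.push(`${name}: ${days}-day lifespan exceeds ${ASSUMED_MAX_DAYS}-day ceiling for ${purpose}`);
  }
  return findings;
}
```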
October 5 will be here sooner than we think. Now the national and European guidance gives data controllers the tools they need to comply with the laws on cookies. Time to act now.