Irish DPC: New guidance on cookies and similar technologies
29 April 2020
The report and guidance (announced here) set out the views of the DPC, lead supervisory authority to some of the biggest multinational tech corporations based in Dublin such as Facebook, Google and Apple, on the impact of the General Data Protection Regulation (GDPR) on the cookie rules contained in the Privacy and Electronic Communications Regulations (PECR).
Similar guidance has recently been issued by other European regulators, including the ICO, the CNIL (available here in French) and most recently the Belgian Data Protection Regulator (available here in French and Dutch). However, unlike those other regulators, the DPC has accompanied its guidance with scrutiny of 38 organisations’ practices, perhaps giving some indication that the DPC intends to take a more active stance when it comes to enforcing non-compliance with cookie rules.
- Implied consent and pre-checked boxes are not permitted – Inferring consent from a user continuing to navigate a site and/or using pre-checked boxes (see the decision in Planet 49) or sliders does not constitute freely given, specific, informed and unambiguous consent to the setting of cookies (as required under the GDPR). This is perhaps not surprising, but it does contrast with the position from the Spanish DPA which indicates that users may give their consent by scrolling or clicking a link.
- Implementation of consent management platforms (CMP) should be effective – The use of a CMP will not in itself ensure compliance. Controllers need to ensure these tools work in the manner intended and the buttons on the user interface are clear and do what they purport to do. In particular:
  - a clear cookie consent button is needed, and on/off settings need to take into account accessibility and avoid binary red/green choices which may be unclear and detrimental to colour blind users;
  - where sliders are set by default to ‘on’ and the user’s choice to turn these cookies off is not respected, the DPC has explicitly said this will be a priority for enforcement.
- Overreliance on the ‘necessary’ exemption – The DPC found that controllers had a poor understanding of the ‘necessary’ or ‘strictly necessary’ exemption. The DPC stressed that the exemption is extremely narrow and can only apply to a service that has been explicitly requested.
- Analytics cookies are not exempt – Consent is required for analytics cookies but, taking a similar approach to the UK ICO, the DPC says first party analytics cookies are considered potentially low risk and are therefore unlikely to be a priority for any formal action.
- Cookie consents should be refreshed every 6 months – Consent for cookies should be limited to a timespan of 6 months, after which time consent should be refreshed.
- Analysis of joint controller status is required – Controllers should take into account the implications of the July 2019 Fashion ID judgement of the Court of Justice of the European Union, in relation to possible joint controllership issues in respect of data collected by third-party plugins and social ‘like’ buttons.
- Bundling consent is not permitted – Consent isn’t needed for each individual cookie, but opt-in consent must be obtained for each purpose for which the cookies are set. Taking an ‘all or nothing’ approach and offering a binary choice to accept or reject all cookies does not achieve compliance. Further, pre-ticked boxes, sliders or other similar tools (including tools within a preference centre) that automatically set non-essential cookies to “on” by default also do not achieve compliance.
- Cookie walls – The DPC’s view is that users should not suffer any detriment (i.e. blocking access to a website) on the basis that they have not consented to cookies, other than to the degree certain website functionality is impacted. This is a stricter approach than that adopted by other regulators, including the ICO, which says that this approach is unlikely to constitute consent but notes that data protection rights are not absolute and must be balanced against other rights, including freedom of expression and freedom to conduct a business. On the other side of the fence, the Spanish DPA permits cookie walls, provided that the user is informed that they won’t be able to access the site and the user is not prevented from exercising a legal right.
- Processing sensitive personal data requires explicit consent – There is a risk that some cookies involve the processing of special category data based on inferences drawn from the nature of the site that a user has visited (e.g. a health insurer’s website). The use of this data may only take place with the user’s explicit consent.
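The following is an added illustration, not code from the DPC report or from any CMP vendor, of how a site-side consent record can encode the rules summarised in the list above: every non-essential purpose starts off, each purpose is opted into separately rather than bundled, a user turning a purpose off is honoured, and consent older than six months is treated as stale and not relied upon. The purpose names and the 180-day approximation of "6 months" are assumptions.

```javascript
// Added example (not from the DPC report): a minimal per-purpose consent record.
// "6 months" is approximated as 180 days; adjust to your own retention policy.
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;

// Purposes for which cookies may be set (assumed names). Only the strictly
// necessary purpose is exempt from consent, per the narrow exemption the DPC describes.
const PURPOSES = ["strictly_necessary", "analytics", "advertising", "social_plugins"];
const EXEMPT_PURPOSE = "strictly_necessary";

// A fresh record: every non-essential purpose is OFF. No pre-ticked boxes,
// no default-on sliders, and nothing is inferred from scrolling or navigating.
function newConsentRecord(now = Date.now()) {
  const choices = {};
  for (const p of PURPOSES) choices[p] = p === EXEMPT_PURPOSE;
  return { choices, recordedAt: now };
}

// Record an explicit per-purpose choice. Turning a purpose OFF is honoured
// exactly like turning it ON; there is no "accept all or nothing" path here.
function recordChoice(record, purpose, granted, now = Date.now()) {
  if (!PURPOSES.includes(purpose) || purpose === EXEMPT_PURPOSE) {
    throw new RangeError(`"${purpose}" is not a consentable purpose`);
  }
  return {
    choices: { ...record.choices, [purpose]: granted === true },
    recordedAt: now, // refreshing any choice restarts the six-month clock
  };
}

// Consent is only usable while it is younger than the refresh window.
function isConsentCurrent(record, now = Date.now()) {
  return now - record.recordedAt < CONSENT_MAX_AGE_MS;
}

// The gate a script should pass before writing a cookie for a given purpose.
// Stale consent returns false: the site should re-prompt rather than rely on it.
function mayStoreCookie(record, purpose, now = Date.now()) {
  if (purpose === EXEMPT_PURPOSE) return true;
  if (!isConsentCurrent(record, now)) return false;
  return record.choices[purpose] === true;
}
```

A real deployment would persist the record (typically in a cookie that is itself strictly necessary) and re-run `isConsentCurrent` on each visit so that expired consent triggers a fresh prompt instead of silently continuing.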
The report highlights deficiencies in compliance by some of Europe’s most high-profile companies (we assume). The DPC has taken the opportunity to restate its enforcement powers, although interestingly there is an emphasis on investigation as opposed to fines. The DPC has allowed a six month time period for controllers to comply with the new guidance, after which they say action will be taken. Six months is a relatively short time period, and website and app operators should undertake a cookie audit and take swift action to fall into line.
The DPC is also carrying out separate enquiries into the ad-tech sector, so we expect guidance on this to be issued soon. For the ICO’s recent commentary on this topic please see our article here.