Irish Data Protection Commission releases guidance on the use of cookies and other tracking technologies

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites conducted between August 2019 and December 2019 across a range of sectors. On April 15, 2020, the DPC issued an updated version of the report, which is available here.
  In addition, the DPC also issued on April 6, 2020 a new guidance on the use of cookies and other tracking technologies.
 
Key takeaways from the DPC's guidance include the following:

• The rules set out in the guidance are applicable not only to cookies but also to other tracking technologies, including local storage objects (LSOs) or ‘flash’ cookies, software development kits (SDKs), pixel trackers (or pixel gifs), ‘like’ buttons and social sharing tools, and device fingerprinting technologies. 
• The general rule is that it is necessary to get consent in order to store or set cookies, regardless of whether the cookies or other tracking technologies actually contain personal data. The ePrivacy requirements apply when any information is stored on or accessed from the user's device. Additionally, where cookies contain identifiers that may be used to target a specific individual, or where information is derived from cookies and other tracking technologies that may be used to target or profile individuals, this constitute personal data and its processing is also subject to the rules set out in the GDPR. 
• Reminder that the consent for the setting of cookies must be of the standard defined in the GDPR, Article 4(11), which requires that the ‘consent’ of the data subject be “freely given, specific, informed and unambiguous indication of the data subject’s wishes". 
• There are two exemptions to the requirement to obtain consent:
  • The 'communications exemption': cookies whose sole purpose is for carrying out the transmission of a communication over a network, for example to identify the communication endpoints.
  • The 'strictly necessary exemption': The exemption applies to an ‘information society service’ (i.e. a service delivered over the internet) explicitly requested by the user and the use of the cookie must be restricted to what is strictly necessary to provide that service. 
• Analytics cookies require consent, however the guidance states that it is "unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC". 
• Consent may not be “bundled” for multiple purposes. It is not permitted to ‘bundle’ consent for cookies with consent for other purposes, or with terms and conditions for a contract for other services. It is also not permitted to use pre-checked boxes, sliders or other tools set to ‘ON’ by default to signal a user’s consent to the setting or use of cookies. Finally, the user must be able to withdraw consent as easily as they gave it. 
• If cookies are used to store a record on the user's device that a user has given consent to the use of cookies, then the user should be asked to reaffirm their consent no longer than six months after the consent state has been stored. The DPC notes that "while the legislation does not prescribe a specific lifespan for such cookies, based on a first-principles analysis by the DPC, we consider this to be the appropriate default outer timeframe for storing the user’s consent state. A controller would need to objectively and on a case-by-case basis justify storage for a longer period." 
• No specific rule on how consent should be obtained. The guidance simply states: "Most websites choose to implement a cookie banner or pop-up, which displays when a user lands on the website and which provides the first layer of information about the use of cookies and other tracking technologies. This banner or notice will also often contain a link to a cookies policy and a privacy policy which provide further, more detailed information." 
• Wording in the cookie banner or notice which inform users that, by their continued use of the website – through either clicking, using or scrolling it - that their consent to set cookies is assumed, is not permissible. It is not possible to obtain consent by ‘implication’ to set cookies. Cookie banners that disappear when a user scrolls, without any further engagement by the user, are also not permissible. 
• Even though there may sometimes be duplication in the information provided in the cookies policy and privacy policy, it is good practice to maintain both, in order to facilitate the different layers of information required under the ePrivacy requirements and the GDPR. 
• Pre-checked boxes and sliders do not comply with European law, as has been clarified in the Planet49 judgment issued in October 2019. 
• If a third-party consent management provider (CMP) is used, the tool or software must do what it purports to do and it must not contain pre-checked boxes signaling ‘consent’ for the use of cookies. The length of time such consent is valid for is no longer than six months, after which time the user must be prompted to give their consent again. 
• Users of the website cannot be deemed to have consented simply because they are using a browser or other application which, by default, enables the collection and processing of their information. 
• If cookies are used to track the location of a device or a user, this can only be done with the user’s consent. 
• Accessibility should be taken into account in relation to the design of interfaces, for example color schemes for cookie banners or sliders and checkboxes that blend into the overall background of a site may make a website harder to navigate, particularly for people with vision impairments or color blindness. 
• A website operator should consider its relationship with any third party whose assets are deploy on the website. For example, where features such as ‘like’ buttons, plugins or widgets, pixel trackers or social media-sharing tools are deployed, the website operator should be aware of what data is being sent to third parties and that the website operator may be considered a controller in respect of any personal data collected and disclosed to those third parties. This position was set out by the Court of Justice of the European Union in the Fashion ID judgment case in July 2019. 
• The lifespan of a cookie must be proportionate to its function. The DPC does not consider it proportionate to have a session cookie with a lifespan of ‘forever’, for example. 
• There is a grace period of six months from the publication of this guidance for controllers to bring their products into compliance, after which enforcement action will commence (the date of publication of the guidance is 6 April 2020).