Takeaways

The Irish Data Protection Commission has issued new cookies and tracking Guidance and a Report following an inspection of cookie use and similar technologies across a selection of well-known websites.
Of the 38 websites surveyed, only two were found to be substantially compliant with the ePrivacy Directive and the GDPR.

Businesses that track website visitors and customers via cookies and similar techniques should note that this area is under increased scrutiny and that many previously common practices will no longer be acceptable. Regulators have signalled that changes are needed to comply and that enforcement will increase.

Hot on the heels of the UK Information Commissioner’s Office and the French CNIL, the Irish Data Protection Commission (DPC) has issued new cookies and tracking Guidance and a Report. This followed an inspection and survey of the use of cookies and similar technologies across a selection of the most well-known websites operating in a range of sectors, including the media and publishing, retail, restaurant and food delivery, insurance, sport and leisure and public sectors. The DPC also included in its review a number of websites which had come to its attention following the receipt of complaints from individuals concerning cookie use, and from the DPC’s own observations of bad practice.

In short, the Guidance echoes that already issued by other EU DPAs, including:

  • “Implied” consent (i.e., where consent to use of cookies is implied from a website visitor’s continued scrolling or clicking after having seen a cookie banner) is not valid. (Consent must meet the GDPR standard.)
  • Cookie banners must not “nudge” users into accepting cookies rather than rejecting them: an option to reject or manage cookies must be given the same prominence as the option to accept them.
  • Cookie banners which do not include a reject button are non-compliant.
  • Where checkboxes and sliders are used, these must be set to off by default (as the CJEU held in the Planet49 judgment, Case C-673/17); pre-ticked boxes do not constitute consent.
  • Consent must not be “bundled” for multiple purposes, or with terms and conditions for a contract for services provided, and must be easily withdrawable.
  • Cookie banners must link to further information on use of cookies, withdrawing consent and the third parties to which data will be transferred.

The Report Findings
The Report summarizes the DPC’s main concerns regarding cookie use, including:

  • Of the 38 websites surveyed, the majority were found to have compliance issues, and only two were found to be substantially compliant with the ePrivacy Directive.
  • Two-thirds of the websites surveyed were found to rely on “implied” consent, including for analytics and marketing cookies. At the more troubling end, some websites offered no choice at all. The inability to vary or withdraw consent was common, and there was widespread confusion as to the meaning of “necessary” and “strictly necessary” cookies (only cookies strictly necessary to provide a service the user has requested are exempt from the consent requirement).

The DPC has expressed particular concern around the use of tracking, analytics and marketing cookies by health companies, and the sharing of sensitive health data by these companies with the likes of Facebook and Google for advertising purposes. In these cases, websites may be processing special category data and sharing it with third parties without a lawful basis, which is a breach of the GDPR.

Those operating websites should note that the goalposts have moved: current practices need to be reviewed, and likely changed, to comply and to avoid the new, tougher enforcement focus and fines. Nor is this only an EU issue; many U.S. businesses whose websites are used by individuals in the EU will be caught.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.