On April 6, 2020, the Irish Data Protection Commission (DPC) released a report explaining the findings following a cookie sweep of websites across a range of industries. With the release of this report came a list of guidance notes for companies to follow when using cookies and other tracking technologies.
In this post, we’re going over the report findings and how they directly impact you and the way your business is currently tracking cookies.
The Cookie Sweep
Between August and December of 2019, the DPC ran what is known as a Cookie Sweep. It sent a questionnaire to 40 organizations in Ireland across a wide range of industries to examine how they’re currently using cookies and tracking technologies.
The DPC’s goal?
It was to examine how cookies and other tracking technologies are being used across organizations. In addition, the DPC wanted to determine whether organizations are maintaining compliance under current Irish cookie laws such as the EU ePrivacy Directive and GDPR.
The Cookie Sweep Findings
The DPC emphasized this sweep wasn’t a direct shot at the ad tech industry. But the findings showed organizations are either confused about current legislation or are outright ignoring it.
Key findings included:
- Almost all of the websites examined had cookies set immediately on their landing pages. In many cases, this meant unnecessary cookies.
- 26% of the organizations presented pre-checked boxes to signal consent for cookies.
- Many respondents miscategorized cookies deployed on their websites as “necessary.”
- Most of the organizations bundled consent (e.g. users were unable to pick and choose for which purposes cookies were being used.)
- And lastly, most of the websites didn’t offer tools for users to withdraw cookie choices at a later stage.
40% of the organizations that responded to the questionnaire signaled they were aware they may not be complying with existing regulations or knew their website needed improvements in order to comply.
New Cookie Guidance: Your Top 7 Questions Answered.
Clearly, based on these results, something has to give. Companies are taking major risks by ignoring compliance with existing EU privacy regulations. So without reading the entire cookie guidance page, what does your company need to know?
Here are your top 7 questions answered.
Q: What is a cookie?
A: A cookie is a tool that can give organizations helpful insight into their users’ activity on their sites and help provide the best user experiences. Cookies are pieces of data, typically stored in text files. Websites place these pieces of data on users’ computers to store a variety of information specific to the device they’re accessing the site from, such as the browser or mobile phone. Read up on everything you need to know about cookies here.
Q: What is considered a “non-necessary” cookie and can my organization deploy it?
A: A non-necessary cookie includes:
- Local storage objects or flash cookies
- Software development kits
- Pixel trackers
- Like buttons and other social sharing tools
- Fingerprint device technologies
These can’t be placed on your landing pages or site apps.
Q: Do I need to collect user consent, and if so, what’s required to do so?
A: Yes, you need to collect user consent. Using a cookie banner is acceptable provided that:
- The cookie banner or popup provides both an accept and reject button or provides a second layer option in which the user can manage his or her cookie settings.
- The second layer of information must provide detailed information about the purpose of cookie collection and the third parties that will process any information collected when those cookies are deployed. The second layer must also provide users with the option to accept or reject cookies by type and purpose via checkboxes that aren’t pre-checked as if consent has already been given.
Q: Do I need to provide users the ability to change their cookie preferences?
A: Yes. You need to provide either a cookie button or radio button on your website that reveals sliders or on/off consent options.
Q: How long does user consent last?
A: Cookies should have a lifespan of six months. Similar to the CNIL in France, the DPC requires renewing user consent after 6 months of appropriation.
Q: Are all cookies judged equally under DPC?
A: No. Analytics cookies, targeting cookies, and marketing cookies require user consent and are prioritized under DPC. However, first-party analytics cookies are considered potentially low risk and are unlikely to have formal enforcement.
Q: How should organizations handle third parties using cookies?
A: Organizations are responsible for examining the role of their third-party vendors using cookies on their website or app. Specifically, they must be aware of the possible joint data controller issues bubbling up from the use of third-party assets and plugins. Where required, businesses should put into place data processing agreements with their vendors which must reflect the actual facts regarding data processing.
Conclusion: Cookie Compliance Is Required
The DPC guidelines make it pretty clear that organizations are required to comply with the current cookie law regulations. It provided a six-month window before companies will face enforcement for noncompliance, giving organizations only a few more months to prepare.
Luckily, compliance isn’t as hard as you might think thanks to tools such as OneTrust’s Cookies and Website scanning tools. Managing compliance and scanning, identifying, and sorting website behavior trackers (including cookies) has never been easier. Give it a try for free today.