The “Cookie Sweep”
Between August and December 2019, the DPC requested information from certain popular websites in Ireland to examine the use and deployment of cookies and tracking technologies on their websites.
The DPC’s goal was to establish how and whether organizations are complying with the current Irish cookie law rules, and whether users’ consent for non-necessary cookies or tracking technologies is being obtained as required under the General Data Protection Regulation (GDPR).
The DPC will allow a six-month period from the date of the publication of the Guidance to bring websites and mobile apps into compliance before enforcement begins.
Main Findings from the Report
Key findings of the cookie sweep include:
- Pre-checked consent boxes: Ten of the 38 controllers used pre-checked boxes to signal consent to cookies, including to marketing and analytics cookies.
- Reliance on implied consent model: Two-thirds of the organizations specifically stated that they were relying on an implied consent model to set cookies, based on the language in the cookie banners.
- Non-necessary cookies immediately set: On all but one website examined, cookies, including non-necessary cookies, were set on the landing page as soon as visitors first arrived.
- “Necessary” cookies classified incorrectly: Many organizations miscategorized the cookies deployed on their websites as “necessary” or “strictly necessary.”
- Bundling of consent for all purposes: For most organizations, users couldn’t control consent to different purposes.
According to the report, more than half of the organizations signaled either that they were aware they may not be compliant with the existing rules, or that they had identified improvements that they could make to their websites in order to demonstrate compliance.
Moving Forward with the DPC’s Guidance
There are similarities between the Guidance and other guidance produced by EU data protection authorities and, specifically, the guidance produced last summer by the UK Information Commissioner’s Office (ICO). However, there are certain areas where the DPC is taking quite a unique stance.
Key takeaways from the DPC’s new cookie guidance include:
- Analytics cookies require consent. Analytics cookies, targeting cookies, and marketing cookies require users’ prior consent. However, first-party analytics cookies are considered potentially low risk and therefore are unlikely to be a priority for any formal enforcement action by the DPC.
- Pre-checked boxes are non-compliant. Generally consistent with other European guidance, organizations must ensure that no non-necessary cookies and similar technologies, pixel trackers, or social sharing buttons are set on the landing page of their site or app.
- Implied consent is unacceptable. An implied consent approach is no longer deemed compliant; according to the report, two-thirds of the controllers relied on this approach.
- Guidelines for implementing a cookie banner:
  - Provide equal prominence to the “accept” and “reject” buttons, or to an option which brings users to the second layer of information and allows them to manage their cookie settings.
  - Enable users to change their cookie preferences at any time.
Organizations have a six-month window to come into compliance with the DPC’s new cookie guidance; after that period, the DPC may take action to enforce the guidance.