The Data Protection Commission Cookie Sweep: The law in Practice
In August 2019, the Data Protection Commission (DPC) re-embarked on a cookie sweep to assess the general lay of the land across the jurisdiction. This involved an examination of a series of websites across a broad range of sectors, such as Media, Retail, Insurance and a selection of public bodies. A key focal point here was a series of organisations who had already been reported to the DPC due to a lack of compliance in this space.
The report, published in April 2020, revealed what many already knew to be the case: organisations and businesses offering goods and services in Ireland have a dreadful sweet tooth and aren’t overly fond of letting data subjects block their access to the cookie jar.
The DPC provided exceptionally clear guidance on this topic and, in conjunction with a lengthy grace period of 6 months from the date of the published report and guidance for data controllers to bring their websites and mobile apps into compliance, there are no excuses after the DPC-mandated deadline of October 5th 2020, when strict enforcement is set to begin.
The Law in Practice
Of the 38 websites surveyed in the sweep, two-thirds of organisations were found to go straight for the jar without asking for any form of permission. Cookies were deployed on the end-user’s hardware prior to any interaction with the corresponding pop-up, regardless of the pop-up’s level of compliance in terms of the choice offered. Now, it is worth mentioning at this point that getting your organisation’s cookie consent right is, by no means, an easy task. There are just so many variables to consider here: what information does your business wish to obtain? What information do you actually require? Have you got the ability/capacity to run this entirely in-house? How do you set about informing the end-user? How long should cookies be left active? The list goes on. Compounding this is the fact that, despite the legislation coming into force over a decade ago, it’s only in the last 8 months that we’ve seen some landmark enforcement around its interplay with the GDPR (and the clarification that came with that).
For many years, organisations were under the impression that you could simply deploy cookies on the fly and, provided you gave website visitors an adequate heads-up that the technology would be deployed should they continue scrolling, you were good to go. This left us with the well-known string of pop-up banners we have all come to love and now simply recognise as a hallmark of the internet. Often the responsibility was (and still is to this day…) placed on the individual user to manipulate their browser settings in such a way as to either accept or deny cookies. The main problem with this is that most browser settings lack the granularity of choice to differentiate between different categories of cookies/trackers, thus falling afoul of Art. 4. Within the ePrivacy space, and more specifically with regard to tracking technologies, the GDPR’s standard of consent is now king and has been ruling, uncontested, over its domain ever since the Planet49 case came to a head in October 2019.
But wait, there are exemptions to consent, right? We “need” to drop certain cookies every now and then just to make our websites work and facilitate our visitors’ needs, right? Well… sort of. The DPC flagged that there was a general misconception around what constitutes a “strictly necessary” cookie/tracker. The legislation itself reads as follows: the requirement to obtain consent to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user…
“does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”.
The initial text denotes the use of load-balancing cookies and those used to ensure security. Without such technologies, the site will not operate as expected and may leave visitors or site owners vulnerable. The latter half of the text is more ambiguous but the keywords here are “explicitly requested”. So while it is perfectly acceptable for an online retailer to drop session cookies to handle shopping cart requirements without consent (as their potential customer clearly requires this to avail of the service offered), automatically dropping a persistent tracking cookie for analytical purposes will not fit the bill. The exemption essentially requires a two-step-test:
- The data subject has explicitly requested a service; and
- The cookies/trackers being deployed amount to the bare minimum required to facilitate that request.
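As an added illustration of that two-step test (this is not code from the DPC report or from this article), the following Python snippet takes the Set-Cookie headers observed on a first page load, before any interaction with the banner, and flags every cookie that is not on a site-specific allowlist of strictly necessary cookies. The sample headers and the allowlist are constructed for the example; the allowlist is the part each controller must justify against the exemption.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers captured from a first page load,
# before the visitor has touched the consent pop-up.
PRE_CONSENT_SET_COOKIE = [
    "cart_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "lb_node=web2; Path=/; Secure",
    "_analytics_id=7f3a; Max-Age=63072000; Path=/; Secure",
    "ad_pref=ret; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
]

# Hypothetical allowlist: cookies this site can justify as strictly
# necessary for the service the visitor explicitly requested
# (shopping-cart session) or for transmission/security (load balancing).
STRICTLY_NECESSARY = {"cart_session", "lb_node"}


def classify(header):
    """Return (cookie name, is_persistent) for one Set-Cookie header.

    A cookie carrying Max-Age or Expires survives the browser session;
    a cookie without either is a session cookie.
    """
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    persistent = bool(morsel["max-age"] or morsel["expires"])
    return name, persistent


def audit(headers, allowlist):
    """List cookies set before consent that fall outside the allowlist.

    Anything reported here needs prior consent under the GDPR standard,
    because it fails the first limb of the test (not strictly necessary
    for a service the user explicitly requested). The persistence flag
    is included because persistent analytics/advertising cookies are the
    typical offenders.
    """
    findings = []
    for header in headers:
        name, persistent = classify(header)
        if name in allowlist:
            continue
        findings.append({"cookie": name, "persistent": persistent})
    return findings


if __name__ == "__main__":
    for finding in audit(PRE_CONSENT_SET_COOKIE, STRICTLY_NECESSARY):
        print(f"set before consent: {finding['cookie']} "
              f"(persistent={finding['persistent']})")
```

Run against real responses, the same check belongs in a pre-release test so that a new analytics or advertising tag cannot start setting cookies ahead of the banner unnoticed.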