Data Protection Commission (DPC) wanted to examine compliance with Regulation 5 of the ePrivacy Regulations
The Regulations protect privacy in electronic communications
Sweep sought to examine how controllers obtained the consent of users for the deployment of Cookies
Standard consent under GDPR must be 'freely given, specific, informed, unambiguous'
Controllers and Participants were chosen across a range of sectors and based on the popularity of their websites
What is the Law?
Regulation 5(3) of the ePrivacy Regulations (SI No. 336/2011)
A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless:
The subscriber or user has given his or her consent to that use, and
The subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which: is both prominently displayed and easily accessible, and includes, without limitation, the purposes of the processing of the information.
Are there any Exemptions?
The 'communication' exemption: Cookies whose sole purpose is for carrying out the transmission of a communication over a network. For example, a load-balancing cookie used to distribute network traffic across different servers.
The 'strictly necessary' exemption: Applies to a service delivered over the internet, such as a website or an app, and in addition the service must have been explicitly requested by the user. For example, a session cookie used to keep track of items that the user places in an online shopping basket; these cookies expire at the end of the session.
Key figures and findings of the Cookie sweep
40 controllers targeted, 38 responses
10 controllers deployed pre-checked boxes or sliders, which is not compliant
Two-thirds of controllers rely on 'implied' consent
Just under one-third of controllers had already identified improvements
Controllers keen to obtain updated guidance from the DPC
Concerns arising from Cookies Sweep
Use of 'implied' consent model to set cookies
Badly designed or barely visible banners or poor presentation of information
Non-exempt cookies, including dozens of ad trackers, set without consent
Pre-checked boxes or sliders set to the 'ON' position
Lack of clarity on how consent can be withdrawn
Inability for users to reject cookies without going to browser settings
Interfaces designed to 'nudge' users into accepting cookies (e.g. 'OK, Got it!')
Advertising trackers on health-related websites
Inadequate information about tracking technologies such as pixels
Cookies with very long lifespans (100 years and longer) and no clarity as to their purpose
Some lack of awareness about joint controllership
Confusion between S.I. No. 336/2011 and the EU's proposed ePrivacy Regulation
Quality of information provided about cookies and the identity of the controller(s)
How can controllers comply?
It is acceptable to provide information about all types of cookies (by function) in the first layer and to provide an ACCEPT ALL option once there is an equally prominent REJECT ALL option
Controllers may also choose to add a 'manage settings' option to the interface to provide more detailed information and more granular consent in the second layer
Overall the DPC is not prescriptive about how cookie banners or consent management tools are designed; controllers will have policy and design choices to make
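The compliance points above, modelled as an added example (not code from the DPC report or from Sytorus) in plain JavaScript with no DOM dependency: the category names, the in-memory cookie jar and the one-year lifespan cap are assumptions chosen for illustration.

```javascript
// Added example, not the DPC's or Sytorus's code. Enforces: nothing non-exempt
// is set before an explicit choice, no category is pre-checked, Reject All is as
// direct as Accept All, withdrawal purges what was set, lifespans are capped.
const EXEMPT = new Set(["strictly-necessary", "communication"]);
const NON_EXEMPT = ["analytics", "advertising"]; // assumed category names
const MAX_AGE_SECONDS = 365 * 24 * 60 * 60;        // assumed cap, not a DPC figure

function createConsentState() {
  // Every non-exempt category starts OFF and nothing is decided until the user acts.
  const choices = {};
  for (const c of NON_EXEMPT) choices[c] = false;
  return { decided: false, choices };
}

function acceptAll(state) {
  for (const c of NON_EXEMPT) state.choices[c] = true;
  state.decided = true;
}

function rejectAll(state) {
  // Same one-step path as acceptAll: no detour through browser settings.
  for (const c of NON_EXEMPT) state.choices[c] = false;
  state.decided = true;
}

function setCategory(state, category, allowed) {
  // Second-layer 'manage settings': granular, per-purpose choice.
  if (!(category in state.choices)) throw new RangeError("unknown category: " + category);
  state.choices[category] = allowed === true;
  state.decided = true;
}

function setCookie(jar, state, name, category, maxAgeSeconds) {
  // Exempt cookies may always be set; anything else needs a recorded consent for
  // its category. Returns true only if the cookie was actually stored.
  if (!EXEMPT.has(category) && !(state.decided && state.choices[category])) return false;
  jar[name] = { category, maxAgeSeconds: Math.min(maxAgeSeconds, MAX_AGE_SECONDS) };
  return true;
}

function withdrawConsent(state, jar) {
  // Withdrawal is as easy as consent: reset the decision and drop non-exempt cookies.
  for (const [name, c] of Object.entries(jar)) if (!EXEMPT.has(c.category)) delete jar[name];
  const fresh = createConsentState();
  state.decided = fresh.decided;
  state.choices = fresh.choices;
}
```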
On the 6th of April 2020, the guidance and sweep report was distributed to controllers, representative bodies, compliance organizations and to the DPC's DPO network (over 1,800 DPOs)
A team within the Special Investigations Unit is actively examining the practices of new controllers across every sector on a daily basis
There is a deeper technical examination now taking place in relation to tracking cookies
Controllers can expect enforcement action where they fail to bring their practices into compliance
The deadline for controllers to be fully compliant with Regulation 5 of the ePrivacy Regulations is the 5th of October 2020.
If you have any queries regarding the Cookie Sweep and how your organisation can become compliant, you can book a meeting with a member of the Sytorus Team by clicking on the link below: