Traditional approach to cookie banners swept aside by DPC report
Last month, the Data Protection Commissioner (DPC) released a report showing its findings following a cookie “sweep” of a select number of websites across a range of sectors in the economy.
The report may have fallen through the cracks for many due to all the attention around the Covid-19 response.
Key findings of the cookie sweep report
Following the sweep, the DPC found that 26% of data controllers had used pre-checked boxes to acquire consent for cookies, including marketing, advertising and analytics cookies. It highlighted that “these controllers will need to act expeditiously to amend their interfaces, which it is clear do not comply with EU law”.
One of the other key findings from the sweep shows that on almost all the websites examined, cookies were set immediately on the landing page including non-necessary cookies.
In many cases organisations misclassified cookies as “necessary” or “strictly necessary” and relied on implied consent.
Cookie banners offering no choice other than an “accept” button and no link to a cookie policy were a feature on many websites. In many cases there were no visible cookie preference settings for users to change or withdraw cookie choices even in instances where the organisation had already deployed a consent management platform. Another issue the DPC found was the “bundling” of consent for all purposes.
Scale of the report
From August to December 2019 the DPC carried out the sweep, sending a questionnaire to 40 organisations and examining the use of cookies and similar technologies on a selection of popular websites in Ireland.
As part of the sweep the DPC received responses from 38 controllers and graded each response according to a red, amber, green system. Only 2 controllers received a green grading, 20 were graded amber and 12 received a red rating, indicating substantial compliance issues, particularly the use of implied consent for cookies.
As many organisations may be aware, the ePrivacy Regulations require that you obtain consent in order to gain any access to information stored on the device of a user, or to store any information on the person’s device.
The Irish ePrivacy Regulations, implemented by Statutory Instrument (S.I.) No. 336 of 2011, transpose into law the EU ePrivacy Directive (2002/58/EC as amended by 2009/136/EC).
The DPC’s aim was to examine how cookies are deployed, and to establish how and whether organisations are complying with the current Irish cookie law rules, and in particular, whether users’ consent for non-necessary cookies or tracking technologies is being obtained in line with the requirements of the EU General Data Protection Regulation (GDPR).
For most organisations this means they will need to implement a mechanism to obtain consent before setting cookies in order to be compliant. Traditionally this has been a simple pop-up banner that includes a link to the cookies policy and states that continuing to use the website will constitute consent to setting cookies (often with a button that lets a user dismiss the banner).
Function of cookies
Cookies are usually small text files stored on a device, such as a PC, a mobile device or any other device that can store information. The regulations use the term “terminal equipment”, which can include a mobile device, a computer or any device connected to the internet (the so-called ‘Internet of Things’).
Cookies serve several important functions, including to remember a user, to keep track of items in an online shopping cart or to keep track of information when you input details into an online application form. Authentication cookies are also important to identify users when they log in to many essential online services.
Certain cookies can also be used to help web pages load faster and to route information over a network. The information stored in cookies can include personal data, such as an IP address, username, a unique identifier, or an email address. But it may also contain non-personal data such as language settings or information about the type of device a person is using to browse the site.
New approach required
Recent case law of the European Court of Justice has indicated that this traditional banner approach is not sufficient to comply with the requirements post GDPR, and that the following rules apply:
Other than strictly necessary cookies (i.e. cookies without which the website will not function), no cookies should be set until the user has taken a positive action to indicate consent to the cookies
Pre-ticked boxes are not acceptable, by default the cookies should not be set
Consent should be provided for different categories of cookie separately
Banners must give equal prominence to “accept” and “reject” buttons and a link to information that allows users to manage their cookie settings
Considering the above, organisations need a fully compliant cookie policy and will need to implement a pop-up or banner to gain consent for different cookie categories.
If your organisation’s website uses cookies and wants to comply with the EU law standard on cookies, it will need to implement a cookie consent tool.
In its guidance notes the DPC says cookies should only be given a lifespan that is proportionate to the function of the cookie. For example, a session cookie is used when you add an item to your shopping cart on an online shopping website, and it generally disappears when the user closes their browser. Other cookies are persistent and are used to track a user over time, and these cookies can have exceptionally long lifespans. If a cookie is used to store a record that a user has given consent to the use of a cookie, this cookie should have a lifespan of 6 months.
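The rules above (no non-necessary cookies before a positive action, no pre-ticked categories, per-category choices, and a consent record that lives 6 months) can be expressed as a small consent model. The following is an added example written for this article, not code from the DPC or from any consent management platform; the category names, function names and the cookie name cookie_consent are assumptions for illustration.

```javascript
// Non-necessary cookie categories offered to the user (constructed for this example).
const CATEGORIES = ["analytics", "advertising", "marketing"];
// DPC guidance: a cookie recording consent should live no longer than 6 months.
const CONSENT_MAX_AGE_SECONDS = 6 * 30 * 24 * 60 * 60; // 15552000

// Initial state before any user action: nothing pre-ticked, no decision recorded.
function defaultConsent() {
  const state = { decided: false, categories: {} };
  for (const c of CATEGORIES) state.categories[c] = false;
  return state;
}

// Record a positive user action. Each category is consented to separately;
// anything not explicitly set to true stays refused (so "reject all" is just {}).
function recordChoice(choices) {
  const state = { decided: true, categories: {} };
  for (const c of CATEGORIES) state.categories[c] = choices[c] === true;
  return state;
}

// Gate that the page's cookie-setting code must pass through before storing anything.
// Strictly necessary cookies are always allowed; everything else needs a recorded "yes".
function mayStoreCookie(state, category) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) {
    throw new Error(`unknown cookie category: ${category}`);
  }
  return state.decided && state.categories[category] === true;
}

// Serialise the decision into a Set-Cookie header value with the 6-month lifespan.
function consentCookieHeader(state) {
  const value = encodeURIComponent(JSON.stringify(state.categories));
  return `cookie_consent=${value}; Max-Age=${CONSENT_MAX_AGE_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Read the decision back from a request's Cookie header. A missing or malformed
// record is treated as "not decided", which means no non-necessary cookies.
function parseConsentCookie(cookieHeader) {
  const state = defaultConsent();
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== "cookie_consent") continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join("=")));
      state.decided = true;
      for (const c of CATEGORIES) state.categories[c] = stored[c] === true;
    } catch (e) { /* malformed record: fall through with the default state */ }
  }
  return state;
}
```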
For more information on Irish ePrivacy regulations, the cookies sweep, and guidance notes made available by the DPC check out the information below.
Guidance notes made available following the sweep
Irish ePrivacy Regulations
The Irish ePrivacy Regulations, implemented by Statutory Instrument (S.I.) No. 336 of 2011, transpose into law the EU ePrivacy Directive (2002/58/EC as amended by 2009/136/EC).
Regulations 5(3), 5(4) and 5(5) of the Irish ePrivacy Regulations state:
5(3) A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless
(a) the subscriber or user has given his or her consent to that use, and
(b) the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which –
(i) is both prominently displayed and easily accessible, and
(ii) includes, without limitation, the purposes of the processing of the information.
5(4) For the purpose of paragraph (3), the methods of providing information and giving consent should be as user-friendly as possible. Where it is technically possible and effective, having regard to the relevant provisions of the Data Protection Acts, the user’s consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given his or her consent.
5(5) Paragraph (3) does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
About the author:
Gerard Kiely is a project manager at Arekibo with an interest in content strategy having had experience as a journalist.