by Laura Fannin, Ruth Prendeville April-21-2020 in Commercial & Business, Data Protection

Introduction

On 6 April 2020, the Data Protection Commission (the “Commission”) published its report following an examination of the use of cookies and similar technologies by 38 websites across a range of industries including insurance, food delivery services and media and publishing.  On the same day, the Commission published its updated guidance note on cookies and similar technologies.

 

Cookies and the law

Before considering the Commission’s report and guidance note, it is useful to briefly summarise the law that applies to the use of cookies and similar technologies (collectively referred to in this article as “cookies”).

The ePrivacy Directive and the Irish ePrivacy Regulations of 2011 (which implement the ePrivacy Directive in Ireland) (the “ePrivacy Laws”) govern the use of cookies.  The General Data Protection Regulation (“GDPR”) is also relevant to the extent that cookies often involve information that contains personal data.

The general rule under the ePrivacy Laws is that users must consent before cookies can be placed on their devices.

The ePrivacy Laws were due to be updated with the introduction of the GDPR on 25 May 2018, but this did not ultimately come to pass. 

The Data Protection Commission in its guidance on cookies has determined that consent under the ePrivacy Laws must be the GDPR-standard of consent.  Such consent must be freely given, specific, informed and unambiguous, and must result from a clear affirmative action by the user to be valid. Consent must be obtained from a user before cookies are deployed.  

 

The Commission’s findings

Although the cookie practices of the 38 websites examined naturally varied in many respects, the Commission reported a number of trends and areas of particular concern in the cookie practices employed by the online service providers.  Key points of note include the following:

 

Implied consent

Based on the wording of their cookie banners (for example, “by continuing to browse this site you consent to the use of cookies”), the Commission considered that approximately two-thirds of the online service providers it examined relied on a model of “implied consent” to set cookies.  In the Commission’s view, consent by implication, such as by a user continuing to scroll or click through a website, does not reach the GDPR-standard of consent that is required by the ePrivacy Laws to set cookies.

 

Options to accept and reject cookies

The Commission considered that many of the cookie banners examined offered no choice other than to “accept” cookies without any option to “reject” them or did not provide a link to additional information about the cookies used on the website.  Even where cookie banners had an option to learn more about cookies, in many cases this did not include a layered option to accept or reject cookies according to their functions.  This resulted in what the Commission referred to as a “nudging” approach, whereby users were effectively forced into accepting all cookies. 

The Commission emphasised that users must be given clear and comprehensive information about the cookies that are used and each of their purposes, and an option to reject cookies must have an equal prominence to an option to accept them.

For many of the websites, the Commission noted that a wide range of cookies were set as soon as users landed on the website without any engagement by users with a cookie banner or consent management platform.

 

Pre-ticked boxes

On 1 October 2019, the Court of Justice of the European Union clarified in the Planet49 case that collecting users’ consent to place cookies on their devices through the use of pre-checked boxes does not constitute valid consent under the ePrivacy Laws. 

The Commission reported that 26% of the websites it examined had pre-checked boxes to signal consent to cookies.  In some cases, the Commission found that users’ cookie choices were not honoured even after pre-checked boxes were deselected.

The Commission suggested that the use of pre-checked boxes will be a particular point of focus, stating that online service providers “will need to act expeditiously to amend their interfaces, which it is clear do not comply with EU law.”  The Commission also stated that some further engagement with these online service providers will be required in order to draw this issue to their attention.

 

Inability to vary or withdraw consent

The Commission noted that an inability to vary or withdraw consent was common among the websites it examined.  In some cases, the website used cookies to remember users’ consent state for a set period of time, such that users who consented to cookies on an earlier visit to the website would not be given the opportunity to vary or withdraw their consent to cookies on subsequent visits.  The Commission suggested in its updated guidance document that, if an online service provider uses a cookie to remember a user’s consent to cookies, they should ask the user to reaffirm their consent at six-month intervals thereafter.

The Commission proposed that a possible design solution to this issue would be a “cookie button” showing sliders or on/off options that users could interact with each time they visit a website.

 

The Commission’s view on analytics cookies

Analytics cookies are generally used by online service providers to analyse how users interact with their websites in order to improve and optimise the services they are providing.  Such cookies tend to collect aggregated information about users for statistical purposes and are therefore considered to be less invasive than other types of cookies such as tracking, targeting or marketing cookies.

Under the ePrivacy Laws, cookies that are strictly necessary to deliver the service that the user has requested do not require consent. 

In its report, the Commission emphasised that analytics cookies are not “strictly necessary” and therefore require consent under the ePrivacy Laws.  However, the Commission stated that first-party analytics cookies (those used only by the online service provider or a processor acting on its behalf to measure how users use a website) are considered to be low risk and it is therefore unlikely that they would be a priority for any formal action by the Commission.  This view is to be welcomed by online service providers for whom analytics cookies are key to understanding the performance of their online services and how they can be improved.

 

Conclusion – what happens next?

The Commission has stated that online service providers must voluntarily bring their cookie practices into line with the requirements of the ePrivacy Laws and GDPR as outlined in its report and guidance note by early October 2020, after which it will examine the most appropriate enforcement options to bring those in default into compliance.

Those operating online services should now carefully consider their cookie practices in light of the Commission’s report and guidance note, with a particular focus on the manner in which consent to cookies is obtained and stored, and the information that is provided to users about the cookies that are deployed.

 

Click here to see the Commission’s full report.

Click here to see the Commission’s updated guidance document.

 

For further information, please contact Laura Fannin lfannin@hayes-solicitors.ie or Ruth Prendeville rprendeville@hayes-solicitors.ie at Hayes solicitors.

