BLOG | Cookie Compliance | April 23, 2020

The Irish DPC Launches New Guidance on Cookies & Tracking Technologies

Earlier this month, the Irish Data Protection Commission (DPC) published new guidance on the use of cookies and tracking technologies, as well as a report summarizing the DPC’s findings following a “cookie sweep” of select websites across a range of sectors.

In this blog post, we take a look at the report’s findings, as well as the new Guidance provided by the DPC.

Between August and December 2019, the DPC requested information from certain popular websites in Ireland to examine the use and deployment of cookies and tracking technologies on their websites.

The DPC’s goal was to establish how and whether organizations are complying with the current Irish cookie law rules, and whether users’ consent for non-necessary cookies or tracking technologies is being obtained as required under the General Data Protection Regulation (GDPR).

The DPC will allow a six-month period from the date of the publication of the Guidance to bring websites and mobile apps into compliance before enforcement begins.

Main Findings From the Report

Key findings of the cookie sweep include:

  • Pre-checked consent boxes: 10 of the 38 controllers used pre-checked boxes to signal consent to cookies, such as marketing and analytics cookies.
  • Reliance on implied consent model: Two-thirds of the organizations specifically stated that they were relying on an implied consent model to set cookies, based on the language in the cookie banners.
  • Non-necessary cookies immediately set: On all but one website examined, cookies, including non-necessary cookies, were set on the landing page when visitors first landed on the web page.
  • “Necessary” cookies classified incorrectly: Many organizations miscategorized the cookies deployed on their websites as “necessary” or “strictly necessary.”
  • Bundling of consent for all purposes: For most organizations, users couldn’t control consent for different purposes.

According to the report, more than half of the organizations signaled either that they were aware they may not be compliant with the existing rules, or that they had identified improvements that they could make to their websites in order to demonstrate compliance.

Moving Forward With DPC’s Guidance

There are similarities between the Guidance and other guidance produced by EU data protection authorities and, specifically, the guidance produced last summer by the UK Information Commissioner’s Office (ICO). However, there are certain areas where the DPC is taking quite a unique stance.

Key takeaways from the DPC’s new cookie guidance include:

  • Analytic cookies require consent. The guidance states that it is “unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC”. 
  • Pre-checked boxes are non-compliant. Generally consistent with other European guidance, organizations must ensure that no non-necessary cookies and similar technologies, pixel trackers, or social sharing buttons are set on the landing page of their site or app.
  • Implied consent is unacceptable. Leveraging an implied consent approach is no longer deemed compliant.
  • Guidelines for implementing a cookie banner:
    • Outline that the organization is requesting consent for the use of cookies and similar technologies for specific purposes;
    • Allow the user to reject non-necessary cookies and similar technologies, or to request more information about the use of cookies and similar technologies;
    • Give equal prominence to the “accept” and “reject” buttons, or to an option which brings users to a second layer of information and allows them to manage their cookie settings;
    • Enable users to change their cookie preferences at any time.

Organizations have a six-month window to come into compliance with the DPC’s new cookie guidance; after that period, the DPC may take action to enforce the guidance.

How CookiePro Helps

Scan Your Website and Gain an Understanding of Your Website’s Privacy Health

  • Schedule scans on a regular basis for ongoing monitoring to keep your team up-to-date on any changes
  • Scan your website against Cookiepedia, the world’s largest database of pre-categorized cookies and trackers
  • Automate the identification and categorization process of behavior tracking technologies on your website

Collect Valid User Consent and Tailor Your Cookie Banner to Match Your Brand

  • Tailor your consent banner to match your company’s brand including display, color, content, and language
  • Customize your consent approach from notice only, opt-out, implied, opt-in or customize your own
  • Leverage geolocation capabilities to display unique consent approaches based on the users’ location

Enable Preference Centers Catered to Meet Your Organization’s Needs

  • Leverage templates or build custom preference centers to give users greater control over their cookie settings
  • Enable flexible user interfaces with customizable user experience elements to match your brand and build loyalty
  • Allow visitors to customize their cookie consent based on cookie type (strictly necessary, analytics, targeting, etc.)
