What Are the Irish DPC Cookie Guidelines?
Last Updated: November 6, 2020
On April 6, 2020, the Irish Data Protection Commission (DPC) released a report explaining the findings following a cookie sweep of 40 websites of organizations in Ireland across a range of industries. With the release of this report came a list of guidance notes for companies to follow when using cookies and other tracking technologies.
Findings from Cookie Sweep
The DPC’s findings showed that organizations are either confused about current legislation or are ignoring it. The DPC also wanted to determine which aspects of compliance under current Irish and EU law are most difficult for website operators. The sweep found:
- Almost all the websites examined had cookies set immediately on their landing pages
- 26% of the organizations presented pre-checked boxes to signal consent for cookies
- 75% of the organizations stated they rely on a model of “implied consent”
- Many respondents miscategorized cookies deployed on their websites as “necessary”
- Many of the organizations had poorly designed cookie banners that offered no choice to reject
- Most of the organizations bundled consent
- Most websites didn’t offer tools for users to withdraw cookie choices at a later stage
Irish DPC Cookie Guidelines
- Analytics cookies require consent, although the guidance states that it is “unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC”.
- Pre-checked boxes are non-compliant. Generally consistent with other European guidance, organizations must ensure that no non-necessary cookies and similar technologies, pixel trackers, or social sharing buttons are set on the landing page of their site or app.
- Implied consent is unacceptable. Leveraging an implied consent approach is no longer deemed compliant.
- Guidelines for implementing a cookie banner:
  - Give equal prominence to the “accept” and “reject” buttons, or to an option that brings users to a second layer of information and allows them to manage their cookie settings.
  - Enable users to change their cookie preferences at any time.
Cookie Compliance Checklist – Collect valid consent and demonstrate compliance
- Scan your website(s) to understand the cookies and third-party trackers currently in use
- Categorize cookies and trackers appropriately by purpose and set the cookie lifespan to six months
- Configure a cookie banner to pop up at or before the point of collection informing the consumer of the categories of personal information that the company collects and for what purpose
- Create a preference center that provides detailed information about the purpose of cookie collection and the third parties that will process any information collected when those cookies are deployed
- In the preference center, give users the option to accept or reject cookies by type and purpose via checkboxes that are not pre-checked as though consent had already been given
- Build a centrally located, historical consent database to demonstrate compliance to regulators and auditors
- Store records of modifications to cookie banner settings or preferences in a detailed, historical audit log