Ireland’s Cookie Compliance Deadline Is Approaching…Are You Ready?

Earlier this year, the Irish Data Protection Commission (“DPC”), which is responsible for enforcing GDPR compliance in Ireland, published a report regarding how websites across a range of industries are using cookies and tracking technologies, as well as new guidance regarding what’s required to comply with GDPR from a cookie consent perspective. If you’re collecting data from Irish residents, you should review your cookie compliance protocols to ensure you’re not running afoul of GDPR.

What Prompted This Action?

Between August and December 2019, the DPC sent questionnaires to a number of popular websites in Ireland in an effort to examine how cookies and tracking technologies are deployed, and to determine whether organizations are:

1) Complying with the current Irish cookie law rules; and

2) Obtaining users’ consent for non-necessary cookies or tracking technologies in line with the requirements of GDPR.

The results obtained by the DPC, explained below, were eye-opening and prompted them to issue new, explicit guidance to put companies on notice about their obligations when collecting information from Irish citizens through the use of cookies and tracking technologies.

What Did The DPC Find?

The DPC caught most companies with their hands in the cookie jar, and either through intentional acts or willful ignorance, most companies are violating key tenets of GDPR through their use of cookies and tracking technologies. Key findings include:

· Non-essential cookies are running without consent on landing pages: On almost all the websites examined, non-necessary cookies were running prior to obtaining the required explicit consent from a website visitor

· Pre-checked consent boxes: 26% of the responding organizations presented pre-checked boxes to signal consent to cookies, including to marketing and analytics cookies

· Implied consent: Two-thirds of the organizations stated that they were relying on implied consent through “scrolling” or telling the user to control cookies through browser settings

· Misclassification of cookies as “necessary”: Many organizations miscategorized what are analytic or marketing cookies as either “necessary” or “strictly necessary”

· Badly designed cookie banners and consent-management platforms (“CMPs”): Badly designed cookie banners and CMPs were also a feature on some websites (e.g., cookie banners offering no choice other than an “accept” button without any link to additional information about cookies, and with the cookies policy or privacy policy in the page footer obscured by the banner)

· Bundling of consent for all purposes: For most organizations, consent was “bundled”, meaning users were unable to provide consent to particular purposes for which cookies were being used.

· No visible functionality to change cookie settings: Most websites did not offer tools for users to vary or withdraw cookie choices at a later stage, despite the deployment of third-party vendors’ CMPs by some organizations.

Nearly half of the organizations who responded admitted that they were either aware they weren’t compliant with the existing rules or that they were trying to implement changes to achieve compliance. However, the DPC made clear that given some of the response provided “that even the changes proposed by controllers may not serve to bring them into full compliance.”

How Did The DPC Respond?

After picking their jaws up off of the floor from seeing how rampant noncompliance was among respondents, the DPC issued guidance regarding how companies can deploy a compliant cookie consent protocol.

Key takeaways from the DPC’s new cookie guidance include:

· Organizations must ensure that non-essential cookies (e.g. social sharing tools or pixel trackers) are not set to automatically run on the landing page of their site or app;

· Obtaining users’ consent by implementing a cookie banner or pop-up is acceptable, provided that:

· the cookie banner or pop-up provides a compliant experience by requesting explicit consent and providing additional information regarding cookie usage, rather than using wording such as “by continuing to use the site, you consent to the use of cookies”;

· the cookie banner or pop-up is not designed in a way that “nudges” a user into accepting cookies over rejecting them. In practice, if there is an “accept” button on the banner, the banner must give equal prominence to a “reject” button, or to an option which brings users to a second layer of information and allows them to manage their cookie settings; and

· this second layer of information must provide more detailed information about the types and purposes of cookies or other technologies being set, and the third parties who will process information collected when those cookies and similar technologies are deployed. It also must provide users with options to accept or reject such cookies/similar technologies by cookie type and purpose, e.g., via checkboxes that must not be pre-checked, or sliders that must not be set to “on” by default;

· Users must also be able to change their cookie preferences at any time;

· If a cookie is used to store a record that a user has given consent to the use of cookies, this cookie should have a lifespan of up to 6 months;

· Any record of consent must be backed up by demonstrable organizational and technical measures that ensure a user’s expression of consent (or withdrawal) can be effectively acted on; and

· Analytics cookies, targeting cookies and marketing cookies require users’ prior consent.

The DPC made it clear that they expect organizations to comply with the current cookie law rules. After issuing the guidance in April 2020, organizations had a six-month grace period to get in compliance with the DPC’s new cookie guidance, which expires on October 5, 2020. Starting October 6, 2020 the DPC may take action to enforce the guidance.