Cookies & Website Tracking Technologies

On the 6th April 2020 the Irish Data Protection Commission (‘DPC’) issued its report on ‘the use of Cookies and other tracking technologies’. This report outlined that organisations are required to examine their practices with regard to the use of website Cookies and other tracking technologies, taking account of the DPC’s newly published guidance, and, where they identify any areas of non-compliance, to bring them into compliance by 5th October 2020.

Cookie Management

Current regulatory requirements for Cookie consent notices on websites are derived from the ePrivacy Directive (ePD), and personal data collected from Cookies and tracking technologies must be processed in line with the General Data Protection Regulation (GDPR).

What is a Cookie?

A Cookie is a small file downloaded on to a device when the user accesses certain websites. Cookies are then sent back to the originating website on each subsequent visit.

However, the remit of these guidelines is not limited to traditional Cookies; LSOs or ‘flash’ Cookies, software development kits (SDKs), pixel trackers (or pixel gifs), ‘like’ buttons and social sharing tools, and device fingerprinting technologies are all also included.

Key Requirements

Article 5(3) ePrivacy Directive

Organisations should provide such individuals with comprehensive information (in accordance with Directive 95/46/EC) including but not limited to:

  • Identity of the organisation and its representative, if any;
  • Purpose of processing for which the data is intended; 
  • Additional details such as the recipients or categories of recipients of the data, whether provision of requested data is obligatory or voluntary, and the consequences of failure to respond to the request, existence of the individual's rights to access, correction, amendment, and/or deletion etc.

Organisations should provide individuals with a means to consent to and/or object to such processing.

General Data Protection Regulation

Where an organisation uses Cookies, the organisation should be able to demonstrate that the data subject has consented to the use of such Cookies. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.

Organisations should provide individuals with a means to consent to and/or object to such processing.

DPC Cookie Sweeps - Key Issues

It is very evident from the results of the DPC’s Cookie sweep that a significant number of organisations will be required to act now if they are to achieve compliance by the DPC’s stipulated deadline of the 5th October 2020. The following key issues were identified:

  • About two thirds of controllers were incorrectly relying on ‘implied consent’ for the setting of non-essential Cookies e.g. the verbiage in their Cookie banner stated that “by continuing to browse this site you consent to the use of Cookies”.
  • For the majority of websites, there was a lack of functionality for the user to vary or withdraw their consent.
  • For almost all websites, Cookies (including non-essential Cookies) were set immediately upon the user landing and prior to the user providing consent.
  • On some websites Consent Management Platforms (CMPs) were poorly deployed/designed leading them to be confusing and potentially misleading for users.
