GENERAL

WHICH LOCAL LAW IMPLEMENTS THE EPRIVACY DIRECTIVE?

S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (2011 Regulations).

IS THERE ANY REGULATORY GUIDANCE ISSUED TO SPECIFICALLY ADDRESS COOKIES?

Yes – the Data Protection Commission's Guidance note on cookies and other tracking technologies, which was published here; the corresponding report is available here.

CONSENT

CAN A USER PROVIDE CONSENT TO COOKIES VIA WEB BROWSER SETTINGS?

No – if a user's browser settings allow access to and storing of cookies generally, this does not amount to deemed consent for use of cookies on a specific website. The guidance notes that merely referring to such cookies which are usually enabled in browser settings (often third-party analytics), in a privacy policy for example, will not meet the transparency and information requirements under the relevant cookie laws.

ARE COOKIE WALLS ALLOWED?

No – cookie banners cannot indirectly force a user to accept cookies in order to enter the site. There must be granular, opt-in consent for each purpose for which cookies are used.

CAN CONSENT BE IMPLICIT (I.E. THROUGH USE OF THE WEBSITE)?

No – the DPC highlights in its guidance that consent cannot be implied from use of the website: it must be clear that a user has actively engaged with the cookie banner and given unambiguous consent to use of cookies.

TRANSPARENCY AND RETENTION

ARE THERE SPECIFIC RULES OR GUIDANCE FOR COOKIE BANNERS?

Consents cannot be bundled – consent must be gained for each purpose for which a cookie is used. Organisations should adopt a layered approach to gaining and explaining consent to users. This may be achieved by a cookie banner; however, the guidance notes that the banner must not indirectly force a user to accept all cookies: a reject option should also be clear if such an accept option is available on the banner.

IS A SEPARATE COOKIE POLICY REQUIRED IN ADDITION TO THE WEBSITE PRIVACY POLICY?

Yes – the DPC guidance acknowledges that although some of the information within a cookie policy and a privacy notice may overlap, it is best practice to maintain both. Privacy and cookie policies should be accurate and kept up to date, and should be visible and readily available to users: the DPC warns that banners and other pop-ups should not obscure these.

ARE THERE ANY SPECIFIC RETENTION PERIODS FOR DATA HELD BY COOKIES?

Yes. The DPC indicates that six months is the longest period for storing user consent for cookies, and recommends that users have a readily available tool on the relevant website allowing them to regularly amend cookie consents.

DO ANY COOKIE RULES OR GUIDANCE APPLY DIFFERENTLY FOR FIRST-PARTY AND THIRD-PARTY COOKIES?

Yes. The DPC reminds organisations to consider all relationships with third parties with whom they may interact. This could be through plugins, widgets, or social media sharing tools, for example. Organisations should know what personal data is being shared with third parties via cookies (or other means), and where controller-controller or controller-processor relationships may exist.

ENFORCEMENT

IS THERE ANY REGULATORY STRATEGY ON THE ENFORCEMENT OF COOKIE RULES?

The DPC has indicated that enforcement action on compliance with the new guidance will begin in October 2020, by which time organisations must bring their websites, apps, and other products which use cookies into compliance. The areas which may be examined by the DPC in a potential enforcement action include compliance and adherence to the key data protection principles, which apply where the cookies contain personal data. Examples given by the DPC in its report include accountability and transparency, as well as data subject rights and general security obligations under the GDPR.

HAVE THERE BEEN ANY FINES ISSUED FOR NON-COMPLIANCE OF COOKIE RULES?

No.

HAVE THERE BEEN ANY COURT CASES ADDRESSING COOKIE COMPLIANCE?

No.

ADDITIONAL INFORMATION

The DPC emphasises that it is irrelevant whether personal data exists within the information accessed or stored in cookies. The guidance notes that the ePrivacy Regulations apply to information stored or accessed on such equipment, irrespective of whether the information includes personal data. Personal data may not always exist in cookies; however, when it does, GDPR obligations apply in addition. Examples of relevant GDPR considerations given by the DPC include transparency requirements, Article 28 contracts where appropriate, and ensuring relevant processing is recorded in an Article 30 Record of Processing Activities (RoPA).

Consent is required for analytics cookies. The DPC does indicate, however, that when carrying out enforcement action on cookie compliance, first-party analytics are unlikely to be an immediate priority.


Originally published 27 November 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.