Irish DPC Guidance Note: How to Obtain Valid GDPR Cookie Consent
In April 2020, the Irish Data Protection Commission (DPC) published the results of its ‘cookie sweep survey’, which examined the cookie policies and practices of 38 unnamed organisations operating in Ireland.
It is important to note that other European Data Protection Authorities (DPAs) have recently issued similar guidance:
- The UK’s Information Commissioner's Office (ICO)
- France’s Data Protection Agency (CNIL)
- The Belgian Data Protection Authority (APD)
With the imminent enforcement of the Irish DPC’s guidance on data controllers’ cookie policies and practices, this article will explore:
- What are the functions of cookies?
- What is the Irish Data Protection Commission’s Cookie guidance note?
- What is the Irish DPC’s ‘Cookie Sweep Survey’?
- What are the key findings of the Irish DPC’s ‘Cookie Sweep Survey’?
- What are the key takeaways from the Irish DPC’s guidance note on cookies?
- When should data controllers comply with Ireland DPC’s guidance note on cookies?
- How do I obtain valid GDPR cookie consent under the Irish DPC’s guidance note?
What are the Functions of Cookies?
Cookies are commonly classified along three axes: their purpose, how long they last, and who sets them.
Strictly necessary cookies – also known as essential cookies, these allow you to navigate a website and use its features, such as accessing secure areas of the site.
This category includes the cookies that let an e-commerce store keep items in your shopping cart while you shop.
Neither the GDPR nor the ePrivacy Directive requires consent for strictly necessary cookies, but users should still be told what they are and why they are needed.
Preference cookies – These allow a website to remember choices you have made, such as your language, the region you want reports for, or your login details so that you are signed in automatically. Preference cookies are also referred to as functionality cookies.
Statistics cookies – These gather information about your activity on a site, such as the pages you visited and the links you clicked.
The reports built from this data are usually aggregated, but the cookie itself typically carries a unique identifier, so the underlying data remains personal data unless it is genuinely anonymised.
Statistics cookies exist to help the site owner understand and improve the site. Third-party analytics cookies serve the same purpose only if the data they collect is used exclusively by the site owner and not by the analytics provider for its own ends.
Marketing cookies – These record your browsing activity so that advertisers can show you more relevant ads or cap how often you see a given ad.
Marketing cookies may share personal data with third parties or adtech companies for digital marketing purposes.
They are usually persistent and usually set by third parties.
Session Cookies – These are temporary cookies that expire when you close the browser.
Persistent cookies – These are cookies that remain on your device until you either delete them or your browser erases them based on their date of expiration.
All persistent cookies carry an expiry date, set through the cookie's Expires or Max-Age attribute, although the duration varies widely.
First-party cookies – These are set on your device by the website you are visiting.
Third-party cookies – These are set under a different domain by content the page embeds, such as an advertiser's or analytics provider's script. The site you are visiting does not set them itself.
Nonetheless, some cookies do not fit neatly into these categories, and others fall into more than one.
What is the Irish Data Protection Commission’s Cookie Guidance Note?
The Irish DPC’s guidance note sets out what the DPC expects of businesses' cookie policies and practices when they collect personal data from users.
It also emphasises the overlap between the GDPR and the ePrivacy Directive in terms of cookie management and user consent.
In May 2020, the EDPB issued guidelines that businesses must follow for GDPR cookie consent to be considered valid.
Read our blog post on the EDPB guidelines on GDPR cookie consent to learn more.
What is the Irish DPC’s ‘Cookie Sweep Survey?’
Between August and December 2019, the Irish DPC conducted a compliance review of the websites of 38 data controllers in Ireland, including those in media and publishing, retail, hospitality, insurance, sport and leisure, and the public sector.
This investigation examined how these data controllers comply with both the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
Specifically, the sweep focused on three key aspects:
- Identifying the types of cookies that the controllers' websites place on users' devices.
- Finding out whether the websites obtain GDPR-compliant cookie consent from users before collecting their personal data.
- Determining whether data controllers give users adequate information before installing cookies on their devices.
The Irish DPC used a three-colour rating to assess each controller's level of compliance: Green denoted full compliance, Red denoted non-compliance, and Amber fell in between.
Only two of the 38 entities examined received a full 'Green' rating from the Irish DPC.
What are the Key Findings of the Irish DPC’s ‘Cookie Sweep Survey’?
The following are the main issues that Ireland's Data Protection Commission found during its review of the 38 data controllers:
- Excessively long and unnecessary lifespans set on cookies placed on users' devices
- Pre-checked cookie consent boxes on landing pages
- Poorly designed cookie banners
- No cookie policy distinct from the general website privacy notice
- A lack of understanding of which cookies the GDPR and the ePrivacy Directive exempt from the requirement for prior consent
What are the Key Takeaways from the Irish DPC Cookie Guidance Note?
According to the DPC, businesses must obtain user consent in line with GDPR requirements. This means the consent must be:
- Freely given, specific, informed and unambiguous
The guidance note recognises two exceptions to the consent requirement:
- The communications exemption
- The strictly necessary exemption
Communications exemption - This applies only to cookies whose sole purpose is to carry out the transmission of a communication over a network. It does not cover cookies that merely assist with or enhance such a transmission.
Strictly necessary exemption - This applies to cookies that are strictly necessary to provide a service the user has explicitly requested. The DPC advises businesses not to interpret this exemption broadly.
Duration of Cookies
The Irish DPC emphasises that the expiry period of any cookie should be proportionate to its purpose.
For example, a cookie used to remember what a shopper has in their shopping cart should not persist indefinitely.
Instead, it should expire once it has served its purpose.
Third-Party Buttons and Widgets
If you allow third parties to add plugins, widgets, pixel trackers, or "like" buttons, you need to be aware of the kind of data shared with these third parties.
The Irish DPC guidance note also acknowledges the ruling of the Court of Justice of the EU (CJEU) in the Fashion ID case, which held that a website operator can be a joint controller of personal data collected through an embedded third-party plugin and shared with that third party.
Similarly, third parties such as payment service providers may act as processors on the data controller’s behalf.
If that is the case, you, as the controller, must have a GDPR-compliant data processing contract with the processor.
You should therefore map your data processing engagements with third parties so that you understand the obligations and liabilities each relationship carries.
Analytics Cookies
The Irish DPC requires you to obtain prior and valid GDPR cookie consent from users before placing analytics cookies on their devices.
While first-party analytics cookies strictly limited to statistical purposes on your own website are unlikely to raise privacy issues, third-party analytics cookies require consent and may be the subject of GDPR enforcement action.
Periodic Updating of Consent
If you maintain records of your consumers’ consent to the installation of cookies on their devices, the Irish DPC guidance note specifies that the period after which their consent should be re-obtained must not exceed six months from the time it was first given.
Systemic Tracking or Profiling
The Irish Data Protection Commission’s guidance note requires you to conduct a GDPR-compliant Data Protection Impact Assessment (DPIA) if you:
- Systematically monitor, track, or observe users' location or behaviour on a large scale; or,
- Combine, link, or cross-reference different datasets to profile or analyse users' behaviour.
Checklist for Compliance with the Irish DPC Guidance Note
To ensure compliance with the Irish DPC Cookie guidance note, you should at least follow the checklist below:
▢ Do not “nudge” users to accept cookies through the banner design (for example, make a "reject" button as prominent as an "accept" button)
▢ Do not use pre-ticked boxes or sliders
▢ Do not rely on browsing or scrolling to indicate consent
▢ Avoid bundling cookie consents (i.e., the cookie banner should outline specific purposes for which the cookies are used)
▢ Ensure that consent is reaffirmed within 6 months of the user's initial consent
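The checklist above describes the mechanics of a consent record: opt-in per purpose with no pre-ticked default, a way to withdraw, and re-affirmation within six months. As an added illustration (not code from the DPC guidance note or from Secure Privacy), the following JavaScript sketches such a record stored in a first-party cookie and used to gate third-party tags. The cookie name, the purpose names, and the tag catalog URLs are assumptions chosen for the example; the helpers work on plain strings so they run in Node as well as in a browser, where you would assign the returned cookie strings to `document.cookie`.

```javascript
// Added example, not from the DPC note or any vendor. Cookie name, purposes and
// tag URLs are assumed for illustration.

const CONSENT_COOKIE = "cookie_consent";                      // assumed first-party cookie name
const CONSENT_MAX_AGE_DAYS = 182;                             // re-affirm no later than six months
const PURPOSES = ["preferences", "statistics", "marketing"];  // strictly necessary needs no consent

// Builds a Set-Cookie style attribute string. Omitting maxAgeSeconds yields a
// session cookie (gone when the browser closes); supplying it yields a persistent one.
function cookieString(name, value, { maxAgeSeconds, path = "/" } = {}) {
  let s = `${name}=${encodeURIComponent(value)}; Path=${path}; Secure; SameSite=Lax`;
  if (Number.isInteger(maxAgeSeconds)) s += `; Max-Age=${maxAgeSeconds}`;
  return s;
}

// Records only explicit opt-ins: anything not set to exactly true is treated as
// refused, so there is no pre-ticked default. `now` is epoch milliseconds.
function buildConsentRecord(choices, now = Date.now()) {
  const granted = {};
  for (const p of PURPOSES) granted[p] = choices[p] === true;
  return { version: 1, grantedAt: now, granted };
}

// Persists the record for at most six months via Max-Age, so a stale consent
// disappears client-side even if the site forgets to re-prompt.
function consentCookie(record) {
  return cookieString(CONSENT_COOKIE, JSON.stringify(record), {
    maxAgeSeconds: CONSENT_MAX_AGE_DAYS * 86400,
  });
}

// Parses the record back out of a Cookie request header (or document.cookie).
// Returns null when absent or malformed; callers must treat null as "no consent".
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0 || part.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(part.slice(idx + 1).trim()));
      return rec && typeof rec.grantedAt === "number" && rec.granted ? rec : null;
    } catch {
      return null;
    }
  }
  return null;
}

// Consent older than six months is treated as expired regardless of the cookie's Max-Age.
function consentIsCurrent(record, now = Date.now()) {
  if (!record) return false;
  return now - record.grantedAt < CONSENT_MAX_AGE_DAYS * 86400 * 1000;
}

function hasConsent(record, purpose, now = Date.now()) {
  return consentIsCurrent(record, now) && record.granted[purpose] === true;
}

// Withdrawal must be as easy as giving consent: returns a fresh record with the purpose off.
function withdrawConsent(record, purpose, now = Date.now()) {
  const choices = { ...(record ? record.granted : {}), [purpose]: false };
  return buildConsentRecord(choices, now);
}

// Constructed sample tag catalog; the URLs are placeholders, not real vendors' tags.
const TAG_CATALOG = [
  { purpose: "statistics", src: "https://analytics.example/tag.js" },
  { purpose: "marketing", src: "https://ads.example/pixel.js" },
];

// Returns only the third-party scripts whose purpose the user has currently consented to.
function scriptsToLoad(record, catalog = TAG_CATALOG, now = Date.now()) {
  return catalog.filter((t) => hasConsent(record, t.purpose, now)).map((t) => t.src);
}

// A strictly necessary cart cookie kept as a session cookie rather than indefinitely.
function cartCookie(cartId) {
  return cookieString("cart", cartId); // no Max-Age => session cookie
}
```

The six-month limit is enforced twice on purpose: the `Max-Age` attribute removes the cookie client-side, and `consentIsCurrent` rejects an old `grantedAt` server-side, so a tampered or copied cookie cannot extend a consent past the window.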
How Do I Obtain Valid GDPR Cookie Consent under the Irish DPC Guidance Note?
You can obtain valid cookie consent from users with Secure Privacy's GDPR cookie banner. Our solution helps you ensure that:
- You take a layered approach to obtaining and explaining cookie consent. First, the Secure Privacy cookie banner informs users why cookies are used and why their consent is needed before they are placed. Second, your cookie notice explains the different cookie types and analytics tools you use.
- You do not bundle consents. Instead, Secure Privacy’s GDPR cookie banner obtains consent for each purpose separately by letting users choose which types of cookies they accept.
- You provide an opt-in for every type of non-essential cookie on your website, none of which is pre-checked, so that consent is demonstrably the user's own action.
- You explain in your cookie notice how to withdraw consent, and you have a mechanism that asks visitors to reaffirm their consent every six months.
- You record consents in a way that lets you demonstrate what each visitor consented to, when, and that they were able to withdraw.
- You link to the cookie notice so users can find further information, such as which third parties will have access to their personal data if they accept third-party analytics cookies.
For a personalized demo of our solution, schedule a call with us today and speak with a data privacy expert.
Alternatively, you can activate your free trial of our complete GDPR compliance solution.
Check out the cookie consent guidelines from other European Data Protection Authorities to see whether you need to comply with them too:
Our detailed GDPR compliance guide
The ultimate guide to GDPR Cookie Consent Compliance