Irish DPC Guidance Note: How to Obtain Valid GDPR Cookie Consent
In April 2020, the Irish Data Protection Commission (DPC) published a report, commonly referred to as the ‘cookie sweep survey’, that examined the cookie policies and practices of 38 unnamed organisations operating in Ireland, alongside a Guidance Note on cookies and other tracking technologies.
It is worth noting that other European data protection authorities (DPAs) have recently issued similar guidance. They include:
With enforcement of the Irish DPC’s guidance on data controllers’ cookie policies and practices set to begin, we explore:
- What are the functions of cookies?
- What is the Irish Data Protection Commission’s Cookie Guidance Note?
- What is the Irish DPC’s ‘Cookie Sweep Survey’?
- What are the key findings of the Irish DPC’s ‘Cookie Sweep Survey’?
- What are the key takeaways from the Irish DPC’s Guidance Note on cookies?
- When must data controllers comply with the Irish DPC’s guidance on cookies?
- How do I obtain valid GDPR cookie consent under the Irish DPC’s Guidance Note?
What are the Functions of Cookies?
Cookies are usually classified along three axes: their purpose, their lifespan, and who sets them. By purpose, the common categories are:
Strictly necessary cookies – also known as essential cookies, these are the cookies without which you could not browse a website or use its core features, such as accessing areas that require you to be logged in.
For example, the cookies that allow an e-commerce store to keep items in your basket while you shop fall under this category.
The ePrivacy Directive (Article 5(3)) exempts strictly necessary cookies from the consent requirement, and the GDPR adds no separate consent requirement for them, but what they do and why they are needed should still be explained to users.
Preference cookies – these cookies let a website remember choices you made previously, such as your language, the region you want content for, or your login details so you can sign in automatically. Preference cookies are also referred to as functionality cookies.
Statistics cookies – these cookies gather information about your activity on a website, such as which pages you accessed and which links you clicked.
Reports built from this data are normally aggregated, but aggregation of the reports does not by itself make the data anonymous: the cookie usually carries a unique identifier for your browser, so the underlying records can still be personal data.
Statistics cookies are used to understand and improve how the website works. Where these cookies are set by a third-party analytics provider, the purpose is the same so long as the information they collect is used exclusively by the website owner rather than by the provider for its own purposes.
Marketing cookies – lastly, marketing (or advertising) cookies record your online activity so that advertisers can deliver more relevant advertising or limit the number of times you see an ad.
Marketing cookies can share personal data with third parties or adtech intermediaries for the purpose of digital marketing.
These cookies are usually persistent and are predominantly set by third parties.
By lifespan, cookies are either session or persistent:
Session cookies – temporary cookies that are discarded when you close the browser.
Persistent cookies – cookies that remain on your device until you delete them or the browser removes them once they reach their expiry date.
Every persistent cookie carries an expiry date, set by the Expires or Max-Age attribute, although the duration chosen varies widely.
By provenance, cookies are either first-party or third-party:
First-party cookies – cookies set on your device directly by the website you are visiting.
Third-party cookies – cookies placed on your device by a party other than the website you are visiting, such as an advertiser or an analytics service.
Nonetheless, it is essential to note that some cookies may not fit neatly into these categories while others may qualify for multiple categories.
What is the Irish Data Protection Commission’s Cookie Guidance Note?
The Guidance Note sets out the Irish DPC’s expectations of how businesses use cookies and similar technologies to collect information from users, and how they obtain consent for doing so.
It also explains how the GDPR and the ePrivacy Directive (as transposed in Ireland) overlap when it comes to the use of cookies and user consent.
In May 2020, the EDPB updated its guidelines on consent, setting out the conditions businesses must satisfy for cookie consent to be valid under the GDPR.
Read our blog post on the EDPB guidelines on GDPR cookie consent to learn more.
What is the Irish DPC’s ‘Cookie Sweep Survey?’
Between August and December 2019, the Irish DPC carried out a compliance review of websites of 38 data controllers in Ireland spread across different industries such as media and publishing, retail, hospitality, insurance, sport and leisure, as well as the public sector.
This investigation examined how these data controllers comply with both the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
Specifically, the sweep focused on three key aspects:
- Identifying the types of cookies the controllers’ websites placed on users’ devices.
- Determining whether the websites obtained GDPR-compliant cookie consent from users before collecting their personal data.
- Determining whether the controllers gave users adequate information before setting cookies on their devices.
To rate the controllers’ level of compliance, the Irish DPC used a three-colour coding system: red, amber and green. Green denoted full compliance and red denoted non-compliance.
Out of the 38 entities examined, the Irish DPC assigned the full ‘green’ rating to only two organisations.
What are the Key Findings of the Irish DPC’s ‘Cookie Sweep Survey’?
The key concerns that the Irish Data Protection Commission identified from its review of the 38 data controllers are:
- Unnecessarily long lifespans set on cookies placed on users’ devices
- Use of pre-checked cookie consent boxes on landing pages
- Use of inadequately designed cookie banners
- A lack of a clear, stand-alone cookie policy separate from the general website privacy notice
- A poor understanding of which cookies the GDPR and the ePrivacy Directive exempt from the requirement for prior consent
What are the Key Takeaways from the Irish DPC Cookie Guidance Note?
The DPC states clearly that businesses must obtain user consent that meets the GDPR’s definition. This means the consent must be:
- Freely given
- Specific
- Informed
- Unambiguous, given by a clear affirmative act
However, the guidance sets out two exemptions from the consent requirement:
- The communications exemption
- The strictly necessary exemption
Communications exemption – this exemption applies to cookies whose sole purpose is carrying out the transmission of a communication over a network. It does not extend to cookies that merely assist or speed up such a transmission without being essential to it.
Strictly necessary exemption – this exemption applies to cookies that are strictly necessary to provide a service the user has explicitly requested. The DPC advises businesses not to interpret this exemption broadly.
Duration of Cookies
The Irish DPC emphasises that the lifespan of any cookie should be proportionate to its purpose.
For example, a cookie that remembers what a shopper has in their basket should not have an indefinite lifespan.
Instead, it should expire once it has served its purpose.
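One way to check this in practice is to collect the Set-Cookie headers a site emits and compare each cookie’s lifetime against a ceiling set per purpose. The script below is an added example, not code from the DPC guidance or from the original post; the purpose limits, the cookie-name inventory and the sample headers are assumptions chosen for illustration.

```javascript
// Added example, not code from the DPC guidance or the original post.
// Audits the lifetime of cookies seen in Set-Cookie headers against a
// maximum lifetime per purpose. The policy limits, the name-to-purpose
// map and the sample headers are assumptions chosen for illustration.

const DAY = 86400; // seconds

// Hypothetical policy: longest acceptable lifetime per purpose, in seconds.
// null means the cookie must be a session cookie (no Max-Age or Expires).
const MAX_LIFETIME = {
  session: null,
  cart: 1 * DAY,         // strictly necessary, but still bounded by its purpose
  preference: 365 * DAY,
  analytics: 395 * DAY,  // 13 months
  marketing: 180 * DAY,  // 6 months
};

// Hypothetical inventory: which purpose each cookie name serves.
const PURPOSE_BY_NAME = {
  PHPSESSID: 'session',
  cart_id: 'cart',
  lang: 'preference',
  _ga: 'analytics',
  ad_uid: 'marketing',
};

// Constructed sample headers, as a crawler might collect from one page load.
const SAMPLE_HEADERS = [
  'PHPSESSID=3f9a; Path=/; Secure; HttpOnly',
  'cart_id=c0ffee; Max-Age=86400; Path=/; Secure; HttpOnly; SameSite=Lax',
  'lang=en-IE; Expires=Tue, 05 Oct 2021 00:00:00 GMT; Path=/; Secure',
  '_ga=GA1.2.123.456; Max-Age=63072000; Path=/',                 // 2 years
  'ad_uid=abcd; Max-Age=315360000; Path=/; Domain=.example.com', // 10 years
  'tracker=1; Max-Age=31536000; Path=/',                         // not in the inventory
];
// Fixed reference time so the Expires example is deterministic.
const AUDIT_TIME = new Date('2020-10-05T00:00:00Z');

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const p = part.trim();
    if (!p) continue;
    const i = p.indexOf('=');
    if (i === -1) attrs[p.toLowerCase()] = true;
    else attrs[p.slice(0, i).trim().toLowerCase()] = p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Lifetime in seconds measured from `now`, or null for a session cookie.
// Max-Age takes precedence over Expires, as in RFC 6265.
function cookieLifetimeSeconds(cookie, now) {
  if ('max-age' in cookie.attrs) {
    const n = Number(cookie.attrs['max-age']);
    return Number.isFinite(n) ? Math.max(n, 0) : null;
  }
  if ('expires' in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : Math.max((t - now.getTime()) / 1000, 0);
  }
  return null;
}

// One finding per header: ok, too-long, should-be-session or unknown-purpose.
function auditCookieLifetimes(headers, now) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const purpose = PURPOSE_BY_NAME[c.name];
    const lifetime = cookieLifetimeSeconds(c, now);
    let status = 'ok';
    if (purpose === undefined) status = 'unknown-purpose';
    else if (MAX_LIFETIME[purpose] === null) status = lifetime === null ? 'ok' : 'should-be-session';
    else if (lifetime !== null && lifetime > MAX_LIFETIME[purpose]) status = 'too-long';
    return {
      name: c.name,
      purpose: purpose === undefined ? null : purpose,
      lifetimeDays: lifetime === null ? null : lifetime / DAY,
      status,
    };
  });
}

console.log(auditCookieLifetimes(SAMPLE_HEADERS, AUDIT_TIME));
```

A cookie that is not in the inventory is reported as unknown-purpose rather than silently passed, because a cookie nobody can explain is exactly the kind the sweep flagged; the ceiling values are a policy choice, and the DPC guidance sets no numeric limit beyond proportionality to purpose.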
Third-Party Buttons and Widgets
If you allow third parties to add plugins, widgets, tracking pixels or “like” buttons to your site, you need to know what data is shared with those third parties.
The Irish DPC Guidance Note also refers to the Court of Justice of the EU (CJEU) ruling in the Fashion ID case, which held that a website operator embedding such a button can be a joint controller with the third party for the collection and transmission of visitors’ personal data that the embed triggers.
Other third parties, such as payment service providers, may instead act as processors on the controller’s behalf.
Where a third party processes data on your behalf, the GDPR requires you to have a data processing agreement with it.
You should therefore map your third-party integrations and work out, for each one, whether the third party is a joint controller or a processor and which obligations and liabilities follow from that relationship.
Analytics Cookies
The Irish DPC requires you to obtain prior, valid GDPR consent from users before placing analytics cookies on their devices.
The DPC has indicated that first-party analytics cookies used solely for your own site statistics are unlikely to be an enforcement priority, since they pose a low privacy risk, whereas third-party analytics cookies are not treated so leniently and remain open to enforcement action.
Periodic Updating of Consent
If you keep records of your visitors’ consent to cookies being placed on their devices, the Irish DPC Guidance Note says that consent should be re-obtained at an appropriate interval, and in any case no later than six months after it was first given.
Systemic Tracking or Profiling
The Irish DPC’s Guidance Note reminds you that a Data Protection Impact Assessment (DPIA) under the GDPR is required if you:
- Systematically monitor, track or observe users’ location or behaviour on a large scale
- Combine, link or cross-reference different datasets to profile or analyse users’ behaviour
When Should Data Controllers Comply with Ireland DPC’s Guidance Note on Cookies?
The DPC gave a six-month grace period, ending on 5 October 2020, for businesses to bring their practices into line with the Guidance Note, after which enforcement begins.
How Do I Obtain Valid GDPR Cookie Consent under the Irish DPC Guidance Note?
With Secure Privacy’s GDPR cookie banner, you can obtain valid cookie consent from users. Our solution helps you ensure that:
- You do not bundle consents. Instead, Secure Privacy’s GDPR cookie banner seeks consent for each purpose separately, giving users a choice over which types of cookies they consent to.
- You provide an opt-in for every type of non-essential cookie on your website, and none of the boxes is pre-checked.
- You explain in your cookie notice how to withdraw consent, and you have a mechanism that asks visitors to re-affirm their consent every six months.
- You record consents in a way that shows what each visitor agreed to and that they were able to withdraw.
- You link to a cookie notice that gives users additional information, such as which third parties will have access to their personal data if they consent to third-party analytics cookies.
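The points above, and the six-month re-consent rule in the periodic updating section, translate into a small amount of bookkeeping that any banner, bought or home-grown, has to get right. The code below is an added example of that bookkeeping; it is not Secure Privacy’s banner code, which this page does not show, and the purpose names, the cookie name and the storage format are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post or from Secure Privacy's
// banner. Per-purpose consent bookkeeping: nothing is pre-checked, each
// purpose is recorded separately with a timestamp, consent lapses after six
// months, and withdrawal is logged rather than erased. The purpose names,
// cookie name and storage format are assumptions chosen for illustration.

const CONSENT_VERSION = 1;                      // bump when the notice or purposes change
const SIX_MONTHS_SECONDS = 182 * 86400;         // DPC: re-obtain no later than six months
const PURPOSES = ['preferences', 'statistics', 'marketing']; // strictly necessary needs no consent

// Build a fresh record. Every purpose defaults to false, so a banner that is
// dismissed without a choice grants nothing; only an explicit `true` counts.
function newConsentRecord(choices, now = new Date()) {
  const givenAt = now.toISOString();
  const record = { version: CONSENT_VERSION, givenAt, purposes: {}, events: [] };
  for (const p of PURPOSES) {
    const granted = choices[p] === true;
    record.purposes[p] = granted;
    record.events.push({ at: givenAt, purpose: p, action: granted ? 'granted' : 'refused' });
  }
  return record;
}

// Withdraw one purpose. Returns a new record; the event log keeps the history.
function withdrawConsent(record, purpose, now = new Date()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  return {
    ...record,
    purposes: { ...record.purposes, [purpose]: false },
    events: [...record.events, { at: now.toISOString(), purpose, action: 'withdrawn' }],
  };
}

// Consent is usable only while current: matching version and at most six months old.
// A timestamp in the future (clock skew, tampering) is treated as not current.
function isConsentCurrent(record, now = new Date()) {
  if (!record || record.version !== CONSENT_VERSION) return false;
  const ageSeconds = (now.getTime() - Date.parse(record.givenAt)) / 1000;
  return Number.isFinite(ageSeconds) && ageSeconds >= 0 && ageSeconds <= SIX_MONTHS_SECONDS;
}

// Gate for loading a script that serves the given purpose.
function mayUse(record, purpose, now = new Date()) {
  return isConsentCurrent(record, now) && record.purposes[purpose] === true;
}

// Serialise the current choices into a Set-Cookie header whose Max-Age matches
// the remaining validity of the consent, so the browser drops it when re-consent
// is due. The event log stays server-side; the cookie carries only the choices.
function consentSetCookieHeader(record, now = new Date()) {
  const remaining = SIX_MONTHS_SECONDS - (now.getTime() - Date.parse(record.givenAt)) / 1000;
  const maxAge = Math.max(Math.floor(remaining), 0);
  const payload = { v: record.version, t: record.givenAt, p: record.purposes };
  const value = encodeURIComponent(JSON.stringify(payload));
  return `cookie_consent=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Read the choices back from a Cookie request header. Anything malformed,
// of the wrong version, or missing is treated as "no consent".
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || '');
  if (!m) return null;
  try {
    const o = JSON.parse(decodeURIComponent(m[1]));
    if (o.v !== CONSENT_VERSION || typeof o.t !== 'string' || !o.p || typeof o.p !== 'object') return null;
    const purposes = {};
    for (const p of PURPOSES) purposes[p] = o.p[p] === true;
    return { version: o.v, givenAt: o.t, purposes, events: [] };
  } catch (e) {
    return null;
  }
}
```

Two design points are worth noting. The record is rebuilt from the purpose list rather than copied from the parsed cookie, so a tampered or truncated cookie can never grant a purpose that was not explicitly `true`; and the cookie that stores the choice is itself generally treated as strictly necessary, so no consent is needed to set it.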
For a personalized demo of our solution, schedule a call with us today and speak with a data privacy expert.
Alternatively, you can activate your free trial of our complete GDPR compliance solution.