24 September
In April this year, the Data Protection Commission (DPC) issued a new Guidance note on cookies and other tracking technologies. It is to do with new legislation called the EU ePrivacy Directive, which complements the General Data Protection Regulation (GDPR). Nail biting stuff!
The ePrivacy Directive protects the privacy of the communications of individuals. The terminal equipment or device – such as computers and other devices, including mobile phones – of users of electronic communications networks (the internet to you and me) and any information stored on such equipment are part of the private sphere of users, requiring protection under international human rights instruments.
The purpose of the law on cookies is to protect individuals from having information placed on their devices, or accessed on their devices, without their consent, that may interfere with the confidentiality of their communications.
The ePrivacy Regulations require that you obtain consent in order to gain any access to information stored in the device of a subscriber or user, or to store any information on the person’s device. This means you must get consent to store or set cookies, regardless of whether the cookies or other tracking technologies you are using contain personal data.
The ‘consent’ of the data subject means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
As a website owner, you are potentially using cookies for analytics purposes or for marketing, targeting or profiling purposes and you may choose to assign them to certain categories when you provide information for users on your website. Cookies that fall under these categories require consent. This includes cookies for Analytics such as Google Analytics.
Cookies that do not meet one of the two specific use cases in the ePrivacy Regulations that make them exempt from the need to obtain consent must not be set or deployed on a user’s device before you obtain their consent.
The two exemptions are known as a) the communications exemption and b) the strictly necessary exemption. These can be identified as cookies that are required for the smooth functioning of your website or app. A good example of a necessary cookie would be shopping cart cookies to remember items in your basket.
More than likely…
If you use a cookie banner or pop-up, you must not use an interface that ‘nudges’ a user into accepting cookies over rejecting them. Therefore, if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or to one which allows them to manage cookies and brings them to another layer of information in order to allow them to do that, by cookie type and purpose.
The user’s consent must be specific to each purpose for which you are processing their data, it must be freely given and unambiguous and it requires a clear, affirmative action on the part of the user. Silence or inaction by the user cannot constitute their consent to any processing of their data.
The DPC will allow a period of six months from the publication of this guidance (6 April 2020) for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.