New Guidance on Cookies and Tracking Technologies

Latest / 24 September

EU ePrivacy Directive

In April this year, The Data Protection Commission (DPC) issued a new Guidance note on cookies and other tracking technologies. It is to do with new legistlation called the EU ePrivacy Directive, that complements the General Data Protection Regulations (GDPR). Nail biting stuff!

Regulation 5 of the ePrivacy Regulations is the relevant legislation regulating the use of cookies. The deadline for updating your cookie notices is fast approaching, the DPC have given until October 6th 2020 to allow us to update our policies and notices to be in line with the new regulations.

What is the law on cookies and what is its purpose?

The ePrivacy Directive protects the privacy of the communications of individuals. The terminal equipment or device – such as computers and other devices, including mobile phones – of users of electronic communications networks (the internet to you and me) and any information stored on such equipment are part of the private sphere of users, requiring protection under international human rights instruments.

The purpose of the law on cookies is to protect individuals from having information placed on their devices, or accessed on their devices, without their consent, that may interfere with the confidentiality of their communications.

Consent

The ePrivacy Regulations require that you obtain consent in order to gain any access to information stored in the device of a subscriber or user, or to store any information on the person’s device. This means you must get consent to store or set cookies, regardless of whether the cookies or other tracking technologies you are using contain personal data.

The ‘consent’ of the data subject means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Exemptions

As a website owner, you are potentially using cookies for analytics purposes or for marketing, targeting or profiling purposes and you may choose to assign them to certain categories when you provide information for users on your website. Cookies that fall under these categories require consent. This includes cookies for Analytics such as Google Analytics.

Cookies that do not meet one of the two specific use cases in the ePrivacy Regulations that make them exempt from the need to obtain consent must not be set or deployed on a user’s device before you obtain their consent.

The two exemptions are known as a) the communications exemption and b) the strictly necessary exemption. These can be identified as cookies that are required for the smooth functioning of your website or app. An good example of a necessary cookie would be shopping cart cookies to remember items in your basket.

Withdrawal of consent

The user must be able to withdraw consent as easily as they gave. You should provide information in your cookies information about how users can signify and later withdraw their consent to the use of cookies, including by providing information on the action required for them to signal such a preference.

Do I need to update my Current Cookie Notice?

More than likely…

Most websites choose to implement a cookie banner or pop-up, which displays when a user lands on the website and which provides the first layer of information about the use of cookies and other tracking technologies. This banner or notice will also often contain a link to a cookies policy and a privacy policy which provide further, more detailed information.

If you use a cookie banner or pop-up, you must not use an interface that ‘nudges’ a user into accepting cookies over rejecting them. Therefore, if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or to one which allows them to manage cookies and brings them to another layer of information in order to allow them do that, by cookie type and purpose.

The user’s consent must be specific to each purpose for which you are processing their data, it must be freely given and unambiguous and it requires a clear, affirmative action on the part of the user. Silence or inaction by the user cannot constitute their consent to any processing of their data.

You must include a link or a means of accessing further information about your use of cookies and the third parties to whom data will be transferred when the user is prompted to accept the use of cookies.

Compliance

The DPC will allow a period of six months from the publication of this guidance (6 April 2020) for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.

Get in touch with us if you want your Cookie Notice updated

Read more on the Guidance here (PDF)