Norton Rose Fulbright - Data Protection Report blog

Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”).  It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”).  The cookie sweep requested information from the data controllers and examined the deployment of cookies on their websites to understand how and whether they were complying with the cookie rules. It is clear the Report significantly influenced the Guidance and, as such, the Report provides an indication of the areas where the DPC seems likely to focus its enforcement efforts which is discussed below.

The DPC will allow a period of six months from the date of publication of the Guidance for data controllers to bring their websites and mobile apps into compliance, after which enforcement action will commence.

There are similarities between the Guidance and other guidance produced by EU data protection authorities and, in particular, the guidance produced last summer by the UK Information Commissioner’s Office (“ICO”). However, there are certain areas where the DPC is taking quite a unique stance which this blog will explore.

Here are the main take-aways:

  • Analytics cookies require consent.  This is the same approach taken by the ICO whereas regulators in France and Germany accept that certain analytics cookies may be exempt if certain requirements are met (i.e. some cookies are also allowed under a legitimate interest ground in Germany). And, in a similar tact as the ICO, the Guidance says “it is unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC”.
  • Implied consent is unacceptable. This means that language such as “By continuing to use this site, you agree to the use of cookies” is not permissible.  This is broadly the same approach taken by other European regulators, with the exception of the Spanish authority.  The Spanish authority suggests that implied consent (i.e. browse-wrap consent) can be valid consent on the basis that taking some positive action on a website, after having viewed a cookie banner, indicates consent, even if a user has not clicked ‘agree’.  The Report explicitly mentions the divergence in this area taken by Spain and makes clear that the DPC does not share this view.
  • Pre-checked boxes and sliders set to ‘on’ as default are non-compliant.  This is generally consistent with other European guidance and the Court of Justice of the European Union Planet 49 decision.
  • A cookie consent banner must not obscure the text of the privacy or cookie notice.  Users must always be able to read the cookies and privacy notices without any cookies being set (unless they are covered by an exemption).
  • Where a cookie is used to record consent to the use of cookies, users should be asked to reaffirm their consent no longer than six months after it was first requested.  The ICO has not indicated any such timeframe, but the DPC’s view is consistent with the French authority’s new draft guidance which also recommends refreshing cookie consent every 6 months.
  • Uniquely, the Guidance explains that a website operator must take accessibility into account in designing interfaces to accommodate people with vision impairments or colour blindness.  It says that while binary, colour-coded slides or buttons may purport to signify a YES and NO option they are not always accessible or self-explanatory to users who do not see colours the same way as other people.  The Guidance suggests testing the interface with users who have vision or reading impairments to make it as accessible as possible to all users.
  • Organisations have six months from the date of publication to bring their websites and mobile apps into compliance after which “enforcement action will commence”.  The French authority has given organisations a similar grace-period.  Most other regulators have expected organisations to comply immediately. German authorities have not given organisations a certain grace period, but enforcement is still limited even though the guidance is now over one year old.
  • Users should not be “nudged” into accepting cookies and should be given the opportunity to consent on a granular basis.  The Guidance says that if you use a button with an “accept” option then you must give equal prominence to a “reject” option or to one which allows them to manage cookies and brings them to a second layer in order to do that by cookie type and purpose.

This latter point is very interesting. It suggests that cookie mechanisms of Irish websites and apps do not necessarily need to have a “reject all” option on the first level of the consent mechanism, provided that users can give granular consent to each category of cookies on a second level and that the cookies are not set to “on” by default. This point is not directly addressed in the guidance from the ICO nor from the French or German authorities (who refer to the general GDPR requirements of transparency and freely given consent).

This aspect will likely be welcomed by big tech companies with their EU headquarters in Dublin as one would expect that an extra ‘click’ to a second layer would make users more inclined to “accept all” because it is the easier option.

  • Consent management providers (“CMPs”) must do what they purport to do.  The Report identified some serious short-comings in consent mechanisms provided by CMPs. It explained that some tools allowed the use of pre-checked boxes, set cookies even if the user un-checked the boxes and were badly designed and even deceptive in their approach.  The Report said that “such tools cannot work on a one-size-fits-all basis: they must be tailored specifically to the needs to each controller and they must do what they purport to do”.  It concluded that these issues “will be a priority for enforcement”.
  • Organisations must remember to conduct Data Protection Impact Assessments, particularly where data collected from cookies is combined with personal data from other sources.  The Report suggests that this may be an area where the DPC will focus its investigation efforts.  In the “main concerns” section of the Report, the DPC highlighted that it had found that a large retailer was combining data collected through cookies with other data is collected, such as in-store purchases and registered loyalty card data.  Later in the Report it said that “the use of inquiries (with or without investigation), inspections or audits to examine all aspects of a data controller’s processing activities…may be a particularly effective opinion should further action be considered necessary, for example, in relation to health-related websites or other sites where controllers link data from cookies to an explicit profile or identifier”.