Irish Data Protection Commission publishes updated cookie guidance and cookie sweep

The Guidance was published together with an accompanying report based on a cookie audit of 38 companies, many household names in Ireland, conducted by the DPC between August and December 2019 (the ‘Report’).

The results of the audit are not positive with the investigation finding the cookie compliance of 35 of the 38 companies to be significantly lacking on the transparency and consent front with the Commissioner concluding that such poor levels of compliance mean ordinary individuals are unaware of the extent and scale to which their activities are tracked online.

According to the Commissioner, the audit, while small in scale, is also indicative of Ireland’s more systematic non-compliance with the cookie rules which will be tackled by the Commissioner through the publication of the new Guidance followed by ‘possible’ enforcement where controllers fail to remediate.

The DPC is allowing controllers six months to bring their properties into compliance.

In what will be old news for most readers, the Guidance reminds controllers that consent for cookies under Article 5(3) of the e-Privacy Directive must meet the standard of consent under GDPR. Many of the requirements in the Guidance stem from this shift in consent standard - broadly aligning with guidelines from other Data Protection Authorities (‘DPAs) across Europe.

Headline points to note include:

Implied consent is dead: In the audit, about two thirds of the companies were relying on an implied consent model i.e. employing cookie banners that state ‘by continuing to browse this site you consent to the use of cookies’… (or similar)

In the Guidance, the DPC confirms that continuing to scroll through a website or clicking on a webpage in the ordinary course no longer constitutes unambiguous consent. In doing so, this aligns with the positions in updated cookie guidance in France, Germany and the UK but not, as the DPC acknowledges, with the guidance from the Spanish DPA which suggests there may still be a role for some form of implied consent in Spain.

No nudging: Controllers should not nudge users into taking less privacy friendly options. The ‘Accept Cookies’ button in the cookie banner should not, therefore, be emphasised over the option to ‘Manage Cookies’ or ‘Reject All’ buttons.

On this point, the DPC in allowing an option of a ‘Reject All’ or ‘Manage Cookies’ button is more permissive than ICO’s Updated Cookie Guidance which requires that there must always be a ‘Reject All’ button in the first layer of the banner. This leniency will be welcomed by controllers who heavily rely on targeted online advertising to fund their content, as a mandated ‘Reject All’ button in the first layer of a banner generally has a detrimental impact on cookie consent rates.

Accessibility: Controllers must take accessibility into account when designing interfaces. For example controllers should not use colour schemes that blend with the overall background of the site which can be difficult for users, particularly those with vision impairment, to navigate. The Commissioner recommends testing UXs with users who have vision or reading impairments to ensure that they are as accessible as possible.

Consent standard: Pre-ticked boxes which users must deselect to refuse consent, are, no surprises, non-compliant.

10 of the 38 controllers audited by the DPC were using pre-ticked boxes to obtain consent. There were also examples from the audit of pre-checked boxes, where the company failed to honor opt-outs when the user unchecked the box. These issues will ‘be a priority for enforcement’.

In addition, in the audit the majority of companies were bundling consent - i.e. taking an all or nothing approach to cookies - which is not permitted. Instead, controllers must get consent for each purpose for which cookies are used. This does not mean that consent needs to be obtained individually for each cookie, but instead for the purposes for which the cookie is set.

Strictly necessary exemption: While there is an exemption to consent for strictly necessary cookies to provide an online service requested by the user, the exemption is narrow (covering for example user input, load balancing and authentication session cookies). The audit suggests that misuse of the exemption ‘was extremely common’ with companies misunderstanding the scope of what the exemption covers or taking interpretations of the exemption ‘rather more expansive’ than the law provides for.

Analytic Cookies: One of the areas that highlights the current, unhelpful, divergence between European DPAs is the varying treatment of analytic cookies (i.e. cookies used to analyse how users navigate a website or app and how they engage with its content).
According to the DPC analytic cookies do require consent.

However, the Guidance goes on to quote the longstanding view of the Article 29 Working Party that ‘first party analytics cookies are unlikely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes…when used by websites that already provide clear information about such cookies in their privacy policies [and have] adequate privacy safeguards… [including] a user-friendly mechanism to opt-out.’

The Commissioner concurs that first party analytics cookies are potentially low risk and, therefore, are ‘unlikely [to be] a priority for enforcement action by the DPC’.

Here parallels can be drawn with ICO’s Updated Cookie Guidance which similarly suggests that analytic cookies may not be a regulatory priority - however, the DPC’s guidance is more definitive on the point.

Transparency obligations: Users must be provided with clear and comprehensive information about the use of cookies:

• Where cookie usage involves the processing of personal data, controllers will need to meet the transparency requirements under Articles 12-14 GDPR (as applicable). While there may be some overlap between the cookie policy and privacy policy it remains good practice to maintain both in order to facilitate the different layers of information that may be required under the ePrivacy Directive and GDPR.
  
  
• Banners that link to more information must link to easily ‘readable text that is undisrupted by chatbots or other features on the page’.
  
  
• Controllers need to list all third parties whose cookies or assets including ‘like’ buttons, plugins, pixels, beacons or audience measurement tools are deployed on their website.Companies fell short on this in the audit, with the majority failing to list trackers other than http cookies.
  
  
• Cookie uses must be clearly explained. The audit found that there was insufficient granularity in the explanation of the purposes of certain advertising cookies and the ways in which the user can modify their cookie choice.
  
  
• Where a controller has multiple websites there must be different privacy notices tailored to the specific activities of each site.

Retention: The lifespan of a cookie must be proportionate to its function - a session cookie with an indefinite retention period would, for example, be disproportionate.

The DPC, conservatively, considers six months to be the appropriate time limit for consent to be retained after which time the user must be prompted to give their consent again.

This is another area where pan-European divergence comes to the fore: with some DPAs like the UK and Germany not prescribing a specific retention period in their updated cookie guidance, with other jurisdictions such as France and Spain suggesting that consent should be renewed every 24/25 months respectively.

Consent Management Platforms (‘CMP’): In line with GDPR, it must be as easy for a user to withdraw their consent as it is to give it.
The DPC’s audit disclosed a lack of tools for users to effectively withdraw their consent, this included, in some cases, websites where a third party CMP was already in place.

A common misconception, echoed in the audit, is that if you use a third party CMP you must be automatically compliant - however out-of-the-box compliance should not be assumed - according to the Commissioner using ‘third-party tool[s] to manage cookie consents does not… guarantee the controller is compliant. As with privacy policies and cookie policies, such tools cannot work on a one-size-fits all basis: they must be tailored specifically to the needs of each controller and they must do what they purport to.’

Cookie Walls: Cookie walls, i.e. making access to a website conditional on consenting to cookies, is a controversial topic, on which there is divergent views amogst DPAs. The Guidance itself does not cover cookie walls but the Report suggests that the Commissioner does not consider cookie walls permissible ‘we are of the view that users should not suffer any detriment where they reject cookies or other tracking technologies other than to the degree that certain functionality on the websites may be impacted by the rejection.’

Subsequent processing of cookie data: The Guidance does not comment, in any significant detail, on the lawful basis for the subsequent processing of cookie data.

By way of comparison, ICO notes in its updated cookie guidance, that in most circumstances, legitimate interest will not be the appropriate lawful basis for the processing of cookie derived personal data which is used for direct marketing of profiling purposes. However, guidance from DPAs in France, Germany and Spain is either silent or more nuanced on the point.

It remains to be seen what position the DPC will adopt on this issue and whether it will follow ICO’s more conservative views on the lawful basis for Real Time Bidding. That clarity will likely come through investigations rather than guidance, given the number of high profile adtech related inquiries currently before the Commissioner.

Reviewing joint controller relationships: In line with the Court of Justice of the European Union’s judgment in Fashion ID, where controllers deploy ‘like’ buttons, plugins, widget, pixels or social media sharing tools, they must review the possible joint controller issues arising from the use of these third party assets and plugins.

A number of companies in the audit did not take Fashion ID into account in their responses or practices and some according to the Commissioner ‘appeared to be of the belief that they had no responsibility for any third-party cookies or tracking on their website’.

Special category data: The Commissioner is concerned that special category data, such as health data, is being unlawfully shared with advertising companies for the purposes of online targeting.

The Guidance reminds controllers the only likely legal basis for processing special category data derived from cookies is the explicit consent of the user. This is a high bar and ‘unlikely to be met by means of generic information in a cookie banner or privacy policy’.

While precise geolocation data is not special category data under Article 9 GDPR, it is recognised as a form of sensitive data given the intimate insights into a user’s life it can disclose, therefore, any cookies or tracking technologies that involve the processing of data on the precise location of a user require consent.

Worst in class: According to the Commissioner, in the audit, the worst sector in terms of compliance was the restaurant and food-ordering industry both ‘in terms of poor practices, and…poor understanding of the ePrivacy Regulations and their purposes’.

In its audit, the DPC suggests - at least in the case before it - that the relationship between food ordering platforms and restaurants is, in relation to the ordering system, likely one of joint control, i.e. even where restaurants sign over management of their website to the platform they remain joint controller of the websites with the food ordering platform. The DPC intends further engagement on the issue.

Accountability: Cookie usage often involves the systematic monitoring and tracking of user’s location or behaviour for profiling purposes including merging datasets for these purposes. The Guidance reminds controllers that in many cases a Data Protection Impact Assessment will be required. Where cookie usage involves the processing of personal data, this processing will also need to be recorded in the controller’s Record of Processing Activity.