Generally speaking, no. Only cookies which satisfy either the “strictly necessary” exemption or the communications exemption (set out in further detail below) may be placed without consent.
In Ireland, the ePrivacy Regulations (S.I. 336/2011) transpose the European ePrivacy Directive. The standard of consent required under the ePrivacy Regulations is that set out in the GDPR.
Yes.
Cookie compliance is a “hot” regulatory topic for the Irish Data Protection Commission (the “DPC”) in recent years, with the DPC carrying out an audit on the use of cookies and producing separate guidance in 2020 so cookie rules should be followed carefully.
More recently, there has been an increased level of direct enforcement activity in this area with the DPC undertaking more formal action through statutory inquiries into cookie compliance, on foot of privacy activist complaints made against organisations with an Irish presence.
For the purposes of this outline of the cookie rules in Ireland below, we refer in particular to:
Yes. There are two exemptions known as a) the communications exemption and b) the strictly necessary exemption. The DPC takes a very strict position on these two exemptions to the general rule requiring consent set out in S.I.336/2011.
The communications exemption applies to cookies the sole purpose of which is for carrying out the transmission of a communication over a network, e.g., to identify the communication endpoints.
For the strictly necessary exemption a cookie must simultaneously pass two tests. It applies only to ‘information society services’ (ISS) – i.e., a service delivered over the internet, such as a website or an app. In addition to this, that service must have been explicitly requested by the user and the use of the cookie must be restricted to what is strictly necessary to provide that service. For more information on exemptions see the DPC’s Guidance here. The strictly necessary exemption is very narrowly applied by the DPC and in the case of any complaint about a cookie, the DPC will interrogate whether the cookie is in fact strictly necessary to the delivery of the ISS. The DPC Cookie Report, available here, and the DPC’s Guidance provide various examples of which cookies do and do not meet this threshold.
The DPC’s Guidance states that generally speaking, cookies which are strictly necessary/exempt should expire at the end of each session.
Other than where the communications exemption (detailed above) applies, only strictly necessary cookies can be placed without consent, subject to those cookies which fulfil the requirements of the exemption, as set out above. All other non-exempt cookies require GDPR-grade consent, as set out below.
No.
Consent must be clearly and actively given (i.e., the user must opt-in). Silence, inaction or a user just continuing to use the app will not constitute valid consent (i.e., the standard of consent is that of the GDPR). Consent must not be set or deployed on a user’s device before that user’s consent is obtained.
Under applicable Irish rules, the user’s consent must also be specific to each purpose for which the cookie is deployed. This is because under the Irish rules, it is the purpose which is more important than the description given to the cookies and as such, each purpose should be identified in the applicable cookie policy so that this separate consent may be lawfully collected for each such purpose.
At the point of consent being collected, the organisation placing the cookie must also include a link or a means of accessing further information about its use of cookies (and the third parties to whom any data will be transferred) when the user is prompted to accept the use of cookies.
Separately, the DPC’s Guidance states in respect of the collection of consent from the user that the user should be asked to reaffirm their consent no longer than six months after the consent has been collected, otherwise the organisation placing the cookie must be able to objectively and, on a case-by-case basis, justify storage of the user’s consent for any period longer than this.
The user must also be able to withdraw consent as easily as they give it. Information should be provided clearly about how users can signify and later withdraw their consent, including by providing information on the action required for them to signal such a preference.
No.
You should provide more detailed information about cookies in a privacy or cookie policy accessed through a link within the consent mechanism (see next question) and at the top or bottom of your website.
While there is no requirement under Irish law relating to cookies that there be a set and separate cookie notice and neither does the DPC impose a strict requirement in its guidance, the DPC does nonetheless indicate that notwithstanding the possibility of a duplication of information between a more general privacy policy and a cookie policy, it is good practice to maintain both.
The Irish law on cookies requires that the user be provided with “clear and comprehensive information” about the use of cookies in accordance with data protection law. While “clear and comprehensive” is not defined, the standard required must be that set out in the data protection legislation, i.e., the GDPR and the Irish Data Protection Act 2018.
According to the DPC’s Guidance, the privacy policy and/ or cookie policy must also be visible and available to the user without them having to consent to cookies or dismiss a cookie banner; moreover, where a link to a cookie policy is presented in pop-up/ banner, the text of the policy must not be obscured by the banner/ pop-up and must be easily readable/ not disrupted by chatbots or other features on the page.
The DPC’s Guidance also requires that all information to which users are entitled to under Articles 12- 14 of the GDPR in relation to transparency, including information about any other parties which are processing their personal data should be provided (to the extent that that processing, at the point after which cookies have been set, involves personal data).
Insofar as third-party cookies are placed, the DPC’s Guidance is that information must be provided in relation to third parties who will process information collected when those cookies are deployed. Wording should therefore be inserted to indicate this will happen and who the third-party who will receive the information is in the case of each third-party cookie.
N.B. if children are likely to access your site, you also need to ensure you comply with the DPC’s Fundamentals for a Child-Oriented Approach to Data Processing when positioning and writing your notices, available here. Note that the DPC requires that any user interface seeking consent for the use of cookies should comply with all requirements of the GDPR, including where the product or service is targeted at children, be easy to understand and it must also provide clear and comprehensible information written in a child-friendly way to explain what cookies do and how the information obtained through the use of cookies will be used, and by what other organisations. In any event, the use of cookies by organisations should comply with the principles concerning the profiling of children for advertising/ marketing purposes which are set out in the Fundamentals.
No. Note that the DPC does not indicate a preference between a cookie pop-up or a cookie banner. On the issue of the repetitive display of a cookie banner/ pop-up the DPC does not impose any particular requirements but in relation to the possibility of “consent fatigue” among users faced with having to choose their settings on each visit to a website, it has acknowledged in its Report that there is a balance to be struck between the provision of adequate information for users and a design that is minimally obtrusive to the user experience. As there is no explicit requirement imposed in the DPC’s Guidance that a “reject all” button be applied to a cookie banner/ pop-up alongside an accept button and, it is on the basis of that guidance, it previously seemed to be permissible to either allow the user to reject non-necessary cookies or to manage cookies by bringing them to another layer of information in order to do this by cookie type and purpose.
However, given the increase in privacy activist cookie complaint campaigns (where those complaints view the absence of a “reject all” option in the first layer of the banner as non-compliance), pending a definitive regulatory position on this being taken by the DPC or the EDPB, there is uncertainty as to whether a “reject all” button is required in the first layer. As such, there is a risk that the absence of any “reject all” option in a cookie banner’s first layer could attract complaints and therefore targeted regulatory enforcement action on foot of such a complaint.
However, in any event, it is important to note that the DPC’s position is that you must not use an interface that ‘nudges’ a user into accepting cookies over rejecting them. Silence or inaction by the user cannot constitute their consent to any processing of their data. You must include a link or a means of accessing further information about your use of cookies and the third parties to whom data will be transferred when the user is prompted to accept the use of cookies. Cookie banners must not obscure the text or your privacy policy or cookie policy. However, if you choose to manage user consent, your user interface must meet the requirement that information be clear and comprehensive. Moreover, consent must not be “bundled” for multiple purposes. The DPC recommends that as a matter of good practice, you should outline in a first layer of communication on your site or mobile app that you are requesting consent for the use of cookies for specific purposes. A second layer of information may then be used to provide more detailed information about the types of cookies or other technologies in use, with options for the user to opt in or to accept these cookies. It is not permitted to use pre-checked boxes, sliders or other tools set to ‘ON’ by default to signal a user’s consent to the setting or use of cookies. In the Guidance, the DPC suggests as a practical solution the use of an easy tool such as a “radio button” which could be implemented and which allows users to control which cookies are set and to allow them to vary their consent at any time. In any event, a mechanism for easy withdrawal of consent to cookies (after initial provision of consent) should be built into the website. If consent can be given with just one click on a cookie mechanism (i.e., banner/ pop up) then essentially the mechanism to withdraw consent should also be just a click away e.g., accessible on each webpage (because withdrawal of consent should be as easy as giving it).
Generally, no, given the DPC’s approach as set out in its Report on cookies.
Whilst the DPC’s Guidance does not specifically cover cookie walls, the accompanying Report suggests that it does not consider cookie walls permissible, noting “we are of the view that users should not suffer any detriment where they reject cookies or other tracking technologies other than to the degree that certain functionality on the websites may be impacted by the rejection”.
The DPC’s Guidance emphasises that users must be provided with a genuine free choice in relation to their use of cookies. To exercise that choice freely, users must be able to consent to the use of cookies which, as noted above, must be GDPR-grade, i.e., amongst other things prior, affirmative and freely given. According to the DPC, neither should consent be bundled up as a condition of the service unless it is necessary for that service.
Practically speaking, a cookie wall will generally be incompatible with this level of consent as arguably it will cause the user to suffer “detriment” (as referred to the DPC) should they reject cookies, as they will be prevented from using the website as they otherwise might have. In those circumstances, and while the DPC does not explicitly prohibit the use of cookie walls, it seems unlikely that the use of cookie walls could ever be compatible with the DPC’s current application of the Irish cookie rules.
Yes. There has been a general increase in the number of cookie-related complaints to the DPC in recent years, particularly given the “sweep” conducted by the DPC during late 2019, on foot of which the Report was published in April 2020. Following publication of the Report and Guidance, the DPC stated that it would allow a period of six months from the publication (April 2020) for organisations to bring their products, including websites and mobile apps, into compliance, after which enforcement would commence.
The Report states that issues such as non-exempt cookies set by default to “on” (with the choice of the user to reject these cookies by means of unchecking the box not respected) will be a priority for enforcement. The DPC also indicated that failure to voluntarily make changes to user interfaces and/ or their processing will result in enforcement action to bring such organisations into compliance. By contrast, it notes that first-party analytics cookies are considered potentially low risk and as such are unlikely to be a priority for formal action by the DPC.
As noted above, there has been an increased level of direct enforcement activity in this area with the DPC recently undertaking more formal action through statutory inquiries into cookie compliance, on foot of privacy activist complaints made against organisations with an Irish presence.
None that we are aware of at national level; however, please note that public consultation on the European Data Protection Board’s draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive closed on 18 January 2024 and so we expect these Guidelines to be finalised in the coming months. It is possible that in any update that the DPC may make to its guidelines that it will have regard to these finalised Guidelines, as well as in any enforcement actions/ approach going forward.
See above.
