Why are people talking about reviewing their cookies/tracking technologies and needing to update their websites and apps?
The Data Protection Commissioner recently issued guidance on cookies and other tracking technologies for businesses in Ireland.
Businesses need to review how they are obtaining consent to ensure that they follow best practice and are in compliance with the guidance and the law. The ePrivacy Regulations apply. GDPR sets the consent threshold and it will also apply if personal data is involved.
The regulator has set a deadline of 5 October 2020 to get compliant for your website or app or internet of things device. Thereafter the regulator may take enforcement action if you are in breach.
So you need to look at the cookies, pixels, chatbots and tracking technologies that you use and how you obtain users' consent.
What is a cookie?
Cookies are small text files stored on a device; they may contain personal or non-personal data.
What do we need to do to comply?
The default position is that you need the user to consent to you using cookies and other tracking technologies.
You need consent for the storage of information on a device and to get access to information stored on a device.
I have a pop-up banner that says that by continuing to use the website you are consenting to the use of the website. Is this compliant?
Unfortunately not. You need to get a positive indication of agreement.
Silence or inactivity is not consent.
Can I say that users should change their browser settings if they do not want my cookies, or rely on the fact that their browser settings permit cookies by default?
Generally this is not compliant, as it is not consent. Only in very limited circumstances would this be consent.
Any exceptions to obtaining consent?
Yes, for strictly necessary cookies, but these are very limited.
You do not need consent to use a:
- Cookie whose sole purpose is transmission of communication over an electronic communication network (but using a cookie to assist, speed up or regulate transmission is NOT exempt); or
- Cookie strictly necessary to provide an information society service explicitly requested (i.e. a service delivered over the internet explicitly requested by the user). Examples may include placing products in an online shopping basket or recording a language or country preference.
Anything helpful is not strictly necessary and requires consent.
Requirements – what do we need to have in place to be compliant?
- A facility to obtain and withdraw consent
- Evidence of the user's consent.
- A facility to prompt for consent again after 6 months if capturing consent using a consent management provider's system.
Anything else you should be aware of?
- You cannot use an interface that “nudges” a user to “accept” over “reject”.
- Options need equal prominence. For example, have “ACCEPT” or “REJECT”, or “ACCEPT” or “Further information”, and then give access to information on the cookies and the means to consent to or reject cookies and tracking technologies.
- Do not have pre-checked boxes, sliders or tools set “ON” by default.
- You cannot bundle consent with other consents or with the terms and conditions for contracts.
Michelle McLoughlin Solicitor