The Return of the Cookie Monster?
In 2019, the Data Protection Commission (DPC) conducted a “cookie sweep” of a wide array of websites operating in Ireland.
Following that sweep, the DPC produced a report on its findings and published a comprehensive guidance note aimed at assisting website operators to ensure their use of cookies and other tracking technologies is compliant with data protection and ePrivacy law. We previously published on this here.
While we saw a sharp rise in cookie-related queries over the course of 2020 and 2021 following the DPC’s indication that it would begin enforcing its guidance, interest in cookies appeared to have declined in 2022. However, following the adoption by the EDPB of the report prepared by the Cookie Banner Task Force in January 2023 in response to complaints from NOYB, and recent examinations by data protection supervisory authorities across Europe in relation to cookie policies and the use of cookies, it is advisable that organisations take this opportunity to reassess their cookie compliance.
Latest tips for cookie compliance
- Do not use pre-ticked boxes where consent to cookies is required – Pre-ticked boxes will not constitute valid consent under the GDPR or the ePrivacy Directive.
- Choose the cookie banner design carefully – Controllers must not use colour or contrast to influence user choice. While the assessment of the colour/contrast of a cookie banner will be on a case-by-case basis, any deceptive practices which encourage the user to select “Accept all cookies” over any other option are not acceptable. This includes making the “Reject” option much less prominent than the “Accept”. Additionally, the cookie banner must not obscure the privacy policy or cookie policy, which must always be readable, even without accepting cookies.
- Ensure “Essential” cookies are correctly categorised – As user consent is not required for the use of “Essential” or “Strictly Necessary” cookies, a controller must verify that the cookies it has designated as falling within that category are accurately categorised. The Cookie Banner Task Force report referred to certain tools which allow lists of cookies operating on a website to be compiled. These tools are being used by competent authorities when reviewing the use of cookies on websites.
- Inferred consent is not sufficient – It is generally not permissible to rely on a user’s browser settings for “deemed consent”.
- Users must be able to withdraw their consent to cookies – Controllers are reminded that accessible methods must be provided which allow users to withdraw their consent at any time and in a manner as easy as it was to give the consent. The Cookie Banner Task Force suggests that “a small hovering and permanently visible icon be used” or a “link be placed on a visible and standardized place”.
- Consider the appropriate lifespan of each cookie – Controllers should assess what the proportionate lifespan of each cookie is.
- Analytics cookies and consent – Consent is required for the use of analytics cookies, whether they are first-party or third-party cookies. However, the DPC stated in its 2020 guidance note that “[i]t is unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC.”