GDPR gets tough on Cookies

GDPR and how it affects cookie policies

Cookies are mentioned only once in the EU General Data Protection Regulation (GDPR), but the repercussions are significant for any organisation that uses them to track users’ browsing activity.

Recital 30 of the GDPR states:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In short: when cookies can identify an individual via their device, it is considered personal data.

What it means

Not all cookies are used in a way that could identify users, but the majority are, and those are subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.

To become compliant, organisations need to either stop collecting the offending cookies or find a lawful ground to collect and process that data. Most organisations rely on consent (either implied or opt-out), but the GDPR’s strengthened requirements mean it is much harder to obtain legally valid consent.

Court of Justice of the European Union (CJEU)

On 1 October 2019, the Court of Justice of the European Union (CJEU) ruled that pre-checked consent boxes in cookie banners are not legally valid. Users must now give active cookie consent before third-party or behavioural cookies are stored.

This requires companies to adjust their website’s cookie banner if it currently has a pre-checked ‘tick-box’ that users must un-tick to opt out.

Data Protection Commission

We checked with the Data Protection Commission what this recent ruling means within the Irish landscape. They gave a detailed advisory, which can be summarised as follows:

Cookies that are neither strictly necessary nor for a service requested by a user will continue to require consent. For now, this includes standalone, first-party or third-party analytics cookies that are neither strictly necessary nor requested by the user. Prior informed consent remains the only legal basis possible for interference with confidential communications data or terminal equipment.

Recommendation

Based on the information above, we recommend that a website has a cookie management tool installed on it.

The tool should set the types of cookies as follows:

  • Strictly Necessary – Always Active
  • Performance – Inactive
  • Functional – Inactive
  • Targeting Cookies – Inactive

The user is then given pertinent information on the types of cookies on the site and offered the option to “Accept cookies” or “Manage Cookie Settings”.

Accept cookies

When this action is taken, the tool turns on the remaining cookie types; at this juncture we take that to mean Performance, Functional and Targeting cookies.

Manage Cookie Settings

When this action is taken, the user is offered the ability to select which types of cookie they want active on the site (with the exception of Strictly Necessary, which are always on).
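The recommended behaviour above (every category off by default except Strictly Necessary, “Accept cookies” turning the rest on, “Manage Cookie Settings” applying the user’s explicit choices and never letting Strictly Necessary be switched off) as an added JavaScript example. It is not code from the original post or from any cookie management product. The category names follow the post; the cookie registry entries and their values are constructed for illustration, and the in-memory “jar” stands in for document.cookie so the logic runs offline under Node. The document.cookie adapter at the end is an assumed browser hook and is not exercised here.

```javascript
// Added example, not code from the original post or from any cookie tool.
// Category names follow the post's four types; the registry entries and values
// are constructed. The "jar" is an injected store so the logic runs outside a
// browser (a document.cookie adapter is sketched at the bottom, assumed only).

const CATEGORIES = ['strictly-necessary', 'performance', 'functional', 'targeting'];
const ALWAYS_ON = 'strictly-necessary';

// Default state before any user action: nothing pre-checked except strictly necessary.
function defaultConsent() {
  const consent = {};
  for (const c of CATEGORIES) consent[c] = (c === ALWAYS_ON);
  return consent;
}

// "Accept cookies": every category becomes active.
function acceptAll(consent) {
  const next = { ...consent };
  for (const c of CATEGORIES) next[c] = true;
  return next;
}

// "Manage Cookie Settings": apply the user's explicit per-category choices.
// Unknown categories are ignored and strictly necessary cannot be switched off.
function manageSettings(consent, choices) {
  const next = { ...consent };
  for (const [c, on] of Object.entries(choices)) {
    if (!CATEGORIES.includes(c)) continue;
    next[c] = (c === ALWAYS_ON) ? true : Boolean(on);
  }
  return next;
}

// Constructed sample registry: each cookie the site wants to set, tagged with its category.
const COOKIE_REGISTRY = [
  { name: 'session_id',    category: 'strictly-necessary', value: 'constructed-session' },
  { name: '_analytics_id', category: 'performance',        value: 'constructed-analytics' },
  { name: 'chat_widget',   category: 'functional',         value: 'constructed-chat' },
  { name: '_ad_id',        category: 'targeting',          value: 'constructed-ad' },
];

// Gate the registry through the consent state: cookies in consented categories are set,
// cookies in non-consented categories are removed (this also handles a later withdrawal).
// Returns the names that were set, in registry order.
function applyConsent(consent, jar, registry = COOKIE_REGISTRY) {
  const setNames = [];
  for (const entry of registry) {
    if (consent[entry.category] === true) {
      jar.set(entry.name, entry.value);
      setNames.push(entry.name);
    } else {
      jar.remove(entry.name);
    }
  }
  return setNames;
}

// In-memory jar so the example runs offline (e.g. under Node).
function memoryJar() {
  const store = new Map();
  return {
    set(name, value) { store.set(name, value); },
    remove(name) { store.delete(name); },
    names() { return [...store.keys()]; },
  };
}

// Browser adapter over document.cookie (assumed hook, not exercised in this example).
function browserJar() {
  return {
    set(name, value) {
      document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`;
    },
    remove(name) {
      document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
    },
    names() {
      return document.cookie.split('; ').filter(Boolean).map((p) => p.split('=')[0]);
    },
  };
}

// Walk-through: first visit, then "Accept cookies", then "Manage" turning targeting off.
function demo() {
  const jar = memoryJar();
  let consent = defaultConsent();
  const beforeChoice = applyConsent(consent, jar);   // only session_id is set
  consent = acceptAll(consent);
  const afterAccept = applyConsent(consent, jar);    // all four categories set
  consent = manageSettings(consent, { targeting: false, 'strictly-necessary': false });
  const afterManage = applyConsent(consent, jar);    // _ad_id removed, session_id kept
  return { beforeChoice, afterAccept, afterManage, remaining: jar.names() };
}
```

The point of routing every cookie through `applyConsent` rather than setting them ad hoc is that the consent record is the single source of truth: the landing-page state sets nothing beyond Strictly Necessary, and a later change of mind in the settings panel removes cookies the user has withdrawn consent for instead of merely stopping new ones.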