Are your Cookies & website tracking technologies compliant?
Businesses have until 5 October 2020 to remedy voluntarily any identified non-compliance. Failure to do so by that date may result in further enforcement action by the Data Protection Commission (DPC).
View a recent webinar with representatives from the DPC exploring their recent report and guidance note. They also set out very clearly what they expect to be in place by the 5 October 2020 deadline in respect of cookies, apps and similar technologies, and their enforcement strategy. Following on from their presentation, Colm MacCarvill of Squarespace shared some practical insights and advice on what controllers need to have in place by 5 October to ensure they are compliant.
Members are advised to familiarise themselves with the guidance and to speak to their website provider for more information.
Key takeaways from the DPC's guidance include the following:
- The rules set out in the guidance are applicable not only to cookies but also to other tracking technologies, including local storage objects (LSOs) or ‘flash’ cookies, software development kits (SDKs), pixel trackers (or pixel gifs), ‘like’ buttons and social sharing tools, and device fingerprinting technologies.
- The general rule is that consent is required before storing or setting cookies, regardless of whether the cookies or other tracking technologies actually contain personal data. The ePrivacy requirements apply whenever any information is stored on, or accessed from, the user's device. Additionally, where cookies contain identifiers that may be used to target a specific individual, or where information derived from cookies and other tracking technologies may be used to target or profile individuals, this constitutes personal data and its processing is also subject to the rules set out in the GDPR.
- Reminder that consent for the setting of cookies must meet the standard defined in Article 4(11) of the GDPR: a "freely given, specific, informed and unambiguous indication of the data subject's wishes", signified by a statement or by a clear affirmative action.
- There are two exemptions to the requirement to obtain consent:
  - The 'communications exemption': cookies whose sole purpose is carrying out the transmission of a communication over a network, for example to identify the communication endpoints.
  - The 'strictly necessary exemption': cookies used to provide an 'information society service' (i.e. a service delivered over the internet) that the user has explicitly requested, where the use of the cookie is restricted to what is strictly necessary to provide that service.
- Analytics cookies require consent, however the guidance states that it is "unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC".
- Wording in the cookie banner or notice which informs users that their consent to set cookies is assumed from their continued use of the website (clicking, using or scrolling it) is not permissible. Consent to set cookies cannot be obtained by implication. Cookie banners that disappear when a user scrolls, without any further engagement by the user, are also not permissible.
- Pre-checked boxes and sliders do not comply with European law, as clarified by the Court of Justice of the European Union in the Planet49 judgment of October 2019.
- Users of the website cannot be deemed to have consented simply because they are using a browser or other application which, by default, enables the collection and processing of their information.
- If cookies are used to track the location of a device or a user, this can only be done with the user’s consent.
- Accessibility should be taken into account in relation to the design of interfaces, for example colour schemes for cookie banners or sliders and checkboxes that blend into the overall background of a site may make a website harder to navigate, particularly for people with vision impairments or colour blindness.
- A website operator should consider its relationship with any third party whose assets deploy on the website. For example, where features such as ‘like’ buttons, plugins or widgets, pixel trackers or social media-sharing tools are deployed, the website operator should be aware of what data is being sent to third parties and that the website operator may be considered a controller in respect of any personal data collected and disclosed to those third parties. This position was set out by the Court of Justice of the European Union in the Fashion ID judgment case in July 2019.
- The lifespan of a cookie must be proportionate to its function. The DPC does not consider it proportionate to have a session cookie with a lifespan of ‘forever’, for example.
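Two of the points above, that non-exempt cookies must not be set before consent and that a cookie's lifespan must be proportionate to its function, can be checked from a site's own response headers. The following script is an added example written for this page, not code from the DPC, the SFA or the webinar: it parses the Set-Cookie headers a browser would receive on a first visit, before the user has touched the consent banner, and flags non-exempt cookies set without consent as well as cookies that outlive the cap set for their function. The allowlist of exempt cookie names, the lifespan caps and the header values are all assumptions constructed for the example; a real audit uses the site's own documented cookie list and headers captured from a clean browser profile.

```python
"""Audit Set-Cookie headers captured from a first (pre-consent) page load.

Added example for this page. Checks two points from the DPC guidance:
non-exempt cookies must not be set before consent, and every cookie's
lifespan must be proportionate to its function.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Cookies the operator has documented as exempt (communications or strictly
# necessary), with the longest lifespan its function justifies.
# Hypothetical names and caps for this example; a real policy lists the site's own.
EXEMPT_LIFESPANS: Dict[str, timedelta] = {
    "csrf_token": timedelta(hours=12),    # anti-CSRF token tied to the session
    "session_id": timedelta(hours=12),    # login session
    "cookie_prefs": timedelta(days=180),  # stores the user's consent choice itself
}
# Policy cap for any non-exempt cookie once consent has been given (assumption).
DEFAULT_MAX_LIFESPAN = timedelta(days=365)


@dataclass
class Cookie:
    name: str
    lifespan: Optional[timedelta]          # None = browser-session cookie
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header value into name, lifespan and attributes.

    Max-Age takes precedence over Expires (RFC 6265, section 5.3); flags
    without a value (Secure, HttpOnly) are stored with an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    lifespan: Optional[timedelta] = None
    if "max-age" in attrs:
        lifespan = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifespan = parsedate_to_datetime(attrs["expires"]) - now
    return Cookie(name.strip(), lifespan, attrs)


def audit(headers: List[str], consent_given: bool, now: datetime) -> List[Tuple[str, str]]:
    """Return (cookie name, finding) pairs for one captured response.

    Findings: 'pre-consent' when a non-exempt cookie is set without consent,
    'lifespan' when the cookie outlives the cap for its function.
    """
    findings: List[Tuple[str, str]] = []
    for header in headers:
        cookie = parse_set_cookie(header, now)
        if cookie.lifespan is not None and cookie.lifespan <= timedelta(0):
            continue  # a past expiry deletes the cookie and stores nothing
        exempt = cookie.name in EXEMPT_LIFESPANS
        if not exempt and not consent_given:
            findings.append((cookie.name, "pre-consent"))
        cap = EXEMPT_LIFESPANS.get(cookie.name, DEFAULT_MAX_LIFESPAN)
        if cookie.lifespan is not None and cookie.lifespan > cap:
            findings.append((cookie.name, "lifespan"))
    return findings


# Constructed Set-Cookie values standing in for a first load of a site before
# the user has interacted with the consent banner (not captured from any real site).
NOW = datetime(2020, 10, 5, 12, 0, tzinfo=timezone.utc)
FIRST_LOAD_HEADERS = [
    "csrf_token=def456; Path=/; Secure; HttpOnly; SameSite=Strict",               # session-scoped, exempt: fine
    "cookie_prefs=pending; Path=/; Max-Age=15552000; Secure; SameSite=Lax",        # 180 days, equal to its cap: fine
    "session_id=abc123; Path=/; Expires=Fri, 01 Jan 2100 00:00:00 GMT; HttpOnly",  # exempt name, but a 'forever' session
    "_ga=GA1.2.1; Path=/; Max-Age=63072000; Domain=.example.test",                 # 2-year analytics cookie, no consent yet
    "tracker=xyz; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",                  # deletion of an old cookie: fine
]

if __name__ == "__main__":
    for name, finding in audit(FIRST_LOAD_HEADERS, consent_given=False, now=NOW):
        print(f"{name}: {finding}")
```

Run against the constructed headers, the script reports the 'forever' session cookie once and the analytics cookie twice (set before consent, and with a two-year lifespan over the assumed one-year cap). Rerunning with consent_given=True leaves only the two lifespan findings, which is the point of the proportionality rule: consent does not cure an excessive expiry. The check covers HTTP cookies only; local storage objects, SDKs, pixel trackers, social plugins and fingerprinting scripts listed in the guidance have to be found by inspecting the page's scripts and outbound requests, not its Set-Cookie headers.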
For further assistance on this and other GDPR issues please contact Emma Crowley, SFA Executive on 016051668 or email firstname.lastname@example.org.