Earlier this year, the Irish Data Protection Commission (“DPC”), which is responsible for enforcing GDPR compliance in Ireland, published a report regarding how websites across a range of industries are using cookies and tracking technologies, as well as new guidance regarding what’s required to comply with GDPR from a cookie consent perspective. If you’re collecting data from Irish residents, you should review your cookie compliance protocols to ensure you’re not running afoul of GDPR.
What Prompted This Action?
Between August and December 2019, the DPC sent questionnaires to a number of popular websites in Ireland in an effort to examine how cookies and tracking technologies are deployed, and to determine whether organizations are:
1) Complying with the current Irish cookie law rules; and
2) Obtaining users’ consent for non-necessary cookies or tracking technologies in line with the requirements of GDPR.
What Did The DPC Find?
· Non-essential cookies are running without consent on landing pages: On almost all the websites examined, non-necessary cookies were running prior to obtaining the required explicit consent from a website visitor
· Pre-checked consent boxes: 26% of the responding organizations presented pre-checked boxes to signal consent to cookies, including to marketing and analytics cookies
· Implied consent: Two-thirds of the organizations stated that they were relying on implied consent through “scrolling” or telling the user to control cookies through browser settings
· Misclassification of cookies as “necessary”: Many organizations miscategorized what are analytic or marketing cookies as either “necessary” or “strictly necessary”
· Bundling of consent for all purposes: For most organizations, consent was “bundled”, meaning users were unable to provide consent to particular purposes for which cookies were being used.
· No visible functionality to change cookie settings: Most websites did not offer tools for users to vary or withdraw cookie choices at a later stage, despite the deployment of third-party vendors’ CMPs by some organizations.
Nearly half of the organizations who responded admitted that they were either aware they weren’t compliant with the existing rules or that they were trying to implement changes to achieve compliance. However, the DPC made clear that given some of the response provided “that even the changes proposed by controllers may not serve to bring them into full compliance.”
How Did The DPC Respond?
After picking their jaws up off of the floor from seeing how rampant noncompliance was among respondents, the DPC issued guidance regarding how companies can deploy a compliant cookie consent protocol.
Key takeaways from the DPC’s new cookie guidance include:
· Organizations must ensure that non-essential cookies (e.g. social sharing tools or pixel trackers) are not set to automatically run on the landing page of their site or app;
· Obtaining users’ consent by implementing a cookie banner or pop-up is acceptable, provided that:
· the cookie banner or pop-up is not designed in a way that “nudges” a user into accepting cookies over rejecting them. In practice, if there is an “accept” button on the banner, the banner must give equal prominence to a “reject” button, or to an option which brings users to a second layer of information and allows them to manage their cookie settings; and
· this second layer of information must provide more detailed information about the types and purposes of cookies or other technologies being set, and the third parties who will process information collected when those cookies and similar technologies are deployed. It also must provide users with options to accept or reject such cookies/similar technologies by cookie type and purpose, e.g., via checkboxes that must not be pre-checked, or sliders that must not be set to “on” by default;
· Users must also be able to change their cookie preferences at any time;
· Any record of consent must be backed up by demonstrable organizational and technical measures that ensure a user’s expression of consent (or withdrawal) can be effectively acted on; and
· Analytics cookies, targeting cookies and marketing cookies require users’ prior consent.
The DPC made it clear that they expect organizations to comply with the current cookie law rules. After issuing the guidance in April 2020, organizations had a six-month grace period to get in compliance with the DPC’s new cookie guidance, which expires on October 5, 2020. Starting October 6, 2020 the DPC may take action to enforce the guidance.
Are Companies Paying Attention?
While it’s unclear how multinational businesses outside of Ireland are responding to the DPC’s guidance, a recent survey by Dmac Media has revealed that 87% of Irish businesses are not aware of the looming cut-off date. Additionally, nearly six months after the DPC issued their guidance, Dmac Media’s survey revealed:
1) 72% of companies don’t know if their website is compliant and 13% admitted that their website was not up to date;
2) 15% of respondents said they were fully compliant, however on investigation Dmac Media found that just 1% were actually "compliant in a meaningful way’ with the legislation
3) 66% of Irish business owners know what a cookie actually is, with nearly a third of respondents admitting that they are unaware of what a cookie is and how it works.
Dmac Media’s survey is eye-opening for a number of reasons, not least of which is the significant penalties that the DPC can impose on noncompliant companies. Given that the compliance deadline is fast approaching, companies within Ireland and those outside that collect data from Irish residents need to implement a compliant framework, and fast.
How Can Clym Help?
Clym provides a cost-effective, scalable and flexible platform to comply with GDPR, CCPA and other laws as they come online. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.