06 Nov 2019 | 11.04 am
Data Protection Commission Undertakes Cookies Sweep
Alert for website owners from Robert Haniver at LK Shields
The Special Investigations Unit of the Data Protection Commission has been contacting website operators in Ireland to request their participation in a cookies sweep survey.
The purpose of this sweep is to obtain information which will enable the DPC to review levels of compliance with Irish privacy and data protection laws when deploying cookies and similar technologies on or through websites and apps.
It’s understood these sweep surveys are grounded on Article 31 of the GDPR, which requires controllers and processors to cooperate with the DPC, if requested, in respect of the performance of its statutory tasks.
Participation is not optional. A refusal to participate could result in enforcement measures.
The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, or ePrivacy Regulations, gives effect in Ireland to EU Directive 2002/58/EC.
Generally, user consent is required before setting non-essential cookies and similar technologies used to store or gain access to information on a user’s device. Users must be provided with easily accessible, ‘clear and comprehensive’ information on the technology being used and its purpose.
The EU Court’s recent ruling (Case C‑673/17) in Planet49 provides that the standard of consent that must be obtained from users in order to comply with the ePrivacy Regulations is based on the definition of, and the conditions for, valid consent under Articles 4(11) and 7 of the GDPR (i.e. a clear, affirmative act, freely given, specific, informed, and unambiguous), even if the activity does not involve processing personal data.
Recital 32 of the GDPR prohibits already ticked boxes and provides that silence or inactivity does not constitute valid consent. The CJEU’s ruling in Planet49 confirms this in respect of obtaining valid consent for cookies — an active action by the user is required to signify their consent.
Consent is not required if the cookie or other technology is:
- used for the sole purpose of carrying out the transmission of a communication; or
- ‘strictly necessary’ in order to provide an online service explicitly required by the user (e.g. essential cookies used to remember the contents of a user’s online shopping basket, or to comply with security obligations mandated by law).
What does the sweep survey ask for?
The survey asks participants to provide:
- Details of all cookies and similar technologies currently used, including their names, functions, security, origin and duration, whether first-party or third-party, whether essential or optional, and the methodology used to determine whether a cookie is essential or optional.
- Information demonstrating how users’ consent is obtained before the deployment of cookies and similar technologies, and how this consent meets the GDPR’s requirements for valid consent.
- The reason(s) for any non-compliance with the ePrivacy Regulations on the part of the participant, the steps taken and the expected timeline for rectification of any non-compliance.
Why this cookies sweep?
Cookies sweeps are not a new initiative. The European Data Protection Board (EDPB), under its previous guise of the Article 29 Working Party, coordinated a cookies sweep of 478 websites across eight EU member states in 2014. This sweep was carried out before the higher standards for consent were introduced by the GDPR. Ireland did not take part.
The DPC’s cookies sweep is not unexpected. Though there is no mention of the sweep on its website, DPC representatives have previously indicated that cookie-based transparency and consent is on its agenda for the second half of 2019.
Cookies consent is topical across Europe. For example, on October 1, the CJEU provided its judgment in the Planet49 case concerning cookie-based transparency and consent. Whilst the CJEU’s judgment deals with consent under the ePrivacy Directive, its judgment indicates that inferred consent from passive activities (e.g. continued browsing of a website) may not be valid. This view is supported by recent guidance issued by data protection authorities in France, Germany and the UK.
What should organisations do?
Audit: Conduct a review, and prepare an inventory, of all cookies and similar technologies currently used by your websites and apps. Establish whether appropriate arrangements are in place for the use of any third-party cookies, including what information is shared with any third party, how it is shared, and how users are informed of this. If you identify any cookies that are no longer needed, you should consider removing them.
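As an added illustration of the audit step (not part of the original alert, nor a tool of LK Shields or the DPC), the script below builds a cookie inventory from Set-Cookie headers captured from a site's responses, recording the fields the survey asks about: name, origin, first-party or third-party, duration, security attributes and an essential/optional classification. The site name, the reference time, the sample headers and the allow-list of essential cookie names are all constructed assumptions; the allow-list stands in for the documented methodology an organisation would use to decide which cookies are strictly necessary.

```python
"""Cookie inventory builder for a cookies audit.

Parses Set-Cookie headers captured from a site and records, for each cookie,
the fields the DPC survey asks about: name, origin, first- or third-party,
duration, security attributes and an essential/optional classification.
All inputs below are constructed sample data, not captured from a real site.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Assumed methodology for the essential/optional decision: an allow-list of cookie
# names the organisation has documented as strictly necessary. Everything else is
# treated as optional and therefore needs prior consent.
ESSENTIAL_COOKIE_NAMES = {"session_id", "csrf_token", "basket"}

# Hypothetical site under audit and a fixed reference time so expiry maths is repeatable.
SITE_HOST = "www.example.ie"
NOW = datetime(2019, 11, 6, 11, 4, tzinfo=timezone.utc)

# Constructed (setter host, Set-Cookie header) pairs, as captured from HTTP responses.
SAMPLE_HEADERS = [
    ("www.example.ie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.ie", "basket=item42; Max-Age=604800; Path=/; Secure"),
    ("tracker.example-ads.net",
     "uid=7f3e; Domain=.example-ads.net; Expires=Fri, 06 Nov 2020 11:04:00 GMT; SameSite=None; Secure"),
    ("www.example.ie", "ab_variant=B; Domain=.example.ie; Expires=Thu, 05 Dec 2019 11:04:00 GMT"),
]


@dataclass
class CookieRecord:
    name: str
    origin: str            # domain the cookie is scoped to
    party: str             # "first-party" or "third-party" relative to SITE_HOST
    duration: str          # "session" or "persistent (N days)"
    secure: bool
    http_only: bool
    same_site: str         # Lax / Strict / None, or "not set"
    classification: str    # "essential" or "optional"


def _domain_matches(cookie_domain: str, site_host: str) -> bool:
    """RFC 6265 domain-match: equal, or the site host is a subdomain of the cookie domain."""
    return site_host == cookie_domain or site_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, setter_host: str, site_host: str = SITE_HOST,
                     now: datetime = NOW) -> CookieRecord:
    """Turn one Set-Cookie header into an inventory record."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Without a Domain attribute the cookie is host-only for the responding host.
    domain = (attrs.get("domain") or setter_host).lstrip(".").lower()
    party = "first-party" if _domain_matches(domain, site_host.lower()) else "third-party"

    # Max-Age takes precedence over Expires (RFC 6265 section 5.3); neither means a session cookie.
    expires_at: Optional[datetime] = None
    if "max-age" in attrs:
        expires_at = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires_at = parsedate_to_datetime(attrs["expires"])
        if expires_at.tzinfo is None:
            expires_at = expires_at.replace(tzinfo=timezone.utc)
    if expires_at is None:
        duration = "session"
    else:
        duration = f"persistent ({max(0, (expires_at - now).days)} days)"

    return CookieRecord(
        name=name,
        origin=domain,
        party=party,
        duration=duration,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "not set"),
        classification="essential" if name in ESSENTIAL_COOKIE_NAMES else "optional",
    )


def build_inventory(headers=SAMPLE_HEADERS) -> List[CookieRecord]:
    return [parse_set_cookie(h, host) for host, h in headers]


def cookies_needing_consent(records: List[CookieRecord]) -> List[str]:
    """Optional cookies must not be set before the user gives consent."""
    return [r.name for r in records if r.classification == "optional"]


def cookies_missing_secure(records: List[CookieRecord]) -> List[str]:
    """Cookies that may travel over plaintext HTTP weaken the 'security' column of the inventory."""
    return [r.name for r in records if not r.secure]


if __name__ == "__main__":
    inventory = build_inventory()
    for r in inventory:
        print(f"{r.name:<12}{r.origin:<20}{r.party:<13}{r.duration:<22}"
              f"secure={r.secure!s:<6}httponly={r.http_only!s:<6}samesite={r.same_site:<8}{r.classification}")
    print("needs consent before being set:", cookies_needing_consent(inventory))
    print("missing Secure attribute:", cookies_missing_secure(inventory))
```

The two helper functions at the end give the audit its follow-up actions: every name returned by cookies_needing_consent must be gated behind an affirmative consent action before it is set, and any cookie listed by cookies_missing_secure needs a justification in the "security" column or a fix. Swapping SAMPLE_HEADERS for headers recorded from a real crawl is the only change needed to run this against a live inventory.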
Consent: Consider how users currently provide their consent to non-essential cookies, and whether the consent obtained meets the GDPR’s requirements.
Robert Haniver is a member of the intellectual property, technology and data privacy team at LK Shields Solicitors.