Are Your Website or App Cookies Compliant with Data Protection Laws in Ireland?

Let’s get it out of the way and answer the question, what is a Cookie?

A cookie is a small text file that may be stored on your computer or mobile device that contains data related to a website you visit. It may allow a website to “remember” your actions or preferences over a period of time, or it may contain data related to the function or delivery of the site.

The Data Protection Commission has published a report in April 2020 setting out its findings of a survey it has carried out on websites in Ireland. It has found that there is a great deal of non-compliance by website owners/operators and the Data Protection Commission has published guidance in this regard.

Firstly, however, it is noteworthy that the DPC has granted a grace period of 6 months for websites to become compliant-that is, until 5th October 2020.  At that point the DPC will pursue offenders.

The two pieces of law you must be aware of when it comes to cookies are

  1. Statutory instrument 336 of 2011, the e-Privacy regulations and
  2. The General Data Protection Regulations (GDPR)

The Data Protection Commission Guidance

  1. Do your cookies require consent? If the cookies involve the processing of personal data, yes is the answer. If, however, the cookies are used for the sole purpose of carrying out the transmission of a communication or are necessary to provide the service requested by the user, the answer is no, the cookies may be exempt from the regulations
  2. Consent cannot be bundled together-that is, you require consent for each purpose for which you intend processing the user’s data
  3. Pre-checked boxes, implied consent, and passively accepted consent are unacceptable; the consent must be specific and clear
  4. The DPC recommends that the website’s privacy statement and cookies policy are maintained separately, even though there may be a good deal of duplication between the two
  5. Cookie banners must not hide the website privacy statement of cookie policy and allow users to get more information about the use of cookies on the site
  6. The user must be able to easily withdraw consent for the use of cookies
  7. Non-exempt cookies cannot be switched on automatically when a visitor arrives on the website

The DPC intends taking enforcement action once the grace period is over-that is, from 5th October 2020.

You can read the full guidance document, Guidance on Cookies and Similar Technologies: Full Guidance Note here.