From August to December of 2019, the Data Protection Commission (DPC) of Ireland collected information from a swath of popular Irish websites in order to document their use and deployment of cookies and tracking tools. Their goal was to determine whether or not the organizations were in compliance with existing Irish cookie and tracking tool guidelines, and whether users’ consent was obtained and taken into account as per the EU General Data Protection Regulation (GDPR).
The Cookie Sweep Findings
In April 2020, the Irish DPC issued its report detailing the findings of a “cookie sweep” of 38 popular websites in Ireland from a wide range of industries. These included media and publishing, retail organizations, restaurants and foodservice, insurance companies, sport and leisure companies, and the public sector. The cookie sweep monitored website controllers’ compliance with the GDPR and with the EU ePrivacy Directive as transposed in Ireland by the ePrivacy Regulations (S.I. No. 336/2011). The sweep sought to determine exactly which types of cookies were placed on users’ browsing devices, whether GDPR-compliant consent was obtained from users before those cookies were placed, and whether controllers gave users enough information prior to placing those cookies on their devices.
The DPC found that overall, these major Irish websites were either uncertain of how to follow these cookie guidelines or were ignoring them completely. The DPC singled out the following as the most troublesome findings:
- 26% of major Irish websites allowed pre-checked consent boxes to pass as consent for both marketing and analytics cookies.
- The majority of these websites had cookies automatically set on their landing pages. In many cases, these included cookies deemed “unnecessary” by the DPC.
- Respondents claimed the cookies they deployed automatically were “necessary” for their organizations.
- Many websites utilized poorly designed cookie banners that failed to offer users the ability to reject cookies or withdraw their consent.
- Many websites failed to offer users tools to withdraw their consent at later stages.
- The majority of websites bundled consent for multiple cookies and trackers without delineating individual cookies.
As a result of these findings, the DPC determined that more than half of the organizations studied were either ignorant of the existing compliance rules or were aware of specific improvements they could make to demonstrate compliance. Only 2 of the 38 websites received a full “green” rating, meaning they were found to be in substantial compliance with the GDPR guidelines. The rest fell under the “amber” or “red” rating, indicating minor compliance issues or extreme compliance issues respectively.
New Cookie Guidelines
In order to protect users’ data in the future, the DPC has issued new guidance on cookies and trackers for Irish websites. These are designed to work as a starting point for organizations to assess their own compliance. Some of the key points of the new DPC Guidance include:
- Analytics cookies require consent. Cookies that measure the number of visitors to a website and the pages they visit on the website must acquire user consent before being placed on their devices. While first-party analytics cookies are unlikely to create privacy risks, third-party analytics cookies which collect information for their own purposes represent a far higher privacy risk to users.
- Pre-checked consent boxes are non-compliant with GDPR regulations. In order to be consistent with European Union GDPR guidelines, websites cannot use pre-checked boxes on their landing pages or app home pages for non-necessary cookies and tracking technologies. Plus, cookie banners or pop-ups cannot “nudge” users into accepting cookies over rejecting them. In other words, the “Accept” button cannot be designed in such a way as to be more appealing or more prominent than the “Reject” button.
- Third-Party Cookies must be examined thoroughly. The DPC has provided guidelines for organizations to examine the role of Third-Party Cookies on their websites. In particular, they must ensure they follow data processing agreements that reflect the actual facts of how they process user data.
- The implied consent approach is non-compliant. Website owners can no longer simply rely on “implied consent” and assume that users visiting and interacting with their platforms are inherently agreeing to allow cookies and trackers on their devices. Instead, websites must clearly obtain consent from users as soon as they access the site.
- Websites must request periodic renewal of consent. Any website controller who maintains a record of user consent must re-obtain consent after an appropriate length of time no longer than six months after they initially obtained consent. Users who previously declined to give consent must also be given the opportunity to approve or reject cookies again at this time. Websites that block access to content until users provide consent are also considered non-compliant because they do not present users with a genuine choice.
- Implementing a Cookie Banner must adhere to certain guidelines:
  - Buttons that allow users to “accept” or “reject” cookies must have equal prominence and not be seen as shaming or punishing users for rejecting cookies.
  - Banners must provide an option for users to request a more detailed breakdown of how cookies and trackers will operate and how they can manage their own cookie settings.
  - Users must have the ability to change their cookie preferences at any time, including withdrawing their consent.
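The rules above translate into a small piece of client-side logic that gates every non-necessary cookie behind an explicit, unexpired, per-category decision. The following is an added example written for this article, not code from the DPC or from CookieScript; the function names, the cookie inventory and the 182-day renewal window (chosen to stay inside the “no longer than six months” rule) are all assumptions.

```javascript
// Added example, not the DPC's or CookieScript's code; names and the 182-day window are assumptions.
const RENEWAL_WINDOW_MS = 182 * 24 * 60 * 60 * 1000; // re-consent "no longer than six months" later
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Banner defaults: nothing non-necessary is pre-checked (no pre-ticked consent boxes).
function defaultChoices() {
  return { necessary: true, analytics: false, marketing: false };
}
// Records an explicit per-category decision (no bundled consent). "necessary" is exempt
// from consent and cannot be refused; every other category needs a real true/false choice.
function recordConsent(choices, now) {
  const decisions = { necessary: true };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    if (typeof choices[cat] !== "boolean") {
      throw new Error(`explicit decision required for "${cat}"`);
    }
    decisions[cat] = choices[cat];
  }
  return { decisions, givenAt: now };
}
// Both an acceptance and a refusal lapse after the renewal window, so the banner is
// shown again to users who accepted and to users who previously declined.
function bannerRequired(record, now) {
  return record === null || now - record.givenAt >= RENEWAL_WINDOW_MS;
}
// Gate for setting a cookie: no implied consent (null record), no lapsed consent.
function mayDeploy(category, record, now) {
  if (category === "necessary") return true;
  if (bannerRequired(record, now)) return false;
  return record.decisions[category] === true;
}
// Withdrawal at any time: a fresh record with every non-necessary category refused.
function withdrawConsent(now) {
  return recordConsent(defaultChoices(), now);
}
// Filters a site's cookie inventory down to what may be set right now.
function deployableCookies(inventory, record, now) {
  return inventory.filter((c) => mayDeploy(c.category, record, now)).map((c) => c.name);
}
// Constructed sample inventory (not taken from the DPC report).
const SAMPLE_INVENTORY = [
  { name: "session_id", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "ad_profile", category: "marketing" },
];
```

The banner itself (equal-prominence buttons, the link to the detailed breakdown) is a presentation concern layered on top; the point of the ledger is that the landing page calls `deployableCookies` and sets nothing else until the user has actually decided.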
If you would like to avoid fines and other complications as a result of non-compliance with the GDPR and DPC data protection guidelines, CookieScript provides an automated compliance solution you can integrate within your website. Once you enable CookieScript, you can rest assured your domain is fully compliant, whether your website is hosted on WordPress, Wix, Shopify, Squarespace, or any other major hosting platform.