Website Data Protection ‘Cookie’ Compliance (part 2)
In part one of this blog we looked at the law in relation to cookies, which admittedly is not very clear, but which has been clarified by EU case law and by recent guidance from the Data Protection Commission (DPC).
All cookies, other than those falling under two exemptions, need consent from the user, and that informed consent must be:
1. an affirmative unambiguous action (no pre-checked boxes) and
2. for a specific purpose only and
3. after the user has been informed what the cookie or cookies are for.
The only two exemptions that do not require consent are the ‘communications’ exemption and the ‘strictly necessary’ exemption.
The ‘communications’ exemption
This applies to cookies whose sole purpose is for carrying out the transmission of a communication over a network, for example to identify the communication endpoints (allowing individuals to connect to a central network) or ensuring the data packets are received in the right order.
The ‘Strictly necessary’ exemption
This applies to the functionality of the website: the cookie must be strictly necessary for the user to use the service they have asked for, not merely convenient for the website operator. Examples of cookies that fall into this category are a cookie that records the user’s language preference or, on a shopping site, a session cookie that records the contents of their basket and expires when they leave the site.
To reiterate, all other cookies require the informed consent set out above. This includes any marketing, targeting and analytics cookies, and especially third-party cookies, which the DPC considers to pose a greater privacy risk to the user. It also includes chatbots and social plugins, such as Facebook’s ‘like’ button.
So what should you do to ensure that your website is compliant and that the DPC will not come calling in six months’ time?
Fortunately, the DPC has given further guidance in this area. It suggests a graded approach to your cookie banner, shown before any non-exempt cookie is set. The user can either accept all cookies with an affirmative click or open the cookie settings, and the settings option should be equally prominent. If they open the settings, they should be told what cookies are on the site and what each is for, and they should be able to decline the non-essential cookies and still proceed to the site.
Shown below are two examples of a bad cookie banner and a good cookie banner, that should appear as soon as the user arrives at your site.
As you can see from the bad example, consent may not be bundled, i.e. an “all or nothing” approach to accepting or rejecting cookies is not acceptable.
This is an example of a good cookie banner:
For the ‘good’ cookie banner to become a ‘great’ cookie banner, it would have to highlight the cookie settings button in the same gold box used for the accept button, so that the two choices are equally prominent.
It is also important that your cookie and privacy policies are up to date, actually reflect what your website sets, and are accessible without the user having to go through the cookie banner first.
Finally, the user must be able to withdraw or vary their consent for the use of cookies at any time, and withdrawing consent must be as easy as giving it.
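The graded banner and the withdrawal requirement above translate into a small amount of client-side logic: nothing non-essential is set before an affirmative choice, nothing is pre-checked, each category is decided separately, and a later change of mind is honoured by unloading the tags and deleting the cookies of any category that is now off. The following is an added example written for this post, not code from the DPC or from any consent-management product. The category names, the `cookie_consent` record, the `Max-Age`, and the cookie and tag inventories are assumptions constructed for the example; a real site would substitute its own.

```javascript
"use strict";

// Assumed categories. Only "necessary" is exempt from consent.
const CATEGORIES = Object.freeze({
  necessary: { exempt: true },
  analytics: { exempt: false },
  marketing: { exempt: false },
});

const CONSENT_COOKIE = "cookie_consent";   // assumed first-party cookie holding the consent record
const CONSENT_MAX_AGE = 180 * 24 * 3600;   // assumed retention of the record, in seconds

// Constructed inventory: every cookie the site sets, mapped to its category.
const KNOWN_COOKIES = [
  { name: "session_id", category: "necessary" },
  { name: "lang", category: "necessary" },
  { name: "_analytics_uid", category: "analytics" },
  { name: "_ad_profile", category: "marketing" },
];

// Constructed inventory: third-party tags that must not load without consent.
const THIRD_PARTY_TAGS = [
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "social-like", category: "marketing", src: "https://social.example/like.js" },
];

// Starting state: no pre-checked boxes. Only the exempt category is on.
function defaultConsent() {
  const categories = {};
  for (const [name, def] of Object.entries(CATEGORIES)) categories[name] = def.exempt;
  return { version: 1, decidedAt: null, categories };
}

// Apply the user's explicit per-category choices. Exempt categories stay on; any
// category the user did not set to exactly `true` is off, so silence is never consent.
function saveSettings(choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const name of Object.keys(CATEGORIES)) {
    if (!CATEGORIES[name].exempt) consent.categories[name] = choices[name] === true;
  }
  consent.decidedAt = now;
  return consent;
}

// The banner's "Accept all" button: one affirmative click covering every category.
function acceptAll(now = Date.now()) {
  const choices = {};
  for (const name of Object.keys(CATEGORIES)) choices[name] = true;
  return saveSettings(choices, now);
}

// Withdrawal: identical to saving settings with every optional category off.
function withdrawAll(now = Date.now()) {
  return saveSettings({}, now);
}

// Set-Cookie header for the consent record itself. Remembering the user's choice is
// part of honouring it, so this cookie belongs to the necessary category.
function consentSetCookie(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Read the record back from a document.cookie / Cookie header string.
// Returns null when there is no valid record, i.e. the banner must be shown.
function parseConsent(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const [rawName, ...rest] = part.trim().split("=");
    if (rawName !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      if (parsed.version !== 1 || !parsed.categories || typeof parsed.categories !== "object" ||
          typeof parsed.decidedAt !== "number") return null;
      // Rebuild from defaults so a tampered record cannot switch off an exempt
      // category or introduce a category the site does not define.
      return saveSettings(parsed.categories, parsed.decidedAt);
    } catch (e) {
      return null;
    }
  }
  return null;
}

function bannerRequired(cookieHeader) {
  return parseConsent(cookieHeader) === null;
}

// Gate for script injection: only tags whose category has been consented to may load.
function allowedTags(consent, tags = THIRD_PARTY_TAGS) {
  return tags.filter((t) => consent.categories[t.category] === true);
}

// After any change of consent, every cookie in a category that is now off must go.
function cookiesToDelete(consent, known = KNOWN_COOKIES) {
  return known.filter((c) => consent.categories[c.category] !== true).map((c) => c.name);
}
```

On page load the site calls `bannerRequired(document.cookie)`; if it returns true, the banner is shown and no tag outside the necessary category is injected. When the user clicks accept or saves their settings, the result of `acceptAll()` or `saveSettings()` is written with `consentSetCookie()`, `allowedTags()` decides which scripts may now be added to the page, and `cookiesToDelete()` lists what to expire. The same two calls run again after `withdrawAll()`, which is how the "withdraw at any time" requirement is met with no extra code path.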
Conclusion
The good news is that website owners have been given a six-month window by the DPC to get their house in order, and the DPC has published extensive guidance, with examples, to dispel any misconceptions you might currently have. We would suggest that you, or whoever manages your website, urgently study both the report and the cookie guidance notes published by the DPC, links to both below.
The bad news is that once the six months are up, website owners could face the very real consequences of large fines and the adverse publicity that comes with not respecting users’ privacy.
This is not legal advice, you should always consult your lawyer.