WHICH LOCAL LAW IMPLEMENTS THE EPRIVACY DIRECTIVE?
S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (2011 Regulations).
IS THERE ANY REGULATORY GUIDANCE ISSUED TO SPECIFICALLY ADDRESS COOKIES?
CAN A USER PROVIDE CONSENT TO COOKIES VIA WEB BROWSER SETTINGS?
ARE COOKIE WALLS ALLOWED?
No – cookie banners cannot indirectly force a user to accept cookies in order to enter the site. There must be granular, opt-in consent for each purpose for which cookies are used.
CAN CONSENT BE IMPLICIT, (I.E. THROUGH USE OF WEBSITE)?
TRANSPARENCY AND RETENTION
ARE THERE SPECIFIC RULES OR GUIDANCE FOR COOKIE BANNERS?
Consents cannot be bundled – consent must be gained for each purpose for which a cookie is used. Organisations should adopt a layered approach to gaining and explaining consent to users. This may be achieved by a cookie banner; however, the guidance notes that the banner must not indirectly force a user to accept all cookies: a reject option should also be clear if such an accept option is available on the banner.
ARE THERE ANY SPECIFIC RETENTION PERIODS FOR DATA HELD BY COOKIES?
Yes. The DPC indicates that six months is the longest period for storing user consent for cookies, and recommends that users have a readily available tool on the relevant website allowing them to regularly amend cookie consents.
DO ANY COOKIE RULES OR GUIDANCE APPLY DIFFERENTLY FOR FIRST-PARTY AND THIRD-PARTY COOKIES?
Yes. The DPC reminds organisations to consider all relationships with the third parties with whom they may interact, for example through plugins, widgets or social media sharing tools. Organisations should know what personal data is being shared with third parties via cookies (or other means), and where controller-controller or controller-processor relationships may exist.
IS THERE ANY REGULATORY STRATEGY ON THE ENFORCEMENT OF COOKIE RULES?
HAVE THERE BEEN ANY FINES ISSUED FOR NON-COMPLIANCE OF COOKIE RULES?
HAVE THERE BEEN ANY COURT CASES ADDRESSING COOKIE COMPLIANCE?
The DPC emphasises that it is irrelevant whether personal data exists within the information accessed or stored in cookies. The guidance notes that the ePrivacy Regulations apply to information stored or accessed on such equipment, irrespective of whether the information includes personal data. Personal data may not always exist in cookies; however, when it does, GDPR obligations apply in addition. Examples of relevant GDPR considerations given by the DPC include transparency requirements, Article 28 contracts where appropriate, and ensuring that the relevant processing is recorded in an Article 30 Record of Processing Activities (RoPA).
Consent is required for analytics cookies. The DPC does indicate, however, that when it carries out enforcement action on cookie compliance, first-party analytics cookies are unlikely to be an immediate priority.
Originally published 27 November 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.