An Increasing Regulatory Focus on Cookies: Time to Review Your Compliance?

The Irish Data Protection Commission (“DPC”) and the UK Information Commissioner’s Office (“ICO”) have both recently published revised guidance on the use of cookies in light of the General Data Protection Regulation (“GDPR”). This signals an increasing regulatory focus on cookies compliance by website operators and is a warning sign that enforcement action in this area is likely, not least because the ICO has said cookies are a ‘regulatory priority’ for it and we understand the DPC is also looking closely at this area. It is therefore a good time to take stock of the current legal position and to suggest some practical steps towards compliance.

In the Irish context, Regulation 5(3) of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (the “ePrivacy Regulations”), read together with the GDPR, sets out the consent requirements for cookies and similar technologies. Website operators must provide ‘clear and comprehensive information’ on their use of cookies, ‘prominently displayed and easily accessible’ and covering the purposes for which each cookie is set, and must obtain express consent for all cookies unless an exception applies.

There is an exception from this express consent requirement for any cookies which are set on the user’s equipment for the ‘sole purpose of carrying out the transmission’ or which are ‘strictly necessary in order to receive an information society service’ requested by the user (i.e. from the user’s and not the operator’s perspective).

The DPC’s stated position is that ‘[...] any ‘consent’ as required under the ePrivacy Regulations, will now be defined in the same way as in the GDPR’.  As the DPC goes on to explain, ‘[...] the standard of consent required by the GDPR is higher than under the previous law, and means that consent must be a clear, affirmative act, freely given, specific, informed, and unambiguous’.   As such, website users must be given a clear choice (e.g. through off/on switches on cookies banners) as to whether or not to accept any cookies which are not ‘strictly necessary’.  Implied consents, pre-ticked boxes or defaults to ‘on’ for non-essential cookies are no longer permitted.

In addition, under Regulation 5(4) of the ePrivacy Regulations, consent must be given (and the information provided) in a way that is as ‘user-friendly as possible’.  Use of user browser settings is expressly permitted, but has historically been discouraged in Ireland as the DPC, in previous guidance, stated that people are not sufficiently aware of the use of cookies, and the purpose for which they are used, to obtain valid consent via browser settings.

Significantly, the ICO states in its guidance that analytics cookies and first- and third-party advertising cookies do not qualify for the ‘strictly necessary’ exemption, so user consent must be sought for them and cannot be implied. The DPC’s guidance does not set out its position in the same detail, but the necessity of each cookie a website operator sets should now clearly be assessed more closely. A strict regulatory view here may have far-reaching implications for the adtech commercial model and for the financing of website content in general: where users are given a genuine choice and advertising cookies are not set by default, it can safely be assumed that they are highly unlikely to ‘opt in’ in great numbers.

Enforcement

Currently, the DPC has power under the ePrivacy Regulations to investigate breaches of the cookies requirements and to serve enforcement notices in respect of them. An enforcement notice can require the website operator to take steps to rectify the breach, to cease processing, to erase data and so on. Failure to comply with Regulation 5(3) of the ePrivacy Regulations is not itself a criminal offence. However, failure to comply with a DPC enforcement notice (without reasonable excuse) is a criminal offence, carrying a potential fine not exceeding €5,000.

While we are not aware of any precedent in Ireland for a prosecution by the DPC arising from a breach of the existing cookies requirements, this may well change as a result of the increased regulatory focus on this area.

Separately, if a website operator’s privacy practices are not compliant with the GDPR, the DPC has available to it the full range of corrective powers provided for under the GDPR, including fines, to deal with any non-compliance.

Next steps

Although further changes to the rules on cookies are coming with the proposed e-Privacy Regulation at EU level, the regulators appear minded to examine cookies compliance ‘as things stand’ rather than wait for new rules or enforcement powers. Organisations setting cookies should therefore review their practices now, focusing on obtaining any necessary express consents before non-essential cookies are set, and on providing information on their use of cookies in a clear, transparent and user-friendly manner.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.