You need consent both to store information on a user’s device and to access information already stored on that device.
Cookies are small text files stored on a device; they may contain personal or non-personal data.
First party cookies are set by you on your own website or app.
Third party cookies are set by another party, for example advertising or social media cookies.
The lifespan of a cookie must be proportionate to its function: the expiry date should be no longer than the purpose requires.
A cookie banner is not compliant if it offers only “accept”, “okay got it” or “I understand” and no other option.
This is my take on what you need to do in Ireland, based on the guidance issued by the Irish Data Protection Commissioner.
What do you need to do?
Obtain consent from users for cookies and provide them with clear and comprehensive information.
The information must be prominently displayed, easily accessible and must state the purposes for which the information obtained from the cookies is processed.
Requirements – what you need to have in place:
• Cookie policy – clear and comprehensive information on the cookies used, their purpose, their duration and the third parties with whom information is shared
• Privacy policy to comply with GDPR
• Users must be able to read the cookie policy and privacy policy without any cookies being set
• Facility to obtain and withdraw consent
• Evidence of the user’s consent – i.e. that the user engaged with the information on cookies and gave unambiguous consent to the setting of cookies after being made aware of the purposes of the processing
• Add cookie processing to your Article 30 record of processing activities
• A facility to prompt for consent again 6 months after it was given
Consent
Apart from two exceptions, you need user consent to set or store cookies, irrespective of whether they contain any personal data.
You need consent for every purpose for which cookies are used (per purpose, not per individual cookie), and consent for each purpose must be obtained separately.
Location tracking requires consent.
Analytics cookies require consent as they are not strictly necessary.
Device fingerprinting requires consent.
A chatbot cookie cannot be set until the user explicitly requests to use the chatbot.
The record of consent must be backed up by demonstrable organisational and technical measures.
Special category data requires explicit consent, so it needs something more than generic information in a banner or policy.
Consent must be freely given, specific, informed, unambiguous with clear affirmative action.
When prompting the user to accept cookies there must be a link to further information on how they are used and on the third parties to whom data is transferred.
Any exceptions?
Yes there are two exceptions:
1. A cookie whose sole purpose is the transmission of a communication over an electronic communications network (note that using a cookie merely to assist, speed up or regulate transmission is NOT exempt); or
2. A cookie strictly necessary to provide an information society service (a service delivered over the internet) that the user has explicitly requested. Examples include cookies that hold products in an online shopping basket or record a language or country preference.
A cookie that is merely helpful, rather than strictly necessary, does not qualify for the exemption and requires consent.
What is consent?
Silence or inaction is not consent.
A banner that pops up and then disappears when a user scrolls or clicks on the website is not compliant.
There is no consent by implication: e.g. “continued use of the website” is not consent. Consent cannot be assumed, and scrolling or clicking on a website or app is not consent.
Consent may not be bundled for multiple purposes.
Information can be provided in layers (a short banner with a link to fuller information).
There must be an option to opt in or accept.
Generally you cannot rely on a user’s browser settings to infer consent.
You cannot use an interface that “nudges” the user towards accept rather than reject; the options need equal prominence.
No pre checked boxes, sliders or tools set “ON” by default.
Consent cannot be bundled with other consents or with the terms and conditions of a contract.
Withdrawing consent
Withdrawal of consent must be as easy as giving consent. Information on how to withdraw must be set out in the cookie information.
Consent Management Providers (CMP)
Software to manage consent and present information about cookies and choices is available from CMPs.
There must be no pre-ticked boxes for consent.
Information on how to withdraw consent must be provided.
It must be possible to prompt for consent again 6 months after it was obtained.
If the banner has a link, it must lead to readable text that is not obscured by chatbots or other features.
The banner needs “accept” and “reject” options, or a “further information” link leading to options to reject, or to manage cookies by type and purpose.
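The consent and CMP requirements above translate into a small amount of logic that any banner or tag loader must get right: no cookie or tag for an optional purpose before an affirmative action, separate consent per purpose, nothing pre-ticked, a record tied to the information the user actually saw, withdrawal as easy as granting, and a re-prompt after 6 months. As an added example (not code from this article, the Data Protection Commissioner or any CMP vendor), the JavaScript below implements that logic as plain functions with no DOM access so it runs in Node; a real banner would call them from its button handlers and persist the record in a first-party cookie or localStorage. The purpose names, the 180-day re-prompt interval, the record layout and the sample tag list are assumptions for illustration.

```javascript
// Added example, not from the article or any CMP product. Purpose names,
// the 180-day interval, the record layout and the tag list are assumptions.

// Optional purposes, each consented to separately. "necessary" (shopping
// basket, language preference) is exempt and is never asked about.
const PURPOSES = ["analytics", "advertising", "social"];

// Re-prompt interval: the guidance says 6 months; 180 days is our assumption.
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;

// Nothing is pre-ticked: every optional purpose starts off.
function defaultChoices() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Build a consent record from an explicit affirmative action only.
//   action: "accept_all" | "reject_all" | "save" ("save" carries per-purpose
//           choices from the preferences layer). Scrolling, closing the banner
//           or continued use never reach this function, so they can never
//           produce a record.
//   now: timestamp in ms. policyVersion: identifies the cookie policy text and
//        purpose list the user saw, so the record is evidence of informed consent.
function recordConsent(action, choices, now, policyVersion) {
  let purposes;
  if (action === "accept_all") {
    purposes = Object.fromEntries(PURPOSES.map((p) => [p, true]));
  } else if (action === "reject_all") {
    purposes = defaultChoices();
  } else if (action === "save") {
    purposes = defaultChoices();
    const want = choices || {};
    for (const p of PURPOSES) purposes[p] = want[p] === true; // opt-in only
  } else {
    throw new Error("not an affirmative action: " + action);
  }
  return { policyVersion, timestamp: now, action, purposes };
}

// True when the banner must be shown again: no record, the policy or purpose
// list the user consented to has changed, or the record is older than the TTL.
function needsPrompt(record, now, policyVersion) {
  if (!record) return true;
  if (record.policyVersion !== policyVersion) return true;
  return now - record.timestamp >= CONSENT_TTL_MS;
}

// Gate for setting a cookie or loading a tag: the exempt purpose is always
// allowed; everything else needs a current, specific opt-in for that purpose.
function mayUse(record, purpose, now, policyVersion) {
  if (purpose === "necessary") return true;
  if (needsPrompt(record, now, policyVersion)) return false;
  return record.purposes[purpose] === true;
}

// Withdrawal is one call, as easy as granting. Pass null as the purpose to
// withdraw everything. Returns a new record so the original consent stays
// available as evidence; the original timestamp is kept so withdrawal does
// not extend the 6-month clock.
function withdraw(record, purpose, now) {
  const purposes = { ...record.purposes };
  for (const p of PURPOSES) {
    if (purpose === null || p === purpose) purposes[p] = false;
  }
  return { ...record, action: "withdraw", withdrawnAt: now, purposes };
}

// Decide which of a site's tags may load. Each tag declares one purpose; a
// tag with no declared purpose is treated as non-essential and blocked.
function tagsToLoad(record, tags, now, policyVersion) {
  return tags
    .filter((t) => mayUse(record, t.purpose || "undeclared", now, policyVersion))
    .map((t) => t.name);
}

// Constructed sample tag list for trying the functions out (an assumption).
const SAMPLE_TAGS = [
  { name: "session", purpose: "necessary" },
  { name: "analytics-script", purpose: "analytics" },
  { name: "ad-pixel", purpose: "advertising" },
  { name: "legacy-widget" }, // no declared purpose: never loads
];
```

Before the user acts, `tagsToLoad(null, SAMPLE_TAGS, Date.now(), "policy-v1")` returns only `"session"`; after `recordConsent("save", { analytics: true }, ...)` the analytics tag is added and the ad pixel is still blocked; once `Date.now()` passes the timestamp plus `CONSENT_TTL_MS`, or the policy version changes, `needsPrompt` is true again and every optional tag is blocked until the user answers a fresh prompt. Keeping the old record and writing a new one on withdrawal, rather than deleting it, is what gives you the evidence trail the guidance asks for.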
Disclaimer
The material in this article is for general information purposes only and does not constitute legal or taxation advice. Specific legal and taxation advice should be sought before acting. All information and taxation rules are subject to change without notice.
No liability whatsoever is accepted by M. McLoughlin & Co. for any action taken in reliance on the information in this article