In April 2020, the Irish Data Protection Commission (DPC) published updated guidance on cookies and other tracking technologies. The “Guidance” was issued with a report based on a cookie audit of 38 companies, and the results were not good.
The survey found that 35 of these 38 companies were not in compliance on the transparency and consent front. The Commissioner concluded that such low levels of compliance meant that ordinary individuals were unaware of the extent to which their activities are tracked online.
The Guidance reminds us that consent to cookies under Article 5(3) of the ePrivacy Directive must meet the standard of consent under the GDPR. Many of the requirements of the Guidance stem from this change in the consent standard, which is largely in line with the guidelines of other Data Protection Authorities (DPAs) in Europe.
So what are the DPC's recommendations on cookie consent in Ireland, and how can you make sure you are compliant? Let's take a closer look.
What are cookies, and when is user consent needed?
Cookies are files stored in the browser when users visit a website, in order to save info such as IDs and passwords, navigation history, or card numbers for payments. There are different types of cookies, including first-party cookies that are set by the host domain, and third-party cookies set by other domains and partners.
The Irish DPC stresses that consent must be collected before any information is collected, whether through cookies or through other tracking technologies such as pixel trackers, fingerprints, SDKs, Local Storage Objects, “Like” buttons, and other social sharing tools. In fact, consent must be collected for any storage of information on a user’s device or equipment. The only exceptions are communication cookies and strictly necessary cookies.
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. In addition, “it shall be as easy to withdraw as to give consent”
- General Data Protection Regulation (GDPR), Art.7.3
In light of these recommendations, browsers are becoming increasingly restrictive. Between July 2019 and January 2020, Firefox announced “Enhanced Tracking Protection” by default, Apple announced the ITP2.2 Safari version, and Chrome announced restrictions on cookies and tracking technologies, promising no more third-party cookies in Chrome in the near future.
In this context, it is imperative for all advertisers to update and comply.
The Irish DPC’s main guidelines for cookie compliance
- Explicit consent is required: it is no longer possible to rely on implied consent (which is what two-thirds of the audited companies did).
- No nudging: the ‘Accept Cookies’ button in the cookie banner should not be emphasized over the ‘Manage Cookies’ or ‘Reject All’ buttons.
- Clear choice of settings: banners must allow users to reject non-necessary cookies and similar technologies, to change their cookie preferences at any time, and to withdraw consent as easily as they gave it.
- Retention: consent cookies should have a lifespan of 6 months maximum, and the expiry date of a cookie should be proportionate to its purpose.
- Third-party cookies examination: it is the responsibility of each organization to monitor third parties using cookies on their website or application.
- Transparency obligations: users must be provided with clear and comprehensive information about the use of cookies (readable banners, listing all third parties, granularity in the explanation of the purposes).
How can Didomi help Irish brands and publishers?
Publishers may worry that compliance will lead to a loss of revenue, and both publishers and brands will be fearful of a drastic drop in consent. Indeed, there will probably be repercussions on consent rates (small or considerable, depending on your partners and the measures you put in place). All parties will be impacted, and everyone must prepare for a certain amount of change.
Didomi is here to help. With features like A/B testing and our bespoke Consent Management Platform, Didomi ensures you know exactly what’s happening on your website, allowing you to optimize consent collection and build trust with your users.
The best way to be compliant with consumer privacy laws such as the GDPR, PECR, and the Irish DPC regulation is to implement a CMP that provides you with the right legal and technological tools and becomes the first touchpoint with your customers.
At Didomi, we begin by performing a compliance audit of your website, including vendor detection, identification of the cookies they drop, and their lifespan. The goal is to give you an accurate picture of what is happening on your website or application, and our customers are often surprised at what they discover (especially because of all the activity around third-party cookies).
The next step is to customize your CMP by choosing the right message and consent notice format to ensure that the UI/UX is aligned with your brand image (colors, font, language, etc.).
The CMP is then deployed and integrated with existing solutions within your tech stack (integration of the SDK into mobile web & apps; integration with your tag management solutions; blocking of ad hoc cookies and specific tags, except for TMS and TCF). Finally, we follow up and optimize by performing regular audits to monitor cookie lifetime and new partners, closely following consent rates, and performing A/B tests to improve opt-in rates.
Cookie consent is now a key indicator for companies. With a CMP, consent becomes an indication of user confidence in your business, which in turn leads to revenue.
Frequently Asked Questions (FAQ)
What sparked the updated guidance on cookies and tracking technologies by the Irish Data Protection Commission (DPC)?
The Irish DPC published updated guidance in April 2020, following a cookie audit of 38 companies, which revealed that 35 were not compliant with transparency and consent requirements.
What are the main guidelines for cookie compliance as per the Irish DPC?
The Irish DPC emphasizes the following requirements:
- Obtaining explicit consent before any information collection;
- Offering clear choices to users for managing cookie preferences;
- Ensuring a maximum lifespan of 6 months for consent cookies;
- Monitoring third parties using cookies on one's website;
- Fulfilling transparency obligations by providing comprehensive information about the use of cookies.
How do the recommendations of the Irish DPC align with the General Data Protection Regulation (GDPR)?
The DPC's guidance mandates that cookie consent must meet the GDPR's standards, characterized as freely given, specific, informed, and unambiguous.
Both regulations ensure that individuals have the ability to manage their consent easily and be well-informed on data collection practices.