Cookie sweep report highlights failing cookie banners

Traditional approach to cookie banners swept aside by DPC report

Last month, the Data Protection Commissioner (DPC) released a report showing its findings following a cookie “sweep” of a select number of websites across a range of sectors in the economy.

The report may have fallen through the cracks for many due to all the attention around the Covid-19 response.

Key findings of the cookie sweep report

Following the “sweep” conducted by the DPC it found that 26% of data controllers were found to have used pre-checked boxes to acquire consent for cookies, including marketing, advertising and analytics cookies. It highlighted that "these controllers will need to act expeditiously to amend their interfaces, which it is clear do not comply with EU law".

One of the other key findings from the sweep shows that on almost all the websites examined, cookies were set immediately on the landing page including non-necessary cookies.

In many cases organisations misclassified cookies as “necessary” or “strictly necessary” and relied on implied consent.

Cookie banners offering no choice other than an “accept” button and no link to a cookie policy were a feature on many websites. In many cases there were no visible cookie preference settings for users to change or withdraw cookie choices even in instances where the organisation had already deployed a consent management platform. Another issue the DPC found was the “bundling” of consent for all purposes.

Scale of the report

From August to December 2019 the DPC carried out the sweep sending a questionnaire to 40 organisations and examining the use of cookies and similar technologies on a selection of popular websites in Ireland.

As part of the sweep the DPC received 38 controllers responses and graded each of the responses according to a red, amber, green system. Only 2 controllers received a green grading, 20 were graded amber and 12 had a red rating which is substantial compliance issues, particularly the use of implied consent for cookies.

As many organisations may be aware the ePrivacy Regulations require that you obtain consent in order to gain any access to information stored on the device of a user, or to store any information on the person’s device.

The Irish ePrivacy Regulations, implemented by Statutory Instrument (S.I.) No. 336 of 2011 transposes into law the EU ePrivacy Directive (2002/58/EC as amended by 2009/136/EC).

The DPC’s aim was to examine how cookies are deployed, and to establish how and whether organisations are complying with the current Irish cookie law rules, and in particular, whether users’ consent for non-necessary cookies or tracking technologies is being obtained in line with the requirements of the EU General Data Protection Regulation (GDPR).

For most organisations it means they will need to implement a mechanism to get consent to setting the cookies to be compliant. Traditionally this has been a simple pop-up banner that includes a link to the cookies policy and states that continuing to use the website will constitute consent to setting cookies (often with a button that lets a user dismiss the banner).

Function of cookies

Cookies are usually small text files stored on a device, such as a PC, a mobile device or any other device that can store information. The regulations make use of the word terminal equipment which can include the use of a mobile device, a computer or any device connected to the internet (so-called ‘Internet of Things’).

Cookies serve several important functions, including to remember a user, to keep track of items in an online shopping cart or to keep track of information when you input details into an online application form. Authentication cookies are also important to identify users when they log in to many essential online services.

Certain cookies can also be used to help web pages to load faster and to route information over a network. The information stored in cookies can include personal data, such as an IP address, username, a unique identifier, or an email address. But it may also contain nonpersonal data such as language settings or information about the type of device a person is using to browse the site.

New approach required

Recent case law of the European Court of Justice has indicated that this is not sufficient to comply with the requirements post GDPR, and that the following rules apply:

• Other than strictly necessary cookies (i.e. cookies without which the website will not function), no cookies should be set until the user has taken a positive action to indicate consent to the cookies
• Pre-ticked boxes are not acceptable, by default the cookies should not be set
• Consent should be provided for different categories of cookie separately 
• Banners must give equal prominence to “accept” and “reject” buttons and a link to information that allows users to manage their cookie settings

Considering the above, organisations need a fully compliant cookie policy and will need to implement a pop-up or banner to gain consent for different cookie categories.

If your organisation’s website uses cookies and wants to comply with the EU law standard on cookies, it will need to implement a cookie consent tool.

In its guidance notes the DPC says cookies should only be set a lifespan that is proportionate to the function of the cookie. For example, a session cookie used for when you add an item to your shopping cart on an online shopping website, but it also generally disappears when a user closes their browser. There are other cookies that are persistent and are used to track a user over time and these cookies can have exceptionally long lifespans. If a cookie is used to store a record that a user has given consent to the use of a cookie, this cookie should have a lifespan of 6 months.

For more information on Irish ePrivacy regulations, the cookies sweep, and guidance notes made available by the DPC check out the information below.

Report by the DPC

Guidance notes made available following the sweep

Irish ePrivacy Regulations

The Irish ePrivacy Regulations, implemented by Statutory Instrument (S.I.) No. 336 of 2011 transposes into law the EU ePrivacy Directive (2002/58/EC as amended by 2009/136/EC).

Regulation 5(3), 5(4) and 5(5) from in the Irish ePrivacy regulations states:

• 5(3) A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless 
  • (a) the subscriber or user has given his or her consent to that use, and 
  • (b) the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which - 
  • (i) is both prominently displayed and easily accessible, and 
  • (ii) includes, without limitation, the purposes of the processing of the information. ​
• 5(4) For the purpose of paragraph (3), the methods of providing information and giving consent should be as user-friendly as possible. Where it is technically possible and effective, having regard to the relevant provisions of the Data Protection Acts, the user’s consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given his or her consent. 
• 5(5) Paragraph (3) does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

The Guidance from the DPC will afford website operators a six month grace period from date of publication, 6 April 2020, to bring their cookies practices into compliance, with a deadline in October 2020.

If you are looking to implement a cookie consent tool or banner to your website contact us today.

Register now for our joint webinar with our partner OneTrust on the 10th of September.