Frequently asked questions about cookies

Global privacy regulations such as the GDPR, CCPA and ePrivacy, as well as updated guidelines from the DPC, ICO and CNIL will have a profound effect on marketing activities. Faced with the legal and financial ramifications of ignoring a consumer’s right to privacy, marketers must rethink their data collection, use, and retention methods.

On the 10th of September we partnered with OneTrust in a joint webinar to discuss the latest updates and guidelines from the Irish DPC’s latest cookie guidelines. During this session we received a lot of questions from the audience, which included questions we’ve previously been asked. We have decided to compile the most frequently asked questions about cookies, hoping that it would add some clarity in understanding compliance.

Please note: the answers below are provided for information purposes only, and do not constitute legal advice. Arekibo cannot be held responsible for how this information is used. The responsibility for compliance lies with the individual data controller and each controller must decide their approach. Our advice to digital professionals is to confirm their approach with their Data Protection Officer (all organisations are required by law to appoint a DPO) and to seek legal advice where appropriate.

Most frequently asked questions about cookie compliance:

1. Can businesses have two cookie classification categories only, set up as 'Essential cookies' and 'Non-essential'?

There is nothing in the DPC guidance that mandates having distinct set of non-essential categories such as analytics, marketing etc. Nevertheless, anything you can do to bring clarity to how you communicate with end-users is a good thing. Most data controllers find it useful to use these categories to fulfill the requirement for transparency and to make it easier for users to manage their tracking preferences.

2. Can colour coding buttons (for example giving an “accept button” a different color than a customise or reject button) be deemed a nudge?

This is a complex and ambiguous area. Our view is that the DPC’s concern with “nudging” users into accepting cookies is driven by a concern with approaches that make it difficult for users to control their preferences. So, for example, making it very easy to see some buttons and difficult to see other buttons is an approach that places obstacles in the user’s way as they attempt to exercise that control. If your banner design incorporates button styles that don’t present those obstacles you will probably be ok. Ask yourself is what I am doing making it more difficult for users to give their free, unambiguous consent? If so then you probably shouldn’t be doing it!

3. The legislation on expiry dates for cookie consent is set by DPC as 6 months (excluding the exceptions). What circumstances would require a longer timeframe?

The advice here is put yourself in the end-user's shoes and ask what they would reasonably expect. The guidance is vague on this mainly because it depends on the purpose of a cookie. If I am using a cookie to hold information for a shopping cart then users particularly expect that to expire at the end of a session, or perhaps a week later (if the site doesn’t provide a save for later function). But six months later, a year later? Probably not. We don’t want to be haunted by a trail of unpurchased products. Similarly, if I visit your website daily and I don’t want to be prompted each day to consent to your use of Google Analytics. In this case, check in with me again in six months. Again, the guide here is to focus on giving the best possible user experience to the user without stretching their goodwill.

4. There are a few companies who are choosing to go on a “Zero tracking” path. It seems to solve lots of problems and be user-friendly. Is zero tracking path the way to go?

Clearly this is one way of handling compliance. If you don’t use cookies at all much of the relevant legislation is not going to apply to you. Our view is that this is rather extreme position, especially when it comes to first-party cookies. Tracking isn’t bad per se, it is how you use it and how you communicate with users on your tracking approach. And cookies can offer benefits to both you and your customers. Present the choice clearly to your users and let them make up their minds.

5. Can OneTrust banner be matched to company’s own branding?

Yes, you can include your logo and customise color, font etc. OneTrust offers a significant degree of flexibility concerning how the banners are presented.

6. There are two types of cookies which are exempt from requiring user consent. What are they and what does this mean in practice?

Roughly the exempt cookies are those which are 1) “strictly necessary” cookies which are required to enable your website to work in the first place an 2) the “communications exemption” which are cookies which support the maintenance of stable communications between the user and a website. In relation (1) the paradigm case are session cookies, set by websites in order to do things like allow manage state on online forms or allow them to add things to a shopping cart etc. These cookies typically expire as soon as the user closes their browser window and that is a very good indication that you are dealing with a strictly necessary cookie. Please note bad website design or interest that go beyond merely supplying functionality should not be considered excuses for categorizing cookies as strictly necessary. That analytics cookie may be necessary to your decision process concerning what products to place on your website for sale, but it is not necessary to display any particular product on your site. With respect to (2) the “communications exemption”, these cookies really operate on behalf of the network layer, they are used for things like load-balancing and traffic routing. They are cookies that keep a connection to your website open and stable, but the exemption doesn’t apply to anything you do with that connection. These types of cookies offer no benefits other than keeping your site up and running and ensuring it is quick to use. If a cookie is offering other benefits it is probably not a candidate for this exemption.

7. My site uses both a domain and subdomains. Do I need to re-acquire consent if one my users clicks through to the subdomain?

What this comes down to more than anything else is purpose. If my use of a cookie on a subdomain involves both the same controller (i.e. I am the controller for both the domain and the subdomain) and the same purposes — remember what you use cookies and any information a cookie facilitates the collection of for is crucial — then you don’t need to acquire additional consent. But if the purpose varies then you need to go back to the user an acquire consent for that new purpose. Ask yourself are there any differences in the cookies I am using, the uses I am making of that information and the people who will get access to that information. If any of these varies make all of this clear to the user and re-acquire consent.

The session was recorded. View the recording here and download the deck here.

If you have more questions on your mind, and need professional advice on cookie compliance, contact us today.

Register for our upcoming webinar on the 18th of November with OneTrust about getting compliant, staying compliant and the future of digital marketing.