What you need to do to get compliant

In April this year, the Irish Data Protection Commissioner (DPC) released a report and updated guidance on the use of Cookies and other tracking technologies. This report outlined that all companies are required to comply to the DPC’s guidance on website Cookies and other tracking technologies by 5th October 2020.

This deadline has passed but several companies are still unsure about how to get compliant. What exactly does your business need to do to avoid being called out as “non-compliant”?

Key Requirements

The key requirements are described in the Article 5(3) ePrivacy Directive and state as follows:

Organisation's should provide such individuals with comprehensive information (in accordance with Directive 95/46/EC) including but not limited to:

• Identity of the organisation and its representative, if any;
• Purpose of processing for which the data is intended;
• Additional details such as the recipients or categories of recipients of the data, whether provision of requested data is obligatory or voluntary, and the consequences of failure to respond to the request, existence of the individual's rights to access, correction, amendment, and/or deletion etc.

Companies should provide individuals with a means to consent to and/or object to such processing.

Translating the requirements into practice

Now, let’s take the guidelines one step further and understand what measures you must put in place to become compliant. We have outlined the main 8:

1. Consent must be acquired for all non-essential Cookies (anything not strictly necessary). Websites must not be designed to favour acceptance over non-acceptance.
2. Cookie information must be user-friendly and easy to understand. Legal jargon and redirecting to general terms and conditions should be avoided.
3. User interfaces should be developed so that users can change their preferences at any time easily.
4. Retention periods appropriate to the purpose for which the Cookie is used should be set and enforced (not 100 years!).
5. These rules apply to all data, not just personal data. However, where the data is personal, the GDPR applies.
6. Cookie walls are noncompliant and banned i.e., preventing a user from accessing a website if they do not accept cookies.
7. Cookie and privacy policies should be accessible and updated regularly. The ability to read these policies must not be obscured by Cookie banners and must be possible to always click into.
8. Joint-controller arrangement should be considered where data is shared with third parties using these technologies.

We are currently working with our partner OneTrust – number 1 most widely used platform to operationalize privacy, security and governance and have an upcoming webinar. Our webinar is about getting compliant, staying compliant and the future of digital marketing. Register Now.

If you would like our help or advice getting ready – contact us today.