What are cookies and tracking technologies?
Cookies are small text files that a website stores on a user's device, such as a mobile phone, to hold information. They serve important functions such as remembering a user and their previous interactions with a website, and keeping track of items in an online shopping cart. Other types of cookies and tracking technologies include local storage objects (LSOs) or 'flash' cookies, software development kits (SDKs), pixel trackers (or pixel gifs), 'like' buttons and social sharing tools, and device fingerprinting technologies.
Key points from the DPC
- Consent is required for the setting of cookies (whether or not the cookies collect personal data) and, under the GDPR, the standard of consent required is a clear affirmative action by the data subject. However, consent is not required where (i) the sole purpose of the cookie is to carry out the transmission of a communication over a network; or (ii) the cookie is strictly necessary to provide an information society service that is explicitly requested by the user.
- It should be possible to withdraw consent as easily as it was given.
- Consent for cookies must not be bundled with consent for other purposes. Consent must be obtained for each purpose for which cookies are set (eg analytics, targeting and marketing), although consent does not need to be obtained for every cookie (eg it is not necessary for cookies that are "necessary" to deliver a service, such as remembering preferences).
- Pre-checked boxes or sliders or other tools set to 'ON' by default should not be used to signal a user's consent to the setting of cookies.
- Consent should be time limited. While the law does not prescribe specific lifespans for cookies, the DPC recommends that companies ask users to reaffirm their consent no longer than six months after it has been provided.
- The use of a cookie banner or pop-up must not 'nudge' a user into accepting cookies. An option to reject must have equal prominence in the banner. Furthermore, a cookie banner that merely gives the user the option to click "accept" to say yes to cookies, and which provides no other option, is not compliant. This means banners with buttons that read "ok, got it!" or "I understand", and which do not provide any option to reject cookies or to click through for further, more detailed information, do not meet the standard of consent required.
- Links to privacy and cookie policies should be visible and accessible to users without any cookies being set.
- The lifespan of a cookie must be proportionate to its function. For example, it would not be considered proportionate to have a session cookie with a lifespan of "forever".
- Cookies or other technologies to track the location of a user or device should not be used without consent.
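To show how several of these key points translate into a site's own cookie-setting logic, here is an added JavaScript example (not code from the DPC guidance or from the original article) of a per-purpose consent record that gates whether a cookie may be set: no purpose is on by default, a consent record older than roughly six months is treated as expired so the user is asked again, withdrawal is a single call, strictly necessary cookies are exempt, and a session cookie is refused a persistent lifetime. The purpose names, the 182-day approximation of six months, the cookie attributes and the cookie names used in the demo are assumptions made for this illustration.

```javascript
// Added example: per-purpose consent record gating cookie setting.
// The constants, purpose names and cookie attributes below are assumptions
// for this illustration, not values taken from the DPC guidance.
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // approximation of "six months"

// Purposes a site might define (assumed names); "necessary" cookies need no consent.
const PURPOSES = ["analytics", "targeting", "marketing"];

// A fresh record: nothing is pre-checked, so every purpose starts as false.
function newConsentRecord(now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = false;
  return { purposes, updatedAt: now };
}

// A record only counts while it is recent; an older one forces a new prompt.
function consentIsCurrent(record, now = Date.now()) {
  return Boolean(record) && now - record.updatedAt < SIX_MONTHS_MS;
}

// Grant consent only for the purposes the user affirmatively chose.
function grantConsent(record, chosenPurposes, now = Date.now()) {
  const purposes = { ...record.purposes };
  for (const p of chosenPurposes) {
    if (!(p in purposes)) throw new Error(`unknown purpose: ${p}`);
    purposes[p] = true;
  }
  return { purposes, updatedAt: now };
}

// Withdrawal is a single call, as easy as granting.
function withdrawConsent(record, purpose, now = Date.now()) {
  return { purposes: { ...record.purposes, [purpose]: false }, updatedAt: now };
}

// Decide whether a given cookie may be set right now.
// spec: { name, value, purpose, strictlyNecessary, session, maxAgeSeconds }
function mayBeSet(spec, record, now = Date.now()) {
  if (spec.strictlyNecessary) return true;           // exempt: no consent needed
  if (!consentIsCurrent(record, now)) return false;  // absent or expired consent
  return record.purposes[spec.purpose] === true;
}

// Proportionality check: a session cookie must not carry a persistent lifetime,
// and a persistent cookie must state a finite, positive lifetime.
function lifespanIsProportionate(spec) {
  if (spec.session) return spec.maxAgeSeconds === undefined;
  return Number.isInteger(spec.maxAgeSeconds) && spec.maxAgeSeconds > 0;
}

// Build a Set-Cookie header value only for cookies that pass both checks;
// returns null when the cookie must not be set.
function setCookieHeader(spec, record, now = Date.now()) {
  if (!mayBeSet(spec, record, now) || !lifespanIsProportionate(spec)) return null;
  let header = `${spec.name}=${spec.value}; Path=/; Secure; SameSite=Lax`;
  if (!spec.session) header += `; Max-Age=${spec.maxAgeSeconds}`;
  return header;
}

// Demo with constructed cookie specs (names are made up for this example).
function demo() {
  const cart = { name: "cart", value: "c1", strictlyNecessary: true, session: true };
  const stats = { name: "site_stats", value: "s1", purpose: "analytics", maxAgeSeconds: 86400 };
  let record = newConsentRecord();
  const beforeConsent = [setCookieHeader(cart, record), setCookieHeader(stats, record)];
  record = grantConsent(record, ["analytics"]);
  const afterConsent = setCookieHeader(stats, record);
  record = withdrawConsent(record, "analytics");
  const afterWithdrawal = setCookieHeader(stats, record);
  return { beforeConsent, afterConsent, afterWithdrawal };
}
```

Calling `demo()` returns the necessary cart cookie header before any consent, null for the analytics cookie until consent is granted, a header once it is, and null again after withdrawal; a site would also need to re-prompt once `consentIsCurrent` returns false.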
The DPC has given companies 6 months to bring their websites and apps into compliance, after which it will take enforcement action against those that are not compliant. Interestingly, the DPC has said that first-party analytics cookies (ie cookies set by the host website, as opposed to third-party cookies set by a domain other than the one the user is visiting) are likely low risk and therefore unlikely to be a priority for enforcement. However, as it is clear that the DPC does intend to exercise its enforcement powers later this year, there is no time to lose: businesses should review their cookie policies without delay.