Irish Data Protection Commission is finally getting serious about cookie management.
In April 2020, the Irish Data Protection Commission released updated guidance on cookie compliance. Largely, the release clarified the relationship between the General Data Protection Regulation (GDPR), the Electronic Privacy Directive (EPD) and cookies. The most notable part of the IDPC statement was that Irish businesses had 6 months to bring their sites into compliance with this newly clarified advice. In short, from October 6th, 2020, the penalties outlined under the GDPR will apply. You can read the full April release here:
In practical terms what does this mean for you and your business website? Let us start with the basics.
What the hell is a cookie?
Do not be fooled by the delicious name, you are about to read a dreadfully dull paragraph (Sorry…)
Websites now do a lot more than deliver reams of text about your favourite topics. They play video, they let you buy online, they let you log in and save favourites. These interactive features require collaboration between the device you use and the website you browse. This is achieved (in simple terms) by placing a small text file, referred to as a cookie, on your device. The text file is used to store information, which gives the website a memory of sorts. It remembers you and the things you do on the website.
What has this got to do with data protection?
You never agreed to your information being used by advertising platforms. You never agreed to allow adverts to follow you around the internet, and under GDPR, if you did not give specific consent, then they are not allowed to use your information. In short, cookies used for anything other than primary functionality need your permission before they are placed on your device.
This has been the case since 2018, and most website owners are aware that their website needed a “Cookie Message”, but the vast majority of these messages are not compliant with the law. Yes, we tell our customers about cookies, but we carry right on using them regardless. This goes against both the spirit and the letter of the regulations.
This disregard or “lip service” approach to cookie management is what has led us to the much more detailed advice, coupled with a time limit for us all to get our act together.
How do I become compliant?
The first step is to understand what cookies you are using and why. You can ask your web provider to assist with this. Once you know what cookies you use and why, you can split them into two groups:
- Essential cookies (not requiring consent)
- Other cookies (requiring consent)
You can then engage a web development company or a Consent Management Platform (CMP). They can then update your website to ask permission from your visitors (via a pop up) to use the cookies requiring consent, and to set only those that have that consent.
The important thing to note is that you are not allowed to assume consent, nor are you allowed to sway your visitor to a yes rather than a no.
For example, this is not compliant:
This is compliant:
Firstly, this one does not set any cookies (that require consent) until after the user has interacted with the message. Secondly, it allows the user to reject or accept without promoting one option over the other. Lastly, it gives the user the ability to manage their consent options.
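The behaviour described above, sketched as an added example (it is not Dmac Media's code or any CMP's API): essential cookies are always allowed, every other cookie is refused until the visitor accepts its category, and withdrawing consent removes what was set. The cookie names, the category names and the `createConsentGate` helper are hypothetical.

```javascript
// Hypothetical inventory: every cookie the site uses, mapped to its purpose.
const COOKIE_INVENTORY = {
  session_id: "essential", basket: "essential",
  analytics_id: "analytics", ad_tracker: "advertising",
};

// writeCookie/deleteCookie would wrap document.cookie in a browser; they are
// injected here so the gate logic runs anywhere.
function createConsentGate(writeCookie, deleteCookie) {
  const granted = new Set(); // empty by default: consent is never assumed
  const written = new Map(); // cookie name -> category, used on withdrawal

  function setCookie(name, value) {
    const category = COOKIE_INVENTORY[name];
    if (category === undefined) return false; // not in the audit: refuse
    if (category !== "essential" && !granted.has(category)) return false;
    writeCookie(name, value);
    written.set(name, category);
    return true;
  }

  // Called with the categories the visitor accepted in the pop up.
  function recordChoice(acceptedCategories) {
    granted.clear();
    for (const c of acceptedCategories) granted.add(c);
    // Remove cookies set under a category that is no longer granted.
    for (const [name, category] of written) {
      if (category !== "essential" && !granted.has(category)) {
        deleteCookie(name);
        written.delete(name);
      }
    }
  }
  return { setCookie, recordChoice };
}

// Constructed demo: a plain object stands in for the browser cookie store.
function demo() {
  const jar = {};
  const gate = createConsentGate((n, v) => { jar[n] = v; }, (n) => { delete jar[n]; });
  gate.setCookie("session_id", "abc");
  gate.setCookie("analytics_id", "u1"); // blocked: no choice made yet
  const beforeChoice = Object.keys(jar);
  gate.recordChoice(["analytics"]);
  gate.setCookie("analytics_id", "u1");
  gate.setCookie("ad_tracker", "x"); // blocked: advertising was rejected
  const afterAccept = Object.keys(jar);
  gate.recordChoice([]); // visitor withdraws consent
  return { beforeChoice, afterAccept, afterWithdraw: Object.keys(jar) };
}
```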
Cookies themselves are far more complex than this blog might imply, but the rules surrounding data privacy still remain simple. If you are making a genuine effort to comply and give your users the control they are entitled to, you have nothing to worry about.
If you are concerned about Cookie management, then get in touch with us here at Dmac Media Ltd and we are happy to give your site a quick audit.