In April 2020, the Irish Data Protection Commission released updated guidance on cookie compliance. Largely, the release clarified the relationship between the General Data Protection Regulation (GDPR), the Electronic Privacy Directive (EPD) and cookies. The most notable part of the IDPC statement was that Irish businesses had 6 months to bring their sites into compliance with this newly clarified advice. In short, from October 6th, 2020, the penalties outlined under the GDPR will apply. You can read the full April release here:
In practical terms, what does this mean for you and your business website? Let us start with the
What the hell is a cookie?
Do not be fooled by the delicious name: you are about to read a dreadfully dull paragraph (Sorry…)
Websites now do a lot more than deliver reams of text about your favourite topics. They play video, they let you buy online, they let you log in and save favourites. These interactive features require collaboration between the device you use and the website you browse. This is achieved (in simple terms) by placing a small text file on your device, referred to as a cookie. The text file is used to store information. This allows the website to have a memory of sorts. It remembers you and the things you do on the website.
What has this got to do with data protection?
Well, if the websites you visited only used these cookies to make their websites work, then we really would not be having this conversation. However, that is not the whole story. They do use cookies (your information) for that primary purpose, but they also use them for other things: tracking and tracing your behaviour to help them improve their website, or letting Google, Facebook and a plethora of other platforms track your behaviour to better tailor their advertising campaigns.
You never agreed to your information being used by advertising platforms. You never agreed to allow adverts to follow you around the internet and, under GDPR, if you did not give specific consent, then they are not allowed to use your information.
In short, cookies used for anything other than primary functionality must have your permission to be placed on your device.
This has been the case since 2018 and most website owners are aware that their website needed a “Cookie Message”, but the vast majority of these messages are not compliant with the law. Yes, we tell our customers about cookies, but we carried right on using them regardless. This goes against both the spirit and the letter of the regulations.
This disregard or “lip service” approach to cookie
management is what has led us to the much more detailed advice, coupled with a
time limit for us all to get our act together.
How do I become compliant?
The first step is to understand what cookies you are using and why. You can ask your web provider to assist with this. Once you know what cookies you use and why, you can split them into two groups:
cookies (not requiring consent)
other cookies (requiring consent)
You can then engage a web development company or a Consent Management Platform (CMP). They can then update your website to ask permission from your visitors (via a pop-up) to use the cookies requiring consent and only set those that have that consent.
The important thing to note is
that you are not allowed to assume consent nor are you allowed to sway your
visitor to a yes rather than a no.
For example, this is not
This is compliant:
this one does not set any cookies (that require consent) until after the user has interacted with the message. Secondly, it allows the user the ability to reject or accept without promoting one option over the other. Lastly, it gives the user the ability to manage their consent options.
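One way a site could enforce "only set those that have that consent", shown as an added example that is not part of the original post or any CMP's own code. The cookie names, categories and the `createConsentGate` helper are hypothetical, and a `Map` stands in for the browser's cookie store so the code runs outside a page.

```javascript
// Constructed registry: every cookie the site may set, with its purpose.
// Names and categories are illustrative, not taken from any real site.
const REGISTRY = {
  session_id: "necessary",   // login / basket: works without consent
  site_stats: "analytics",   // behaviour tracking: requires consent
  ad_profile: "advertising", // ad targeting: requires consent
};

// `jar` is a Map standing in for the browser cookie store so the example
// runs under Node; in a page the writes would go to document.cookie.
function createConsentGate(registry, jar = new Map()) {
  // Empty until the visitor answers the banner: consent is never assumed.
  const consent = Object.create(null);
  const allowed = (name) => {
    const category = registry[name];
    if (category === undefined) return false; // unclassified: never set
    return category === "necessary" || consent[category] === true;
  };
  return {
    jar,
    // Attempt to set a cookie; returns true only if it was actually stored.
    set(name, value) {
      if (!allowed(name)) return false;
      jar.set(name, value);
      return true;
    },
    // Record the visitor's choice per category (called from Accept, Reject
    // or the manage-options screen). Only an explicit `true` is consent.
    record(choices) {
      for (const [category, value] of Object.entries(choices)) {
        consent[category] = value === true;
      }
      // Withdrawal: delete cookies whose category is no longer consented.
      for (const name of [...jar.keys()]) {
        if (!allowed(name)) jar.delete(name);
      }
    },
  };
}
```

Routing every cookie write through one gate like this also gives you the inventory from the first step: a cookie that is not in the registry simply cannot be set.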
themselves are far more complex than this blog might imply, but the rules surrounding data privacy still remain simple. If you are making a genuine effort to comply and give your users the control they are entitled to, you have nothing to worry about.