SIX MONTHS AGO, the Data Protection Commission (DPC) gave websites a deadline of 5 October to get their cookies policy up to scratch with the relevant laws and regulations in Ireland.
You may have noticed more notifications about selecting cookie options on websites recently as sites prepared for possible enforcement after this date.
This followed on from a DPC review of compliance among several websites published in April this year.
With more guidance issued to sites, and threats of enforcement, people should have a lot more privacy options to choose from when browsing online.
First of all, what are cookies?
A cookie is a small piece of code that is downloaded to a device by a browser such as Google when someone visits a website.
There are different types of cookies. Analytics cookies are used to measure how people use a website, tracking things like how long a person spends on each site page.
Another type of cookie is a pixel. These are often embedded in sites or emails and used to monitor or track a user’s action.
They can be used to tell when someone opens an email or clicks on something within an email.
If a user of a social network such as Facebook is logged into their account when they visit a site which contains a Facebook pixel, the social network can then connect this behaviour to create more targeted ads on the Facebook site.
Data protection consultant at Ambit Compliance, Gillian Traynor, said cookies are generally used “to track user behaviour in some manner or means”.
She said some cookies can be useful for websites.
“Cookies have a good purpose as well because if you’re on a shopping site like Tesco, and you get interrupted by a phone call and have to switch over, you want to be able to remember what you just put in the basket,” she said.
“So there are certain benefits to having cookies on the website. It improves the user experience to a certain degree, but some of them are superfluous.”
So although some cookies help sites work better, they can be intrusive to privacy and track people’s behaviour across the internet and across different devices.
What does the law say?
There have been laws relating to cookies and online tracking for several years in Ireland.
The issue of consent when it comes to being tracked online was defined in the General Data Protection Regulation (GDPR) which took effect in the EU in 2018.
Traynor said the GDPR was “unambiguous” when it comes to consent.
“For ‘freely given’, it means that somebody must actively be giving their consent,” she said.
This usually consists of ticking a box, as opposed to clicking ‘select all’ for cookie options that have been pre-ticked on the website.
Prior to the GDPR, Ireland had privacy legislation in place through the 2011 European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations.
Traynor said this was known at the time as the “cookie law”. It was an EU directive adopted by all EU countries almost a decade ago.
“Then when GDPR came out and re-defined what consent was… if you were to interpret the cookies law now under the guise of GDPR with the definition of consent, it was clear that people weren’t actually giving their consent, they weren’t even being given a choice,” Traynor said.
What changed from this week?
From 5 October, websites operating in Ireland must abide by cookie laws or face threat of enforcement from the DPC.
In August last year, the DPC examined the use of cookies on several popular websites across different sectors like media, restaurants and insurance.
A report on this examination was published with further guidance issued to website controllers. A deadline of six months was given for compliance as a result of issues identified among the sites.
“It was evident from the examination of the types of tracking technologies and cookies in use that advertising technology and tracking are core to the business models of many of the websites examined,” the report said.
Gillian Traynor explained: “Now, websites either should have no cookies installed, or if they have cookies installed, they need to have a thing called a cookie consent management tool.”
This tool turns off all non-vital cookies as a default.
Did the DPC find most websites to be compliant with the law?
Essentially, no.
A total of 26% of the controllers who responded to the sweep were found to have pre-checked boxes for the cookies policy. This does not comply with the laws in place.
About two-thirds of controllers were relying on a model of implied consent to set cookies.
These include statements such as “by continuing to browse this site you consent to the use of cookies”.
The report said the DPC is concerned that certain data, such as details of illnesses or conditions a person searches for on a website, is being shared with companies like Google or Facebook through the use of either explicit profiles of customers or through predictive profiles based on unique identifiers.
What should cookie options look like now?
Ideally, people should be given three options for their cookies on any site:
Traynor said: “It’s everybody’s personal decision in terms of whether they want to be tracked or whether they want to be marketed to. And some people don’t mind those ads following them, other people do, so it’s very much a personal decision.”
“From a technical perspective, it’s a pretty simple thing to do,” she said in terms of the change for website controllers.
Do people have more privacy online now?
Traynor believes this enforcement of the rules will help people regain some privacy when browsing online.
“If all websites were compliant, then definitely,” she said about privacy.
She added that she doesn’t think the average person knows the impact of having tracking cookies in place.
“I don’t think people understand that they’re being followed, but maybe some people have really no problem with that either,” she said.
She clarified that choosing the ‘reject all’ option for cookies is much the same as using incognito mode on a browser.
How will the DPC enforce this?
Elaine Edwards from the DPC’s Special Investigations Units, speaking on a DPC podcast about cookies, said that there could “certainly” be enforcement through the eprivacy regulations from 2011 from this week onwards.
“Consent is required for cookies,” Edwards emphasised.
She said the DPC could also carry out audits and examinations of sites under the GDPR.
She said the DPC already enforces “quite regularly” the eprivacy regulations and takes controllers to court on a “fairly regular basis” due to non-compliance.
Any website which offers services in Ireland or which has a market in Ireland should be compliant with the policy.
Don’t I have to accept cookies to use a website?
No. Traynor was clear that users do not have to accept cookies in order to access a site under these rules.
“If you see a ‘reject all’ and you’re not happy with it, you can reject,” she said.
This is due to the GDPR definition of consent put through the 2011 eprivacy legislation.
To embed this post, copy the code below on your site
have your say