Background
Cookies are small pieces of data that a website asks the browser to store and send back with later requests. They are an important instrument that can give businesses insight into users' online activity. Depending on their type, cookies may be entirely harmless, but they may also store a wealth of data that can be used to identify individuals without their consent.
First-party cookies (set by the website being visited) and third-party cookies (set by a domain other than the one shown in the address bar, typically an advertising or analytics provider) serve important functions for e-commerce, but they can also be used to track users' activity across sites in order to serve targeted advertising.
Despite their importance, and arguably because of the complexity of their technical and legal characteristics, the rules governing cookies are split between the General Data Protection Regulation (GDPR) and the ePrivacy Directive. The Directive was transposed into Irish law through the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011) ('the e-Privacy Regulations').
The GDPR applies to cookies only insofar as the data they store or link to can identify a natural person or be used to profile one; an online identifier such as a cookie ID can itself be personal data. Regulation 5 of the e-Privacy Regulations is the Irish provision that specifically governs the storing of, and access to, information on a user's device, including cookies. The two regimes work together: the e-Privacy Regulations address the confidentiality of electronic communications and the tracking of internet users, while the standard of consent required before cookies can be placed is the one defined in the GDPR.
Consent Requirement
- Informed Consent: Businesses must obtain the "freely given, specific, informed and unambiguous" consent of users before placing cookies or similar technologies on their devices. Users must clearly understand what data is being collected, the purposes for which it is collected, how it will be used, and who will have access to it. This information is typically provided in a cookie notice or 'banner'.
- Ongoing Consent: Businesses must allow users to manage their cookie preferences at any time. Users should be able to withdraw their consent, modify their cookie preferences, or opt out of non-essential cookies as easily as they gave consent. The Data Protection Commission (DPC) recommends that consent be re-sought no later than six months after it was obtained.
Exceptions to the Consent Requirement
There are limited exceptions under which cookies may be placed without consent: cookies used solely for the transmission of a communication, and cookies strictly necessary for the provision of a service explicitly requested by the user (e.g., session cookies used to keep a user logged in, or to remember the contents of a shopping basket during checkout). The test is whether the cookie is necessary from the user's perspective, not whether it is useful to the business; analytics and advertising cookies therefore do not fall within the exception and require consent.
Compliance Best Practices
To ensure compliance with the e-Privacy Regulations, businesses should consider the following best practices:
- Implement a Cookie Management Platform: Automate the process of obtaining, recording, and managing user consent to improve efficiency and accuracy, and keep a record of what each user consented to and when.
- Provide Layered Information: Through the cookie banner, inform users about the use of cookies and provide a link to more detailed information about their purposes, their duration, and the third parties to whom data will be transferred.
- Audit Cookies Regularly: Review and audit the cookies and tracking technologies actually set by your website, particularly when launching new marketing campaigns or technologies. In practice this means checking that no non-essential cookie is set before the user has consented, that a third-party script does not introduce cookies the banner does not describe, and that withdrawing consent actually stops the cookies from being set.
- Data Protection Impact Assessment: Cookies may, depending on the information stored, involve the processing of personal data. The DPC has published a list of processing operations for which a data protection impact assessment is mandatory. This includes processing operations involving the systematic monitoring, tracking or observing of individuals’ location or behaviour, and the profiling of individuals on a large scale.
Enforcement
The DPC is the national authority responsible for enforcing the privacy legislation. It has the authority to investigate and prosecute breaches of the e-Privacy Regulations; on conviction on indictment, fines of up to €250,000 may be imposed. Non-compliance can also harm a company's reputation, eroding customers' trust and damaging relationships with regulators.
In an expanding digital world, compliance with privacy laws has become a necessity for businesses. This is particularly pertinent in the context of M&A, where it is increasingly important to investigate a target's compliance with privacy regulations as part of the due diligence exercise.
By obtaining informed consent, being transparent about data practices, and providing users with control over their privacy preferences, businesses can build trust and reputation and avoid hefty penalties.
For further information or advice please contact Gergana Moran or your usual Beauchamps contact.