The Return of the Cookie Monster?
In 2019, the Data Protection Commission (DPC) conducted a “cookie sweep” of a wide array of websites operating in Ireland.
Latest tips for cookie compliance
- Do not use pre-ticked boxes where consent to cookies is required – Pre-ticked boxes will not constitute valid consent under the GDPR or the ePrivacy Directive.
- Inferred consent is not sufficient – It is generally not permissible to rely on a user’s browser settings for “deemed consent”.
- Users must be able to withdraw their consent to cookies – Controllers are reminded that accessible methods must be provided which allow users to withdraw their consent at any time and in a manner as easy as it was to give the consent. The Cookie Banner Task Force suggest that “a small hovering and permanently visible icon be used” or a “link be placed on a visible and standardized place”.
- Consider the appropriate lifespan of each cookie – Controllers should assess what the proportionate lifespan of each cookie is.
- Analytics cookies and consent – Consent is required for the use of analytics cookies, whether they are first party or third party cookies. However the DPC stated in its 2020 guidance note that “[i]t is unlikely that first-party analytics cookies would be considered a priority for enforcement action by the DPC.”