| Cookie & Tracking Technology Compliance | |
|---|---|
| 1. General rule: consent is needed | User consent is required before a cookie is set unless it is a strictly necessary or communications cookie. Consent is required even if personal data is not accessed. |
| 2. Exemptions | The exemptions are strictly applied. The information society service must be explicitly requested by the user, and the cookie must be strictly necessary for that service. This would, for example, include a cookie that is required for the user to access parts of the website, but not customer service chatbot cookies. A communications cookie’s sole purpose must be carrying out a communications transmission. |
| 3. What type of consent is needed? | Consent must be freely given, specific, informed and an unambiguous indication of the user’s wishes. Silence, inaction or implied consent will not be sufficient. Consent cannot be ‘bundled’, i.e. a user cannot be asked to consent to all categories of cookies at once. Users must be able to withdraw their consent as easily as they gave it. |
| 4. Obtaining consent via cookie banners | Cookie banners typically adopt a layered approach to providing information and seeking consent. It must be clear that the user has engaged with the banner. It should not contain any pre-ticked boxes (save for strictly necessary cookies). There should be no mechanism which indicates default acceptance by the user; for example, the banner should not state that continued use of the website constitutes implied consent to set cookies. It is advisable to offer an option to reject or refuse consent to cookies which has equal prominence to the ‘accept’ option. At the very least, information on how to revoke consent should be provided. |
| 5. Cookie categories | Cookies must be clearly categorised and set apart according to their purpose (e.g. functional, performance, marketing, targeting, profiling, social media, analytics). Users must be able to consent (or refuse consent) for each specific cookie category. |
| 6. Cookie lifespan | Cookie lifespans should be proportionate to their function. For example, a session cookie must not last forever. |
| 7. Renew consent | The Data Protection Commission recommends that users be asked to reaffirm consent at least every 6 months. |
| 8. Cookie policy | Users must also be provided with user-friendly, easily accessible and comprehensive information about cookies. Your Cookie Policy can be used to meet this requirement. It should cover the types of cookie being set; the cookies’ purpose(s); the third parties who have access to the data; the cookies’ lifespan; and how the user may withdraw their consent. If you are processing personal data, the transparency requirements of GDPR Articles 12 and 13 must also be satisfied, which includes providing information on legal bases and individuals’ rights. |
| 9. Personal data | If personal data is processed as a result of using cookies, the GDPR will also apply. Personal data includes online identifiers that relate to an identified or identifiable person. A person may be identifiable as a named individual or simply as a unique user of electronic communications and other internet services who can be distinguished from other users. |
| 10. Third parties | If you deploy third-party tracking technologies on your website, you may be a joint controller with the third party. Third-party tracking technologies include “like” buttons, plugins or widgets, pixel trackers or social media sharing tools. If you are a joint controller you will need to put in place an arrangement for compliance with your GDPR obligations and make the essence of that arrangement known to users. |
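The consent mechanics in rows 3 to 7 (no default acceptance, per-category consent, withdrawal as easy as granting, lifespans proportionate to function and reaffirmation at least every 6 months) can be enforced in code as a gate that runs before any cookie is set. The following JavaScript is an added example written for this page; it is not code from the Data Protection Commission or from any consent-management product. The cookie registry, the category names, the per-category lifespan caps and the 182-day renewal window are constructed assumptions. It is plain logic that runs under Node; wiring it to a banner and to `document.cookie` is left to the caller.

```javascript
"use strict";

const STRICTLY_NECESSARY = "strictly_necessary";
// About 6 months; consent older than this is treated as expired and must be reaffirmed.
const RENEWAL_MS = 182 * 24 * 60 * 60 * 1000;

// Constructed registry: every cookie the site sets, with its published category and a
// per-category lifespan cap in seconds (null = session cookie, no Max-Age ever emitted).
const COOKIE_REGISTRY = {
  session_id:     { category: STRICTLY_NECESSARY, maxAgeSeconds: null },
  csrf_token:     { category: STRICTLY_NECESSARY, maxAgeSeconds: null },
  site_analytics: { category: "analytics",        maxAgeSeconds: 90 * 86400 },
  ad_segment:     { category: "marketing",        maxAgeSeconds: 30 * 86400 },
};

// Categories that are offered for consent; strictly necessary cookies are exempt and never appear.
const CONSENT_CATEGORIES = [...new Set(Object.values(COOKIE_REGISTRY).map((c) => c.category))]
  .filter((c) => c !== STRICTLY_NECESSARY);

class ConsentState {
  // `now` is injectable so the renewal window can be tested with a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.decisions = Object.create(null); // category -> { granted, at }
  }

  // Record one explicit choice for one category. There is no "accept all" path, so
  // consent is never bundled; a category the user has not decided on counts as refused.
  record(category, granted) {
    if (category === STRICTLY_NECESSARY) {
      throw new Error("strictly necessary cookies are exempt and are not offered for consent");
    }
    if (!CONSENT_CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.decisions[category] = { granted: Boolean(granted), at: this.now() };
  }

  // Withdrawal is a single call, as easy as granting.
  withdraw(category) {
    this.record(category, false);
  }

  isGranted(category) {
    if (category === STRICTLY_NECESSARY) return true;
    const d = this.decisions[category];
    if (!d || !d.granted) return false;
    return this.now() - d.at < RENEWAL_MS; // stale consent is not valid consent
  }

  // Categories the banner must ask about: never decided, or decided too long ago.
  categoriesNeedingDecision() {
    return CONSENT_CATEGORIES.filter((c) => {
      const d = this.decisions[c];
      return !d || this.now() - d.at >= RENEWAL_MS;
    });
  }
}

// Decide whether `name` may be set given the current consent state. On success returns a
// Set-Cookie header value with the lifespan clamped to the category cap.
function cookieDecision(name, consent, { value = "", maxAgeSeconds = null } = {}) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) {
    return { allowed: false, reason: `'${name}' is not in the cookie registry; uncategorised cookies are never set` };
  }
  if (!consent.isGranted(entry.category)) {
    return { allowed: false, reason: `no valid consent for category '${entry.category}'` };
  }
  const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  let effectiveMaxAge = null;
  if (entry.maxAgeSeconds !== null) {
    // Persistent category: the requested lifespan may only shorten the cap, never extend it.
    effectiveMaxAge = maxAgeSeconds === null ? entry.maxAgeSeconds : Math.min(maxAgeSeconds, entry.maxAgeSeconds);
    attrs.push(`Max-Age=${effectiveMaxAge}`);
  }
  // Session-scoped categories get no Max-Age at all, so a session cookie cannot outlive the session.
  return { allowed: true, maxAgeSeconds: effectiveMaxAge, header: attrs.join("; ") };
}
```

Two design points carry the weight here. Refusing any cookie that is not in the registry turns the categorisation in row 5 from documentation into an enforced inventory: a new cookie cannot appear on the site until someone has classified it and the Cookie Policy has been updated. And because `record` rejects the strictly necessary category outright, the banner code cannot accidentally present it as a toggle or a pre-ticked box; the only cookies that bypass the consent check are the ones the registry marks as exempt.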