GDPR and websites – are your cookies stale?

Data Protection Commissioner to enforce GDPR compliance for cookies after 6th October 2020

Our Business Solicitors Dublin MP Moloney write to remind us of the upcoming deadline of the 6th October set by the Data Protection Commission of Ireland by which businesses operating websites and collecting user behaviour data must have the cookie notice compliant with the EU General Data Protection Regulation, Regulation (EU) 2016/679, known commonly as the GDPR.

So what are Cookies?

Cookies are pieces of software added to websites to allow their owners track the behaviour of users on their site. A very common example of a widely used cookie is Google Analytics. This program places a code on your website which enables the recording of the personal data of the visitors to a site. It can then deliver this valuable information in report form to the website owner. Other cookies remain on the user computer and track their behaviour after they have left the site and go to other sites. Cookies are an important part of creating an accurate target market for any business. They collect invaluable information for marketing purposes.

And what is a Cookie Notice?

Since in enactment of Data Protection legislation in Ireland 1996 measures were introduced to enhance the protection of consumers and “data subjects”. A data subject is any natural person, not a company, from whom data (any information) is collected and stored. It is as it sounds quite broad ranging and covers all data from workplace records, to CCTV footage, to health and personal information and any correspondence. It also includes the collection of user information and behaviour through websites. One of the protections for consumer currently in place is a notification on the website to the effect that cookies are being used by the website operator. If the user continues to interact with the website their consent to data collection was deemed valid. With the enactment of the GDPR however this protection of consumers was enhanced in a number of ways.

The growth of social media and smartphones prompted a stronger need for vigilance on the part of the data collectors as these devices use a number of measures to collect user behaviour data such as “like” buttons (widgets) and location tracking through Apps. These methodologies are what the GDPR is attempting to balance in the interests of consumer protection.

For example, some of new measures are:

• Cookies must have a life span. The time they operate on a user’s computer must be be proportionate to their objective.
• There must be periodic renewals of consent to cookies. In the modern context this is why we see cookie notices popping almost every time a website is revisited.
• Consent Management Systems, specific programs designed to record the granting of consent by each website user, must themselves procure consent to store this information and renew this consent every six months at least.
• “First-party” analytics, analytics carried out the website owner for their own purposes are not deemed essentially a privacy risk. However, third party analytics i.e. those carried out by parties on the same website for third party commercial purposes are deemed a privacy risk and the recording of valid consent must be evidenced.
• Website owners should always ensure that they have a written agreement, which can be in electronic form, in place in the case of widgets such as “share” buttons and “like” buttons where the data is being transferred to another platform e.g. Facebook. These agreements should confirm the data processing relationships with the third parties involved in their website, and set out the responsibilities and liabilities arising from such relationships. In other words under GDPR which party is the “Data Controller” and which is the “Data Processor”.
• Any website or APP collecting location data and cross referencing this with other personal data, as is common with smartphones and their Apps, must complete a form of Data Processing Impact Assessment, known as a DPIA

More detailed information is available in the website of the Data Protection Commissioner of Ireland.