NOTES ON DPC GUIDANCE AND REPORT ON COOKIES – 15th April 2020
In its overall guidance, the DPC emphasises that it is essential to ensure that your CMP is properly installed with effective tag management integration, that consent is implemented in line with the GDPR definition of valid consent (see below), and that the implementation is kept up to date with the tracking on your site/app.
Cookies and tracking technologies
- Cookie lifespan should be proportionate to their function.
- Cookie regulations apply to all types of trackers (Local Shared Objects, Software Development Kits, etc.) and to access/storage irrespective of whether personal data is involved.
Consent & exemptions
- Consent is required for access/storage irrespective of whether personal data is involved.
- The standard for valid consent is the one defined in GDPR (freely given, specific, informed and unambiguous).
- Two exemptions (see EDPB Opinion 04/2012): communication (cookies to facilitate communication over a network) and strictly necessary (to deliver a service requested by the user).
- Advertising cookies, analytics cookies and location trackers require consent.
Obtaining valid consent
- Consent cannot be bundled. Multi-purpose cookies require multi-purpose consent. Pre-checked boxes are not allowed.
- A layered approach to User Interfaces is accepted.
  - 1st layer: should request consent, list the purposes, and contain an “accept” option and a call to action with other options. Calls to action should have equal prominence and not make use of confusing colours or patterns.
  - 2nd layer: more detailed information allowing granular, per-purpose choices. A link to further information about cookie use and third parties must be available.
- Implied consent, e.g. through scrolling, is not valid.
- Consent must be as easy to withdraw as to give, and be reaffirmed every 6 months.
- CMPs can be used and must keep records of user choices. CMPs must do what they purport to do and accurately reflect user choices.
- Consent through browser settings does not meet the requirement of clear and comprehensive information.
DPC Observations on Bad Practices in Cookie Report
- The DPC called out cookies being dropped on initial page load, prior to consent being collected.
- Pre-checked boxes which opt users into marketing/analytics cookies by default and without consent.
- Cookies, e.g. marketing and analytics cookies, being positioned as “essential” and therefore exempt from ePD consent.
- Colour coding (e.g. green/red) to signal compliance and toggles without explanatory text were considered to be confusing by the DPC.
The DPC is giving companies 6 months to come into compliance with the guidance accompanying the Cookie report, after which more formal enforcement can be expected.