
Guidance on Cookies, Tracking Technologies and Consent Requirements for Avectas Limited (“Avectas”) in light of:

(I) GDPR;

(II) Recent Case Law; and

(III) Recent Regulatory Guidance.

1. Cookies and the General Data Protection Regulation (“GDPR”)

1.1 A cookie is a small text file that is placed on a user’s device by a web server and stored in the user’s browser/hard drive. Cookies are one of a number of device-based tracking technologies. Other examples include local storage objects (LSOs), software development kits (SDKs), pixel trackers or pixel gifs, ‘like’ and social sharing buttons, and device fingerprinting technologies. Where we refer to “cookies” in this guidance we refer to all tracking technologies. Where cookies contain identifiers that may be used to target a specific individual, or where information is derived from cookies and/or other tracking technologies that may be used to target or profile individuals, then this will constitute personal data and its processing is subject to the rules set out in GDPR.

1.2 Online Identifiers/Profiles. Recital 30 of GDPR also notes that individuals (i.e. “natural persons”) may be associated with online identifiers provided by their devices, which include cookie identifiers. It notes that this may leave traces which, “in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” Online identifiers are included in the definition of ‘personal data’ in Article 4(1) of GDPR.

2. Cookies and the e-Privacy Regulations

2.1 Essential Cookies. “Essential” cookies are cookies which are “strictly necessary in order to provide an information society service” or which have the “sole purpose of carrying out the transmission of a communication” on users’ devices. Essential cookies usually last for the duration of a web session or an absolute maximum of a number of hours. If a cookie is ‘strictly necessary’, its lifespan should be proportionate.[1] Examples include but are not limited to:

a) user input cookies (e.g. to remember the goods a user wishes to buy when they go to the checkout);

b) cookies that record user’s country or language preference;

c) authentication cookies (e.g. in connection with online banking services);

d) “load-balancing” session cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers; and

e) multi-media content player session cookies, such as flash player cookies.

2.2 Please note that cookies which serve “strictly necessary” functions can still be considered non-essential if they perform any other function not strictly limited to the service requested by the user. For example, a multi-media content player session cookie that also captures or tracks audience data could then be considered to perform a “non-essential” function and would fall into the category considered below.

2.3 Non-Essential Cookies. Any cookies which do not fall into the “essential cookies” category are considered “non-Essential” types of cookies and require users’ explicit consent for their usage. Analytical cookies (e.g. to count the number of unique visits to a website) are normally considered to be non-essential cookies.

2.4 Practical Requirements. Pursuant to Article 5(3) of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (the “e-Privacy Regulations”), organisations wishing to place cookies (or similar technologies such as web beacons or device fingerprinting) onto users’ terminal equipment or devices are required to do the following in respect of “non-essential” cookies:

a) provide website users with a notice explaining what cookies are used by a site or application (i.e. the Avectas Online Privacy & Cookies Policy (the “Policy”) which we have prepared for you);

b) explain what the purpose of each cookie is (covered in the Policy); and

c) obtain explicit consent from users to store such cookies (through an Avectas cookies banner/consent management platform (“CMP”)).

[1] The Article 29 Working Party 04/2012 on the Cookie Consent Exemption states that a cookie that is  exempted from consent should have a lifespan that ‘is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average reader or subscriber’.

3. Consent to Cookies/Avectas Obligations

3.1 While consent from users has been a requirement for the placement of cookies since 2011, the introduction of GDPR introduced a new definition of “consent” which applies to the use of cookies.

3.2 Under GDPR and the e-Privacy Regulations, data subjects are required to be informed of: (i) what Avectas’ cookies are and what they do; (ii) their lifespan; and (iii) whether Avectas uses any third party cookies (and, if so, who the third parties are). This is covered in the Privacy & Cookies Policy.

3.3 Consent must also be freely given by way of a clear affirmative act (i.e. not coerced or made conditional on further services or benefits) and must be specific, informed and unambiguous (i.e. there needs to be a proactive step taken by the data subject in order to consent, such as ticking a box). Silence or inaction by the user cannot constitute their consent to any processing of their personal data. Consent does not need to be given for each cookie, but rather for each purpose. Where a cookie has more than one purpose requiring consent, it must be obtained for all of those purposes separately. Consent must also be distinguishable from other matters so it cannot be bundled with consent for other purposes, or with terms and conditions for a contract for other services provided.

3.4 In its Guidance Note: Cookies and Other Tracking Technologies (6 April 2020) (the “Guidance”),[1] the Data Protection Commission (the “DPC”) states that controllers must include a link or a means of accessing further information about (i) the user’s use of cookies; and (ii) the third parties to whom data will be transferred when the user is prompted to accept the use of cookies.

3.5 Users must also be able to reject non-necessary cookies and they must be able to vary or withdraw their consent easily at any time via the website (and must be informed of this right). It must be as easy for a user to withdraw their consent as to give it. The Guidance provides that if you use a cookie to store a record that a user has given consent to the use of cookies, you must ask the user to reaffirm their consent no longer than six months after you have stored this consent state,[2] after which time the user must be prompted to give their consent again. The Guidance also provides that any record of consent must also be backed up by ‘demonstrable organisational and technical measures that ensure a data subject’s expression of consent (or withdrawal) can be effectively acted on’.

3.6 The GDPR consent requirement is likely to be enshrined in the new e-Privacy Regulations, once they come into force. The above approach was upheld by the Court of Justice of the European Union in the Planet 49 decision.[3] Accordingly, this now means that (i) the consent given by data subjects should be given as an affirmative, positive action; and (ii) rejecting non-Essential cookies must also be an option.[4]

[1] Data Protection Commission, Guidance Note: Cookies and Other Tracking Technologies (6 April 2020), https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20note%20on%20cookies%20and%20other%20tracking%20technologies.pdf

[2] The Guidance provides that “while the legislation does not prescribe a specific lifespan for such cookies, based on a first-principles analysis by the DPC, we consider this to be the appropriate default outer timeframe for storing the user’s consent state. A controller would need to objectively and on a case-by-case basis justify storage for a longer period”.

[3] C-673/17 – Planet49, Judgment of the Court (Grand Chamber) of 1 October 2019.

[4] The imposition of financial penalties and fines for non-compliance with cookies requirements is evident among recent regulatory enforcement across the EU. For example, in January 2022, the French regulator, CNIL, imposed fines of €60 million on Facebook, €150 million on Google and €35 million on Amazon due to their non-compliant CMPs which included issues such as placing cookies without consent of users on their devices/not permitting consent to be easily withdrawn. In non-tech sectors, the Spanish regulator fined the airline Vueling €30,000 in October 2019 for failing to provide users with options to accept, reject or withdraw consent to cookies in a granular way and the Belgian regulator fined a legal news website €15,000 in December 2019 for insufficient provision of information about cookies and placing cookies without user consent.

4. Risks of non-Compliance

4.1 Over the past two years or so, the DPC has been examining the use of cookies on a selection of websites across a range of sectors, to assess compliance with GDPR as well as the e-Privacy Regulations. In particular, the DPC assessed how the controllers investigated obtain the consent of users for the use of cookies and other tracking technologies. Its findings were published in a report on 6 April 2020 and resulted in publication of the Guidance. Following a six-month grace period from publication of the report and Guidance, the DPC has been actively investigating compliance in this area and has issued a number of enforcement notices on organisations for non-compliance since October 2020.

4.2 The range of enforcement tools available to the DPC includes fines of up to 2% of turnover or €10m under Article 31 of GDPR. In addition, the DPC has indicated that it intends to invoke its rights to prosecute under Regulation 17(4) of the e-Privacy Regulations for failure to comply with enforcement notices. Personal liability/fines for directors may also apply under the e-Privacy Regulations, where directors of a non-compliant organisation fail to understand and mitigate the risks involved.

4.3 Regulation 17(4) provides the DPC with the power to issue enforcement notices. Where the notice party fails to comply with the enforcement notice, the DPC can then pursue prosecution (reg. 17(10)). This is a summary offence subject to a Class A (up to €5,000) fine. Where compliance is the responsibility of a body corporate then, pursuant to Regulation 25, the offence can be attributable to an officer of the corporate. “Officer” is defined under Regulation 25 to include a director or secretary but also a manager or a person purporting to act in any such capacity. Members are also specifically included in circumstances where the members manage the affairs of the corporate body. Enforcement notices are also published in the DPC’s annual report so they pose a risk of negative publicity and reputational damage.

4.4 It is therefore important that the Avectas Policy, cookies banner and CMP are kept under review in line with the Guidance (and any updates to it) and as advised in this note, particularly where new functionality is introduced on the website or other revisions or updates that could result in additional non-Essential cookies being deployed. See further specific details below.

5. Avectas Privacy & Cookies Policy/Cookies Banner/Recommendations

5.1 Avectas needs to ensure that clear information about how cookies are used and how users can make decisions about the cookies is easily accessible to users through the Policy. Prior to giving consent, users should be provided with comprehensive information about the cookies being dropped, in order to meet the transparency requirements of Articles 12 to 14 inclusive of the GDPR. The Policy should explain: (i) the duration of cookies; (ii) the purpose of cookies and how they are used; and (iii) whether there are any third party cookies and, if so, name the third parties and what their cookies are used for. As per Clause 2.2 above, we would recommend that the duration is also included for non-essential/strictly necessary cookies. An effort should be made to ensure that the description of cookies is transparent and understandable to users. If a long, exhaustive list risks causing confusion, a general overview of the types of cookies used may be more appropriate.

5.2 The Guidance recommends a two-step approach for the cookies banner/CMP: As a matter of good practice, an outline of the fact that consent to the use of cookies for specific purposes can be requested or notified in a first layer of communication on the website. A second layer of information may then be used to provide more detailed information about the types of cookies, with options for the user to opt in or to accept or reject these cookies on a per category basis (e.g. strictly necessary, analytics, advertising, marketing, targeting, etc). As per the above, only strictly necessary cookies can be pre-enabled. The user must opt in to all of the other categories. Any third party cookies should also be stated to be such and the third parties identified. This is covered in the Policy.

5.3 At the moment, the cookies banner on Avectas’ website is not compliant with the requirements outlined in the memo above for the following reasons: (i) the cookies banner refers to the fact that Avectas uses cookies “to improve user experience”, but only lists ‘Strictly Necessary’ cookies, whereas all non-essential cookies deployed on the website should also be listed by category (i.e. performance cookies, functional cookies etc); (ii) there is currently only an option to ‘accept all’ or ‘decline all’ cookies, whereas users should be given an option to accept or reject each category of non-essential cookie used on the website; (iii) the link to the existing cookies policy is not operational; (iv) the ‘accept all’ button is currently highlighted green, which constitutes ‘nudging’ the user to opt to click this button and is not compliant with guidance in this area; and (v) the ‘About Cookies’ section on the CMP provides that users can change their consent to cookie usage at any time on the Privacy Policy page. It must be as easy for users to withdraw their consent to cookies usage as it was to provide same, so users should have the option to click into the CMP on the website at any time and toggle off or untick a tick-box to withdraw their consent to the use of some or all of the non-essential cookies.

5.4 We are often asked for examples of good cookies banners, CMPs and pop-ups which have been endorsed or approved by the DPC. Unfortunately, the DPC is not prescriptive as to the exact wording to be used in these items, once the criteria set out above are met and the Guidance is complied with. That being said, we refer you to the UK Information Commissioner’s Office website, the European Data Protection Board website or our own ByrneWallace LLP website as further examples of compliant practice.[1] We have also included proposed draft wording for a cookies banner by way of example below and which can be adapted to suit Avectas’ specific business requirements. As mentioned above, a link to the Policy should be provided in the banner, as best practice.

[1] This text is provided by way of example only and the wording and categorisation of cookies and their purposes should be tailored for Avectas’ specific business needs and reviewed by its website developers/IT Department to ensure that the necessary website functionality is in place to back up the statements being made and that the statements themselves are comprehensive and accurate.

6. Sample Wording for Cookies Banner

“A cookie is a small file of letters and numbers that we put on your computer if you agree. We use necessary cookies to enable you to move around our website and use its features. You may disable these cookies by changing your browser settings, but this may affect how our website functions.

We would also like to set optional analytics cookies to help us improve our website, by collecting and reporting information on how you use it [to enhance site navigation, analyse site usage and assist in our marketing efforts]* OR [to recognise and count the number of visitors and to see how visitors move around the site when they are using it. This helps us to improve the way our website works, for example by ensuring that users are finding what they are looking for easily.]* However, we will not set these cookies unless you enable them by using the [Cookies Settings]** button. Using this tool will set [a cookie/cookies]*** on your device to remember your preferences.

You can withdraw your consent at any time by [accessing the [Cookie Settings] link at the bottom of this webpage].**** For more detailed information about the cookies we use, see our Privacy & Cookies Policy attached {attach/refer to link}

* examples only – to be tailored according to the specific purposes

** amend as necessary

*** website operators/IT Dept to confirm

**** amend as necessary

***** assumes one document only

7. The draft e-Privacy Regulation

7.1 The e-Privacy Regulations referred to above will eventually be repealed and replaced by a regulation for ePrivacy (the “Regulation”), currently in draft form, which will apply across the EU region and is expected to complement GDPR. The Regulation seeks to protect confidentiality of electronic communications data and to modernise definitions of such data, and like GDPR, will apply where processing takes place outside the EU but the end user is located within the EU. Progress on the Regulation has been slow since it was initiated in 2017 but as of February 2021, legislative impetus has been revived by the European Council and it is currently under discussion by the European Parliament and the Council of Ministers.

7.2 The most recent draft of the Regulation includes provisions to mitigate “cookie consent fatigue” whereby an end user will be able to give consent to the use of certain types of tracking cookies and other identifiers in their browser settings. Software providers will be encouraged to facilitate this function to enable end users to provide and withdraw their consent. However, consent will continue to be subject to periodic review and where an end user expresses directly a consent preference that differs from the browser or software settings, that direct expression from the end user must prevail over such settings. The current draft Regulation excludes a limited number of non-essential cookies from the consent requirement in certain circumstances. For example, these may include cookies which provide for a service specifically required by the end-user; audience measurement or cookies deployed for security purposes; certain single-session cookies that track the user’s input when filling in online forms; user authentication session cookies; and “shopping basket” cookies that track the items a user has placed into their virtual cart.

7.3 It remains to be seen when the Regulation will be adopted and what the final text will look like. Once adopted, it will enter into force and must be complied with 24 months later. This should be closely monitored by all website and app operators.

8. CONCLUSION/PRACTICAL REQUIREMENTS

(a) The cookies used by Avectas should be examined in order to determine which cookies are: (i) “essential cookies”; (ii) “non-essential cookies”; and (iii) third party cookies, respectively, together with the duration and purpose of each cookie, and this should be covered in the Policy (Cookies section);

(b) A GDPR-compliant cookies banner reflecting the points raised above should be put in place on the Avectas website to reflect these requirements (the Policy should be linked through this banner);

(c) Prior to users consenting to non-essential cookies, they should be provided with clear and comprehensive information about the types of cookies used on the Avectas landing page (through the Policy);

(d) No non-Essential cookies should be “dropped in” (or otherwise enabled) until after users have consented to them by category, and users should be given control over the non-Essential cookies which are placed on all of their equipment;

(e) Users must be able to vary and/or withdraw consent at any time in as easy a manner as the consent was initially provided (e.g. see “cookie cutter” icon on the websites/banners cited above);

(f) If Avectas uses a cookie to store a record that a user has given consent to the use of cookies, it should limit the length of time such consent is valid for to no longer than six months (i.e. the user should be prompted to renew consent after this period);

(g) Where a CMP records users’ ‘consent state’ or withdrawal, this record should be retained by Avectas as controller as part of its record of processing activities under Article 30 of GDPR; and

(h) Avectas should regularly review, and where necessary, update its Policy to ensure that it is accurate (i.e. at least annually or more often where required).
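The consent-state handling that items (d) to (g) above require (only strictly necessary cookies pre-enabled, per-category opt-in, withdrawal as easy as consent, and a re-prompt no later than six months after the consent state is stored) is shown below as an added JavaScript example; it is not Avectas’ or ByrneWallace’s code. The category names are assumed for illustration, and the functions are pure so that wiring them to the banner and to `document.cookie` is left to the site’s developers.

```javascript
// Added example: minimal CMP consent-state logic. No DOM access, so it runs under Node.
// Category names are assumed for illustration; a real site lists its own categories.
const CATEGORIES = ["strictly_necessary", "analytics", "advertising"];
// Outer window for storing the user's consent state (DPC Guidance: six months).
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;

// State before any user action: only strictly necessary enabled, no consent recorded.
function defaultConsent() {
  return { strictly_necessary: true, analytics: false, advertising: false, recordedAt: null };
}

// Record per-category choices from the second layer of the banner.
// Strictly necessary cannot be toggled; unknown categories are rejected, not silently accepted.
function recordConsent(state, choices, now) {
  const next = { ...state };
  for (const [cat, on] of Object.entries(choices)) {
    if (!CATEGORIES.includes(cat) || cat === "strictly_necessary") {
      throw new Error(`unknown or fixed category: ${cat}`);
    }
    next[cat] = on === true; // anything other than an explicit opt-in is not consent
  }
  next.recordedAt = now;
  return next;
}

// Withdrawal must be as easy as giving consent: one action turns off every non-essential category.
function withdrawAll(state, now) {
  const next = defaultConsent();
  next.recordedAt = now; // the withdrawal itself is a recorded choice
  return next;
}

// The banner must be shown again when there is no record, the record is older than
// six months, or the timestamp is in the future (a tampered cookie is treated as no record).
function needsReprompt(state, now) {
  if (!Number.isInteger(state.recordedAt)) return true;
  if (state.recordedAt > now) return true;
  return now - state.recordedAt >= SIX_MONTHS_MS;
}

// Gate for tag loading: a non-essential category may fire only while a valid opt-in exists.
function mayLoad(state, category, now) {
  if (category === "strictly_necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  return state[category] === true && !needsReprompt(state, now);
}

// Serialise to / parse from the consent cookie value. A garbled or tampered value
// falls back to the default (nothing non-essential enabled) rather than throwing.
function serialize(state) {
  return encodeURIComponent(JSON.stringify(state));
}
function parse(cookieValue) {
  try {
    const obj = JSON.parse(decodeURIComponent(cookieValue));
    const state = defaultConsent();
    for (const cat of CATEGORIES) {
      if (cat !== "strictly_necessary") state[cat] = obj[cat] === true;
    }
    state.recordedAt = Number.isInteger(obj.recordedAt) ? obj.recordedAt : null;
    return state;
  } catch (e) {
    return defaultConsent();
  }
}

// Set-Cookie attributes for the consent record: Max-Age capped at six months so the browser
// itself drops the record when the re-prompt is due.
function consentCookieHeader(state) {
  return `consent=${serialize(state)}; Max-Age=${SIX_MONTHS_MS / 1000}; Path=/; SameSite=Lax; Secure`;
}
```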