• Compliance

  • Ireland

  • Cookie banner

New Irish cookie legislation - are you ready for the October 5th deadline?

September 11, 2020 by Amy Arnell

The Irish Data Protection Commission (DPC) recently issued new guidance on the use of cookies, highlighting a number of important changes in terms of cookie consent. The deadline for compliance is the 5th October, otherwise the DPC warns it will take enforcement action in the form of fines. Worried about what this means for your company, or confused about what the main changes are? Carry on reading, or schedule a demo with a DPC expert at Didomi

 

Summary 

 

 


 

Introduction 

 

What are these changes and where did they come from? During the second half of 2019, the DPC undertook an investigation into cross-sector levels of cookie and other tracking technologies compliance on Irish websites and apps. They were shocked with their findings. 

 

Why? Because roughly two thirds of publishers were incorrectly relying on ‘implied consent’ for the setting of non-essential Cookies. Moreover, the majority of websites made it deliberately difficult for users to withdraw or personalise their consent preferences. Finally, almost all websites set essential and even non-essential cookies immediately as the user landed on their website/app, without first collecting their consent. 

 

The DPC does admit that “it is unlikely that first-party analytics cookies would be considered a priority for enforcement action”. However, does your website/app use third-party cookies? If it does, you’re going to be the DPC’s main target. 

 

Worried about what this investigation means for your business? Carry on reading to find out how you can become compliant, or let Didomi ensure compliance for you, by scheduling a demo with a member of our team.

 

DPC

 

What are the most important changes? 

 

The DPC states that cookie consent must conform to GDPR standards, namely that consent is “freely given, specific, informed and unambiguous indication”. But what does this really mean in practical terms? 

 

Implied consent is unacceptable. 

 

First of all, consent must be specific, meaning that implied consent is unacceptable. For example, language such as “By continuing to use this site, you agree to the use of cookies” is not permissible, nor is consent by scrolling. 

 

 

DPC (1)

 

Pre-checked boxes and sliders set to “on” as default are unacceptable.

 

In addition, consent must be unambiguous, meaning that pre-checked boxes and sliders set to ‘on’ as default are non-compliant. This also follows the October 1st 2019 Planet 49 judgement made by the Court of Justice of the European Union, which declared that pre-ticked check-boxes authorising the use of cookies and similar technologies do not constitute valid consent under the e-Privacy Directive.

 

DPC (2)

 

Cookie consent lifetime is 6 months 

 

Finally, an important element to bear in mind is that the cookie consent lifetime is 6 months. This means that once you have collected consent from a user, you must re-collect it after 6 months. Again, this ensures that consent is freely given and informed, giving users more choice. 

 

DPC (3)

 

Examples of Cookie Consent Banners 

 

Non-compliant banner 

 

As you can see here, the user has no choice but to accept the cookies. There isn't even an accept button, the "x" assumes consent. This does not conform to DPC or GDPR guidelines which state that consent must be freely given, specific, informed, unambiguous, as this does not constitute an unambiguous positive action. 

DPC (4)

 

Compliant Banner 

 

As you can see here, the user has real choice. They are not “nudged” into accepting cookies, and are given the opportunity to consent on a granular basis.  The Guidance says that if you use a button with an “accept” option then you must give equal prominence to a “reject” option, or to one which allows them to manage cookies and brings them to a second layer in order to do that by cookie type and purpose. This is exactly what the Didomi banner does. 

 

DPC (5)

 

How can Didomi help? 

 

So, in summary, users must have real choice, must be aware of the purposes, and must be able to withdraw their consent as easily as they gave it. 

 

Interested in more information on Irish consent regulation? Check out our blog post on the topic here

 

Want to ensure compliance? Schedule a demo with Didomi today, in which we can investigate whether your website/app is currently compliant, and, if not, ensure compliance before the October 5th deadline. 

 

Looking forward to hearing from you! 

 

DPC (6)

 

The Leading Consent and Preference Management Platform

Schedule a demo