In August 2019, the Irish Data Protection Commission (DPC) commenced an examination of the use of cookies and similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector.
The DPC chose popular websites operated by some of the most well-known organisations across these sectors. They also included controllers whose use of cookies had come to the attention of the DPC through complaints from members of the public, or through their own observations of how information about cookies and tracking technologies was presented, or appeared to be lacking, on those sites.
The purpose of the sweep survey was to request information to allow them to examine the deployment of such technologies and to establish how, and whether, organisations are complying with the law. In particular, the DPC wanted to examine how controllers obtain the consent of users for the use of cookies and other tracking technologies.
They did not undertake a broader examination of the adtech industry or the real-time bidding advertising framework as part of this sweep as these issues are the subject of separate inquiries by the DPC. Nevertheless, it was evident from the examination of the types of tracking technologies and cookies in use that advertising technology and tracking are core to the business models of many of the websites examined.
You can view the full report here.
Conclusions and recommendations
While only a small number of controllers were targeted to participate in this sweep, the examination of the 38 websites suggests that users of Irish websites are being tracked by third parties to a significant degree across their browsing habits and daily online activities.
Lacking even basic information or the ability to give unambiguous consent for the placement of tracking technologies or cookies on their devices, most ordinary users will not be aware of the extent to which they may be tracked across their devices at home and at work, and across their browsing, reading and social habits.
While they may not be tracked by name, the ability to track them by means of unique identifiers set through cookies or other technologies means they are being targeted as individuals and such targeting and/or profiling (after the point where cookies have been set) is subject to the GDPR where it may concern personal data.
Furthermore, it is apparent that websites providing health insurance and other health related information may – inadvertently or otherwise – be sharing special category data with third parties in the adtech industry.
An investigation by the Financial Times in the UK in November 2019 found that some of the UK’s most popular websites were sharing special category data, including medical symptoms, diagnoses, drug names and menstrual and fertility information with dozens of companies, including Google, Amazon, Facebook and Oracle, as well as with lesser known data brokers and adtech companies.
The ICO confirmed to the Financial Times its concerns about the processing of special category data in online advertising, as well as “the role that site owners and publishers play in this ecosystem”.
It is notable that at least one of the health insurance websites examined in this sweep uses third party cookies from Hotjar to track user behaviour on the site. Ostensibly, this is to provide it with information on how people navigate the site and the menus.
However, Hotjar may also capture video footage of precisely how a user navigates the site, including details of the text entered into boxes and search fields.
The investigation team surmises based on the information provided by these
controllers, and based on examination of their sites and the cookies being set, that similar levels of sharing of personal data may be taking place via Irish websites.
Those controllers using pre-checked boxes will need to act expeditiously to amend their interfaces, which it is clear do not comply with EU law. Some further engagement with these controllers will be required in order to draw these issues to their attention.
Ongoing and ad hoc engagement with other controllers where ePrivacy/cookies compliance issues are apparent will also be considered by the DPC.
The fact that bad practices were widespread even among companies and controllers that are household names suggests a more systemic issue that must be tackled firstly with the publication of new guidance, followed by possible enforcement action where controllers fail to voluntarily bring themselves into compliance.
A number of larger controllers referred in their responses to the ongoing negotiations at EU level on a proposal for a new ePrivacy Regulation to replace Directive 2002/58/EC.
There were some references to controllers wishing to “future-proof” their websites by adopting some of the possible new requirements that might feature in any such legislation.
It must be clear to controllers that they are expected to comply with the current regime, pending any agreement at EU level on a proposal for a new regulation.
All positive steps towards compliance with the ePrivacy Regulations will ultimately benefit all data subjects using these websites and apps. However, the underlying processing of data enabled by cookies and other tracking technologies can only be addressed as part of a much wider examination of the entire adtech industry and ecosystem.
New DPC guidance and follow-up correspondence with the controllers who took part in the sweep will emphasise the following issues:
- Controller must remove any pre-checked boxes related to the setting of
- cookies.
- Ensure that their cookie banners are designed in such a way that they do not ‘nudge’ users into accepting cookies. An option to reject must have equal prominence in any banner or user interface.
- Ensure that no non-necessary cookies/non-exempt cookies are set on the landing page.
- Examine all cookies they have categorised as ‘necessary’ or ‘strictly necessary’ to determine whether they actually meet the strict conditions for either of the two exemptions set out in Regulation 5(5).
- The Article 29 Working Party opinion 4/2012 on the cookie consent exemption is still valid and should be studied by controllers. In particular, controllers should note the A29 opinion that the risk to data protection comes from the purpose(s) of processing rather than the information contained within the cookie.
- Controllers must ensure that consent is obtained for each purpose for which cookies are set. This does not mean that consent needs to be obtained individually for each cookie, but merely for the purpose for which it is being used.
- Consent may not be bundled, i.e. an “all or nothing” approach to accepting or rejecting cookies. Users must be able to reject non-necessary cookies and they must be able to vary their consent easily at any time via the website.
- Analytics cookies, targeting cookies and marketing cookies require consent. However, first-party analytics cookies are considered potentially low risk and it is therefore unlikely that they would be a priority for any formal action by the DPC.
- If a cookie is ‘strictly necessary’, its lifespan should be proportionate. Article 29 Working Party 04/2012 on the Cookie Consent Exemption states that a cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average reader or subscriber. “This suggests that cookies that match the [consent exemption criteria] will likely be cookies that are set to expire when the browser session ends or even earlier.
- Privacy and cookie policies must always be visible and available to the user without them having to consent to cookies or dismiss a cookie banner. Non-necessary cookies should not be set prior to the user clicking on the cookie information and, where a link to a cookie policy is presented in a pop-up or cookie banner, the banner must not obscure the text of that policy.
- Users must always be able to withdraw consent or change permissions for cookies or other tracking devices. It should be as easy to withdraw consent as to give it.
- Privacy and cookie policies should be accurate and kept up to date. Using a template service to generate a privacy policy or cookie policy is a futile and cosmetic exercise. Similarly, controllers who have multiple websites must ensure that each of them has their own privacy policy which reflects the underlying reality of the processing.
- Controllers must examine the possible joint controller issues arising from the use of third-party assets and plugins. Where necessary, they must put in place controller-processor contracts, which must reflect the actual facts of the processing.
- Controllers must be aware that consent is required for non-necessary cookies whether or not personal information is processed. PII is not a concept recognised in EU law.
- The user interface needs to build in a clear option for users to change their cookie settings at any time, including where websites are using persistent cookies to store the user’s “consent state” over a period of time. This could be accomplished, for example, by means of a settings tool or so-called radio button.
- The DPC recommends that users examine the checkboxes and sliders they use to allow a user signal consent. It should be very clear which setting is ON or OFF and how to ACCEPT and REJECT cookies. A user interface with sliders set to green or red, or other colours, may not provide sufficient clarity and it may result in accessibility issues for users with certain vision impairments.
- It is possible that some controllers are using device fingerprinting technologies which were not possible to observe in the course of this exercise. To the extent that any controller uses such technologies, they should be aware that Article 5(3) of the ePrivacy Directive (and by extension Regulation 5(3) of the ePrivacy Regulations 2011) is applicable. Opinion 9/2014 of the Article 29 Data Protection Working Party on the application of Directive 2002/58/EC to device fingerprinting should be studied in that regard.
- Controllers should be aware that the use of a consent management platform will not in itself ensure compliance with the legislation. They must ensure when deploying such tools that they do, in fact, work in the manner intended and that the tools and buttons on the user interface do what they purport to do. If a user checks or unchecks preferences, these preferences must be respected and recorded, as appropriate.
- Controllers must be aware that the processing of data which occurs subsequent to the setting of cookies, particularly where it involves appending or matching any other data to an explicit profile or an identifier involves the processing of personal data. This processing is subject to the provisions of the GDPR, including the provisions relating to data subject rights.
- The DPC came across examples in the course of this sweep, and has come across further examples since, of CMP settings with non-exempt cookies set by default to on, with the choice of the user to reject these cookies by means of unchecking the box not respected. Such issues will be a priority for enforcement.