‘The DPC will use its powers under the GDPR and the Data Protection Act 2018 to initiate inquiries and investigations and to carry out inspections where required’.
Cue panic in the coming months.
Every website collects cookies. This post explains the regulations and detail behind this statement. But more importantly, it cuts through all the legalese and technical explanations and sets out the three main steps you need to take to make sure your cookie permissions are done the right way.
In April this year the Data Protection Commission published a report along with guidance on cookies. Data Controllers were given 6 months to get their cookies in order. The official line is that after 5 October 2020, the DPC will commence enforcement action against controllers who fail to comply.
Cookies are created when you visit a website to keep track of your movements within the site, help you resume where you left off, and remember your registered login, theme selection, preferences, and other customisation. The website stores a file corresponding to the one it sets in your browser, and in this file it can track and keep information on your movements within the site and any information you may have voluntarily given while visiting the website, such as your email address. Here’s a great 3-minute explainer if you want to learn more.
Even the use of Google Analytics means you’re collecting cookies, and you need to get consent to do so. If you want to manually check what cookies your website is collecting, you can click on the padlock in your Chrome browser like this:
If you’re here to just get the lowdown on what you need to do to stay on the right side of the cookie law, you need to know 3 things.
Simply put, you shouldn’t be able to scroll until you’ve dealt with the cookie banner. Continuing on to view the website doesn’t count as consent. If you’re not managing your own website, your web developer should be able to sort this one for you. Web developers are not GDPR experts, though, and they may just give you a generic cookies solution that doesn’t tick all the boxes.
Some cookies are needed to make your website work: these are functional cookies. Some are put there by third parties and track you as you move around the internet. A good cookies solution should split them out for you into functional, statistical and marketing.
The functional box is the only one that can be pre-ticked and served up by default. Your website visitor can choose whether they want to accept the rest of the cookies or not. This is called consent. To do consent the right way, make sure it’s an explicit “yes, I want these cookies”. Usually this is a short description with an empty tick box, such as the image below.
Next time you visit a website try just accepting the basic cookies and you’ll start to see the value of choice.
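The banner rules above (only functional pre-ticked, browsing on is not consent, nothing else set without an explicit yes) can be modelled as a small consent gate. This is an added example, not code from the original post or from any cookie product; the cookie names other than Google Analytics' `_ga`, the event types and the function names are constructed for illustration.

```javascript
// Added example: consent gate for the three cookie categories named in the post.
// Event types, function names and most cookie names are assumptions.
const CATEGORIES = ["functional", "statistical", "marketing"];

// Constructed registry: the category of every cookie the site is allowed to set.
const COOKIE_REGISTRY = {
  session_id: "functional",
  theme: "functional",
  _ga: "statistical",      // Google Analytics
  ad_tracker: "marketing", // constructed third-party cookie
};

// Initial banner state: only functional is pre-ticked and nothing is decided yet.
function defaultConsent() {
  return { decided: false, functional: true, statistical: false, marketing: false };
}

// Only an explicit save from the banner changes consent. Scrolling, clicking
// through to another page or ignoring the banner leaves the state untouched.
function handleEvent(consent, event) {
  if (event.type !== "banner_save") return consent;
  const ticked = new Set(event.ticked || []);
  const next = { decided: true, functional: true };
  for (const cat of CATEGORIES.slice(1)) next[cat] = ticked.has(cat);
  return next;
}

// Gate every cookie write. Cookies missing from the registry are refused
// rather than assumed functional, so new third-party scripts fail closed.
function maySetCookie(consent, name) {
  if (!Object.prototype.hasOwnProperty.call(COOKIE_REGISTRY, name)) return false;
  const cat = COOKIE_REGISTRY[name];
  if (cat === "functional") return true;
  return consent.decided && consent[cat] === true;
}

// The page stays locked (no scrolling) until the banner has been dealt with.
function pageLocked(consent) {
  return !consent.decided;
}

// Names of all registered cookies that may be set under the given consent.
function allowedCookies(consent) {
  return Object.keys(COOKIE_REGISTRY).filter((n) => maySetCookie(consent, n));
}
```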
Create a separate policy, or add it to your privacy policy, detailing what you do, why you do it and how your website visitor can manage their rights. Include:
- Type of cookies
- Data which is tracked
- Time that cookies stay on a user’s browser
- Why the cookies are being used
- Where and with whom the data is being shared
- How to reject cookies and change settings
Doing your cookies with a generic “Got it!” banner is sure to raise a red flag. There are a number of cookie policy generators out there that will scan your website and get you started. Giving your website visitors the choice will gain their trust, demonstrate your professionalism and keep you on the right side of the cookies law. And if you’d rather hand it over, get in touch and we can help.
Full cookies guidance from the Data Protection Commission can be found here.
The regulations governing cookies are split between the GDPR and the ePrivacy Directive.
The proposed ePrivacy Regulation will replace the 2002 ePrivacy Directive (amended 2009), which gave us the Privacy and Electronic Communications Regulations (PECR).
The ePrivacy Regulation is a law in the making by the EU Commission. Its purpose is to ensure the “respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector” in the EU.
Once applied, the ePrivacy Regulation will replace the ePrivacy Directive which governs cookies currently.
Under the GDPR, it is the legal responsibility of website owners and operators to make sure that personal data is collected and processed lawfully. One of the most common ways for personal data to be collected and shared online is through website cookies. The GDPR sets out specific rules for the use of cookies. GDPR requires a website to only collect personal data from users after they have given their explicit consent to the specific purposes of its use.
Data Influence blogs and stories are provided for information only, not legal advice. Always consult your lawyer on legal matters.