Cookie Consent Update 2020
Following the Irish Data Protection Commission’s (DPC) summarised report, published on the 6th of April, 2020, we wanted to inform our customers and web users that the EU Cookie Directive has been in effect since September 6th, 2020.
What you need to know
- The standard of consent required by the GDPR is even higher now. This means that the consent must be clear, freely given, specific, and unambiguous.
- No non-essential cookies/technologies may be set on landing pages of your site or app.
- Obtaining a user’s consent via the use of a cookie pop-up or banner is acceptable on condition that:
  - Wording such as “by continuing to use the site, you consent to the use of cookies” is no longer acceptable, and the cookie pop-ups must outline that you are requesting consent for the use of cookies.
  - The cookie pop-up is designed in a neutral way. If there is an “accept” and a “reject” button, they must be of equal prominence, and if there is an option which brings users to the second layer of information, it should allow them to manage their cookie settings.
  - The second layer of information must provide more detailed information about the types and purposes of cookies or other technologies being set, and the third parties who will process information collected when those cookies and similar technologies are deployed. It also must provide users with options to accept or reject such cookies or similar technologies by cookie type and purpose. For example, checkboxes must not be pre-checked or sliders set to “on” by default. Checkboxes or sliders should be clearly marked as “on” or “off”, so users do not have to guess at their functionality.
- Users must be able to change their cookie preferences at any time.
- A cookie's lifespan for storing records must not exceed 6 months. New consent must be obtained after that period.
- Any record of consent must be backed up by demonstrable organisational and technical measures that ensure a user’s expression of consent can be effectively acted on.
- Analytics, targeting, and marketing cookies require a user’s prior consent. That excludes first-party analytics cookies that are considered potentially low-risk.
- You must examine how the third parties use cookies/similar technologies on their website or app as “joint” data controllers or data processors. You need to examine any issues that may arise from the use of those third-party technologies and, if necessary, put in place a data processing agreement that reflects the actual facts of the processing.
What you need to do
Now that you know more about what the new EU Cookie Directive means according to the DPC's report, there are a number of actions you can take to prevent any potential compliance issues.
- You must review your privacy policies and cookie compliance to ensure that they follow the EU’s Cookie Directive.
- You must remove any cookies that are not in compliance.
- You should categorise your cookies in a clear, informative, and organised manner. See Aphix's cookie consent pop-up below.
- You must allow users to consent to only the cookies they wish. You cannot just inform them that the site uses cookies and that by continuing to browse the website they are agreeing to your cookie policies.
If you are still not confident as to what you need to do or don’t have the time to do it, you can always hire a marketing agency like MOR Digital to implement these changes for you before it’s too late.
Summary
Whether we talk about website security, eCommerce security, or any type of security for that matter, it is clear that security is of utmost importance and everyone should follow best practices and be compliant with that category’s rules and regulations.
The Data Protection Commission made this clear and expects organisations that own a website that uses cookies and technologies to gather user data to comply with the current cookie law rules at all times.
There was a six-month window for everyone who owns a website that uses any type of cookies to get in compliance with the DPC’s new cookie guidelines.
Irish organisations that failed to do so within the specified timeframe may face the consequences, and the DPC may take action against them.