The DPC Report and Guidance set out the following recommendations (and clarifications) to ensure compliance with the rules relating to cookies:
- Consent is required for the setting of cookies on a website, and the GDPR level of consent must be met (i.e. clear affirmative action), whether the cookies collect personal data or not.
- Pre-checked boxes should not be used for obtaining consent for the setting of cookies.
- The cookies rules draw a distinction between “necessary” cookies that are required to deliver a service (e.g. to authenticate the user or remember preferences) and “non-necessary” cookies (e.g. cookies used for advertising purposes that are not strictly required to deliver the service).
- Certain consent exemptions are provided for in Regulation 5(5) of the ePrivacy Regulations, but where a website operator is relying on the “necessary” or “strictly necessary” exemption then it needs to be sure that the criteria set down in the ePrivacy Regulations are met and that the lifespan of the cookie being set is proportionate.
- Consent cannot be bundled. It must be obtained for each purpose that cookies are set (e.g. analytics, targeting and marketing), although it does not need to be obtained for each cookie.
- Consent should be limited to a period of time. Whilst the ePrivacy Regulations do not prescribe specific lifespans for cookies, the DPC recommends that organisations ask users to reaffirm their consent no longer than six months after it has been obtained.
- Users may be provided with a consent management platform (CMP), which enables them to accept or reject cookies used for different purposes, and to vary or withdraw their consent choices at any time. One design solution is a cookie button (or a “radio button”) which reveals sliders or ON/OFF options. The settings of any sliders on CMPs should be clearly labelled ON or OFF, and users should be able to tell how to ACCEPT and REJECT cookies. Using coloured buttons such as green for ON, and red for OFF, may not provide sufficient clarity and may be confusing for those with colour blindness.
- Links to privacy and cookie policies should always be visible and accessible to users, without them having to consent to cookies or dismiss a cookie banner.
- Non-necessary cookies should by default be set to off.
- A cookie banner that merely gives the user the option to click “accept” to say yes to cookies and which provides no other option is not compliant. This means banners with buttons that read “ok, got it!” or “I understand”, and which do not provide any option to reject cookies or to click for further, more detailed information, do not meet the standard of consent required. Cookie banners must also be designed in such a way that they do not nudge users into accepting cookies. An option to reject must have equal prominence in any banner.
- Where cookies involve the processing of special category data based, for example, on inferences drawn from a person’s browsing patterns on a website, or linked data from other sources, consent to such cookies must be explicit, and the controller must ensure that it has a lawful basis to process such data.
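The consent rules above (per-purpose rather than per-cookie consent, non-necessary purposes off by default, withdrawal at any time, and reaffirmation after six months) can be encoded as a small gate in front of every cookie write. The following is an added example, not code from the DPC or any real CMP; the purpose list, the 182-day approximation of "six months" and the in-memory cookie jar are constructed assumptions.

```javascript
// Constructed purpose list, taken from the page's examples; "necessary" is exempt.
const PURPOSES = ["analytics", "targeting", "marketing"];
const REAFFIRM_AFTER_MS = 182 * 24 * 60 * 60 * 1000; // roughly six months (assumption)

// Fresh record: every non-necessary purpose is OFF until the user acts.
function newConsentRecord() {
  const choices = {};
  for (const purpose of PURPOSES) choices[purpose] = false;
  return { grantedAt: null, choices };
}

// Store an explicit per-purpose choice (clear affirmative action). Unknown
// purposes are refused so an "accept all" cannot silently bundle new purposes.
function recordChoices(record, choices, now) {
  for (const purpose of Object.keys(choices)) {
    if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    record.choices[purpose] = choices[purpose] === true; // only a literal true counts
  }
  record.grantedAt = now;
  return record;
}

// Withdrawal must be possible at any time; it never needs a new consent event.
function withdrawConsent(record, purpose) {
  if (purpose in record.choices) record.choices[purpose] = false;
  return record;
}

// True when consent must be (re)collected: never given, or older than the window.
function needsReaffirmation(record, now) {
  return record.grantedAt === null || now - record.grantedAt > REAFFIRM_AFTER_MS;
}

// Gate for setting a cookie: necessary cookies need no consent; everything else
// needs a current, explicit ON for its purpose.
function mayStoreCookie(record, purpose, now) {
  if (purpose === "necessary") return true;
  if (needsReaffirmation(record, now)) return false;
  return record.choices[purpose] === true;
}

// Writes into a constructed jar (a plain object standing in for document.cookie)
// only when the gate allows it; returns whether the cookie was stored.
function setCookie(jar, record, purpose, name, value, now) {
  if (!mayStoreCookie(record, purpose, now)) return false;
  jar[name] = value;
  return true;
}
```

Because the check is keyed on purpose rather than cookie name, adding a new cookie under an already-consented purpose needs no new banner, while a new purpose does.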
The Report and Guidance provide an important reminder to website operators of the importance of keeping privacy and cookie policies accurate and up-to-date, and in compliance with data protection law and regulatory guidance.