Businesses all over the country were scrambling last week to make the necessary adjustments to their websites as the Oct 5th deadline for online cookie compliance fast approached. But by today businesses will be expected to have complied, and it’s unlikely that the many businesses that didn’t devote the necessary resources to this project will have gotten there on time. However, this should not dissuade them from taking action now, as there are significant penalties for non-compliance under GDPR legislation. This is the advice of the ACOI (Association of Compliance Officers Ireland) who say that implementation of the Data Protection Commission’s (DPC) guidance has significant implications for Irish businesses, particularly those SMEs whose resources may be already fully focused on surviving Covid and preparing for Brexit.
Michael Kavanagh, CEO of the ACOI explained,
“The ending of the grace period for implementing the DPC’s guidance on cookies and tracking technologies (See Appendix) is today, October 5th, and anecdotal evidence has suggested that for many organisations this has been overlooked, with energy, time and resources being placed instead on responding to COVID and Brexit. But it hasn’t gone away – and even though the business environment has never been more challenging, compliance is expected and will be enforced. With GDPR, the DPC has the power to impose significant sanctions on businesses that don’t comply; for example, if it was proven that a business did not gain affirmative consent from consumers using the site, then they could potentially be fined a percentage of their turnover”.
In late 2019, the DPC carried out a cookie sweep of thirty-eight organisations, with a view to understanding current levels of compliance in Ireland. The ACOI say this exercise raised significant issues across a range of areas. Some of the issues highlighted included websites setting cookies immediately on the landing page, in many cases non-necessary cookies. Others misclassified cookies as necessary or strictly necessary, and consent was found to be bundled in many cases. In April 2020, the DPC issued a guidance note intended to ensure greater levels of adherence across Irish organisations, and businesses were given 6 months to bring their sites in line with these new practices.
Mr. Kavanagh went on to comment,
“The implications for Irish businesses are considerable and extend beyond meeting the DPC’s list of requirements. For marketing and sales teams, the need to receive consent before deploying analytics cookies will effectively set a new baseline for their website metrics. A significant number of users are unlikely to opt in, making it difficult to accurately compare year-on-year performance across the site. Customer service departments relying on website chatbots to deal with consumer queries must assess how to cater to customers who choose not to opt in to this function. Many companies will need to implement a consent management platform (CMP) if one is not already in place. It will not be feasible to manually oversee aspects such as the requirement to reaffirm consent every six months. Lastly, any firms still relying on pre-ticked forms of consent must amend their practices soonest. Compliance professionals will need to consult widely across the business to ensure key departments and stakeholders are aware of the upcoming changes, and to minimise the potential impact on day-to-day operations”.
The ACOI advise that all businesses should give high priority to this issue for the remainder of the year.
Appendix – Key Considerations from the DPC’s Guidance Notes
- Organisations must obtain consent to store or set cookies.
- The rules apply even where cookies do not store personal data. ePrivacy focuses on the confidentiality of all electronic communications. If personal data is stored, the additional requirements of GDPR apply.
- Consent must meet GDPR standards, being freely given, specific, informed and unambiguous. It must be as easy for a user to withdraw consent as it was to provide it in the first place.
- Pre-ticked boxes and bundled consent, where approval is sought for a range of processing activities, are not allowed.
- Continuing to use a website or scrolling through a landing page do not imply consent. It must be an affirmative action by the consumer such as ticking a box.
- Default settings on a browser do not constitute affirmative consent.
- Analytics cookies require consent. However, the guidance states it is unlikely first-party analytics will be considered a priority for enforcement action.
- Consent must be reaffirmed every six months. It is worth noting a similar view has been taken by the French supervisory authority.
- Businesses must have clear retention periods for each cookie. Retaining cookie data indefinitely does not meet the GDPR’s requirement for proportionality.
- The guidelines do not recommend a particular method for obtaining consent. They recognise that website cookie banners are a typical way of achieving this objective.
- Companies should avoid using language or interfaces that nudge the user to accept cookies.
- The guidelines apply to other tracking technologies as well as cookies, for example pixel trackers, “like” buttons and social sharing tools.
- Companies must be aware of any data shared with third parties, for example through social tools, and put in place data processing agreements where necessary.
- Finally, every effort should be made to present cookie banner information in a clear and accessible manner.
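To make the appendix concrete, the following is an added illustration (not code from the ACOI, the DPC or any CMP vendor) of the gating logic a consent manager has to apply: nothing but strictly necessary cookies before an affirmative opt-in, no pre-ticked defaults, withdrawal as simple as granting, a finite retention period for every cookie, and consent that lapses after six months. The cookie jar, the clock and cookie names such as `_analytics` are constructed stand-ins so the code runs offline.

```javascript
// Reaffirmation window; six months is approximated as 182 days (assumption).
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;

// jar and now() are injected so the gate can be exercised without a browser.
function createConsentGate(jar, now = () => Date.now()) {
  let record = null; // no record until the user acts: nothing is pre-ticked
  return {
    // Only an explicit opt-in creates a record; scrolling or continued use never calls this.
    grant(categories) {
      if (!Array.isArray(categories) || categories.length === 0) return false;
      record = { categories: new Set(categories), grantedAt: now() };
      return true;
    },
    // Withdrawal is a single call and removes every non-necessary cookie already set.
    withdraw() {
      record = null;
      for (const c of jar.list()) if (c.category !== 'necessary') jar.remove(c.name);
    },
    // Consent expires after six months and must be asked for again.
    isValid() {
      return record !== null && now() - record.grantedAt < SIX_MONTHS_MS;
    },
    // Strictly necessary cookies need no consent; everything else needs a valid record.
    allows(category) {
      return category === 'necessary' || (this.isValid() && record.categories.has(category));
    },
    // Every cookie must carry a category and a finite retention period.
    setCookie(name, value, category, retentionDays) {
      if (!Number.isFinite(retentionDays) || retentionDays <= 0) {
        throw new Error(`no retention period declared for cookie ${name}`);
      }
      if (!this.allows(category)) return false; // e.g. analytics on the landing page
      jar.set({ name, value, category, expires: now() + retentionDays * 86400000 });
      return true;
    },
  };
}

// Constructed in-memory jar standing in for document.cookie.
function memoryJar() {
  const m = new Map();
  return {
    set: (c) => m.set(c.name, c),
    remove: (n) => m.delete(n),
    list: () => [...m.values()],
    has: (n) => m.has(n),
  };
}
```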