On 6th April, the DPC issued a Guidance Note (GN) on cookies and other tracking technologies. This Guidance Note follows an examination by the DPC of the use of cookies and other similar technologies on a selection of websites across a range of sectors. The DPC will allow a period of 6 months from the publication of the guidance for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.
ePrivacy Regulations and GDPR
The GN outlines the requirements under the ePrivacy Regulations 2011 and GDPR for the use of cookies and other tracking devices for the processing of personal data, including the law on cookies and its purpose, the requirements for consent, the provision of “clear and comprehensive information” about the use of cookies, and the requirements for cookie banners.
Third Party Processors
Consideration is also given to the need to assess relationships with third parties whose assets are deployed on a website, for instance the use of “like buttons”, plugins, widgets, pixel trackers or social media sharing tools. There is a requirement to be aware of the information that is collected and disclosed to these third parties, in particular when engaging a third party to process payments, where a controller-processor contract will need to be in place with that organisation to meet the requirements of Art 28(3) of the GDPR.
Record of Processing Activities
It is important to note that it is not necessary that a cookie contain personal data in order that the user’s consent be required to set it. Under Art 30 of the GDPR, there is a requirement to maintain a comprehensive record of each specific type of processing as part of your record of processing activities, which includes processing relating to cookies and other tracking technologies.
Special Categories of Personal Data
If your organisation is processing special categories of personal data through information derived from cookies, this is subject to stricter rules under Art 9 of the GDPR. The only legal basis your organisation is likely to have for the processing of any special category data derived from the use of cookies or other tracking technologies is the explicit consent of those individuals whose data you are processing.
Storage Limitation Principle
The DPC also noted that the lifespan of a cookie should be proportionate to its function. This is in line with the storage limitation principle under the GDPR. Organisations should check their current practices and make the necessary changes to comply with this principle.
Location Tracking
The GN also outlines the requirements regarding the use of cookies and other technologies to track the location of a user, i.e. the need for consent. The Court of Justice of the EU recognised the sensitivity of location data because it can be used to derive very precise information about individuals and their behaviour, including daily movements and activities, places of residence, social relationships and the social environments they frequent.
Now that the DPC has issued guidance, organisations should ensure that their approach is compliant.
Our Data Protection Support Services team can assist you in implementing a successful data protection programme, achieving and maintaining compliance with EU data protection requirements while delivering security, productivity, risk management and cost-efficiency benefits. View our GDPR Service Offering for more information.