The Irish Data Protection Commission has released a new guidance on the use of cookies and other tracking technologies.
The guidance is the result of a sweep on 38 websites in Ireland which showed that users of Irish websites “are being tracked by third parties to a significant degree across their browsing habits and daily online activities”.
Data controllers and website operators are allowed a six-month grace period to comply with the requirements before enforcements are commenced.
Read the full report here.
Six main points from the document
- All cookies require consent except strictly necessary cookies and cookies used for communication. Analytics Marketing cookies always require consent.
- Consent must be reaffirmed within 6 months and must be given to each cookie purpose (e.g. statistics, functional, marketing).
- Pre-checked boxes and implied consent is not allowed. Websites may not assume that users give consent merely by scrolling down the website or has seen information in a cookie pop-up.
- Cookie pop-ups must give users the option to decline cookies. Pop-ups only with ‘accept’ buttons are not compliant.
- Cookie pop-ups may not ‘nudge’ users into accepting cookies or make it difficult to reject cookies.