How to ensure cookies are GDPR-compliant by the DPC deadline

28 Jul 2020

Dave McEvoy, director of Dmac Media. Image: Dmac Media

Dave McEvoy, director of Dmac Media, explains why many Irish websites are failing when it comes to cookie compliance and how they can rectify this.

With just months to go before the Data Protection Commission (DPC) begins enforcing its guidance on web cookie compliance, Sligo web design business Dmac Media has warned Irish businesses that they may not yet be compliant with the DPC’s guidance.

Published in April, the DPC guidance note on cookies and other tracking technologies gave businesses operating websites and apps in Ireland six months to bring their policies and practices in line with newly clarified advice on cookie management.

The DPC surveyed around 40 popular Irish websites last year and identified concerns among nearly all of them. Just two of the websites surveyed got a ‘green rating’, meaning that they were substantially compliant.

Dave McEvoy, director of Dmac Media, explained that since GDPR measures were introduced in 2018, most website owners are aware that their website needs a cookie message, but the “vast majority” of these messages are not compliant with the law as they fail to disclose how cookies are used.

Cookies and GDPR

McEvoy added that from 6 October 2020, companies that have not brought their cookies in line with regulations could face financial penalties.

In the DPC’s guidance, it explains that cookies (which are small text files stored on devices such as computers, mobile or IoT devices) serve a number of important functions, such as keeping track of items in an online shopping cart, or helping web pages to load faster.

The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier or an email address, as well as non-personal data such as language settings or information about the type of device being used to browse a site. Cookies help websites to form a memory of user activity, and when a user chooses not to accept cookies, they may find that some features on certain websites are not available to them.

However, McEvoy warned that when users blindly click to accept cookies on every website they visit, they may be unwittingly agreeing to share information with a variety of advertising platforms.

“In short, cookies used for anything other than primary functionality have to have your permission to be placed on your device,” he said. “Yes, website owners tell their customers about these cookies, but they carried right on using the information incorrectly nonetheless. This goes against both the spirit and the letter of the regulations.”

How do you ensure your website is compliant?

McEvoy said that ensuring your website is compliant with new guidelines is as simple as updating the cookie message. He said that websites should not set any cookies that require consent until after the user has expressed permission.

The website needs to allow the user to reject or accept the setting without promoting one option over the other, and it must give the user the ability to manage their consent options.

“The important thing for businesses is to note that they are not allowed to assume consent, nor are they allowed to sway the visitor to a yes rather than a no, when seeking permission,” he added.

“A simple permissions update will solve the issue but companies need to be aware that the deadline is looming.”
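The requirements described above (no consent-requiring cookies before permission, no assumed consent, and consent the user can later change) can be sketched as a gate in front of every cookie write. This is an added example, not code from Dmac Media or the DPC; the `ConsentGate` class, the category names and the in-memory cookie jar are assumptions made for illustration.

```javascript
// Added example: consent-gated cookie writes. The in-memory jar stands in for
// document.cookie so the logic runs anywhere; category names are assumed.
const ESSENTIAL = "essential"; // assumed label for cookies needed for primary functionality

class ConsentGate {
  constructor(categories) {
    this.categories = categories; // consent-requiring categories offered to the user
    this.consent = new Map();     // category -> boolean; absent means "not asked yet"
    this.jar = new Map();         // cookie name -> { value, category }
  }

  // Record an explicit choice. Only a literal true/false counts, never a default.
  decide(category, granted) {
    if (!this.categories.includes(category)) throw new Error(`unknown category: ${category}`);
    if (typeof granted !== "boolean") throw new TypeError("consent must be explicit true/false");
    this.consent.set(category, granted);
    if (!granted) this.purge(category); // rejecting or withdrawing removes cookies already set
  }

  allowed(category) {
    return category === ESSENTIAL || this.consent.get(category) === true;
  }

  // Returns true if the cookie was written, false if it was blocked pending consent.
  set(name, value, category) {
    if (!this.allowed(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  purge(category) {
    for (const [name, c] of this.jar) if (c.category === category) this.jar.delete(name);
  }

  names() { return [...this.jar.keys()].sort(); }
}

// Constructed walk-through: first visit, a mixed choice, then a withdrawal.
function demo() {
  const gate = new ConsentGate(["analytics", "advertising"]);
  const log = [];
  log.push(gate.set("cart", "3 items", ESSENTIAL));     // written: primary functionality
  log.push(gate.set("_stats", "u-123", "analytics"));   // blocked: user not asked yet
  gate.decide("analytics", true);
  gate.decide("advertising", false);
  log.push(gate.set("_stats", "u-123", "analytics"));   // written: explicit yes
  log.push(gate.set("_ads", "seg-9", "advertising"));   // blocked: explicit no
  const before = gate.names();
  gate.decide("analytics", false);                      // user changes their mind
  return { log, before, after: gate.names() };
}
```

In a real page the same gate would also have to cover third-party scripts that set their own cookies, which means not loading them until `allowed()` returns true for their category.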

Kelly Earley was a journalist with Silicon Republic