Major finance, retail and media companies targeted in Irish “cookie” sweep

Published on 21 January 2020

How does the Irish Data Protection Commission (DPC) monitor whether websites are compliant with data protection law?

The key takeaway

If your website contains non-essential cookies, ensure that you obtain valid consent from users. 

The background

The DPC is undertaking a review of websites accessed by Irish consumers. Its review focuses primarily on ensuring that the use of “cookies” and other “plug-ins” is compliant with data protection law.

The DPC is assessing the compliance of certain websites with the ePrivacy Regulations and the General Data Protection Regulation (GDPR). In particular, the DPC is focusing on whether valid consent for the use of cookies has been obtained from consumers. 

The review will initially focus on a limited number of websites (the full details of which have not yet been disclosed), although the DPC has stated that the review may subsequently be extended.

The guidance

A cookie is a small file which holds data about websites visited by users. Cookies have a range of functions: some are essential to access a website, whilst others are non-essential (for example, they might collect data for targeted advertising). In order to use a non-essential cookie it is necessary to obtain the consent of the user.

When cookies collect personal data, the ePrivacy Regulations and the GDPR are to be read in conjunction. This means that the higher GDPR standard of consent applies: the consent given by the user must be freely given, informed, clear, unambiguous and demonstrated by an affirmative act.

Why is this important?

The DPC has stated that it may conduct formal probes into issues identified during its review. Fines under the GDPR can be up to the greater of 4% of global annual turnover or €20m. Whether you are operating your website in Ireland or elsewhere in the European Union, the requirements in place are the same. 

Any practical tips?

If your website uses non-essential cookies, make sure that you obtain valid consent. Whilst it is the Irish regulator that is currently looking into this issue, these standards also apply in the UK and across the EU. Practically, the steps to take include:
  • providing a clear explanation of the function of the cookies – language should be non-technical and give details of how any information collected is going to be used; 
  • avoiding pre-ticked boxes, which aren’t sufficient to demonstrate affirmative and unambiguous consent; 
  • ensuring that users who do not consent to non-essential cookies are still able to access the website;
  • setting your webpage up in a way that makes it easy for users to withdraw their consent. This might mean making the original consent form accessible and amendable or providing another simple and obvious route for the user to withdraw his or her consent.