Major finance, retail website operators targeted in Irish 'cookie' sweep

5 November 2019 12:54pm

1 November 2019, by Vesela Gladicheva

Major finance, retail and media companies in Ireland are facing scrutiny from the country's data-privacy regulator over whether their use of cookies complies with data-protection laws.

Still in its initial phase, the sweep, which also covers other tracking technologies, could be extended to more website operators and lead to investigations.

The sweep is "cross-sector and cross-size," Jennifer O'Sullivan, deputy commissioner at the Irish Data Protection Commission, told MLex.

It entails checking compliance with both the EU's e-privacy directive on keeping communications confidential and the General Data Protection Regulation, O'Sullivan said.

The GDPR will apply in situations where the regulator comes up against questions around obtaining "valid consent" from users, she said. The GDPR, which took effect in May 2018, allows EU privacy regulators to impose fines of up to 4 percent of a company's annual turnover.

O'Sullivan said the Irish check isn't a "quick job" and that it could lead to formal probes if the watchdog comes across violations.

“Cooperation has been requested by the [Irish] DPC from controllers across a broad range of sectors, including the financial, retail, sports, lifestyle and media sectors, and the public sector,” the regulator told MLex. “The sweep is focusing on websites at present but we have not ruled out looking at apps at a future point,” it said.

The enforcer is understood to be initially examining a small number of websites, with the possibility of then opening up the sweep to other operators.

Cookie consent

Cookies are small text files that have a wide range of uses, from storing someone’s language preference on a website, to enabling the large-scale tracking and profiling of people across the Internet. They can be set by the operator of a website or by third-party services that the website owner allows to, for example, present other information, run ads or provide analytics.

The Irish regulator's sweep focuses on how companies obtain consent from visitors to their websites for the use of cookies and other tracking technologies such as pixels and plugins. This is prescribed by the EU's e-privacy directive, which was transposed into Ireland's 2011 e-privacy regulations. That EU law is currently being revamped.

Where the use of cookies and tracking technologies involves the processing of personal data, then the e-privacy regulations must be read together with a higher standard of consent set by the Irish Data Protection Act 2018, which gave effect to the GDPR. It means that the consent companies obtain from users must be valid — a clear, affirmative act, freely given, specific, informed and unambiguous.

User consent is required before setting non-essential cookies, which are used to access information on a user’s computer or mobile device. The data controller has to clearly tell users about the technology and why the website operator is using it.

Last month, an eagerly awaited EU court ruling said the use of pre-ticked boxes by websites to obtain consent for cookie tracking does not amount to a person giving free and informed consent under the EU’s strict data-protection rules.