Major finance, retail website operators targeted in Irish 'cookie' sweep
1 November 2019, by Vesela Gladicheva
Still in its initial phase, the sweep, which also covers other tracking technologies, could be extended to more website operators and lead to investigations.
The sweep is "cross-sector and cross-size," Jennifer O'Sullivan, deputy commissioner at the Irish Data Protection Commission, told MLex.
It entails checking compliance with both the EU's e-privacy directive on keeping communications confidential and the General Data Protection Regulation, O'Sullivan said.
The GDPR will apply in situations where the regulator comes up against questions around obtaining "valid consent" from users, she said. The GDPR, which took effect in May 2018, allows EU privacy regulators to impose fines of up to 4 percent of a company's annual turnover.
O'Sullivan said the Irish check isn't a "quick job" and that it could lead to formal probes, if the watchdog comes across violations.
“Cooperation has been requested by the [Irish] DPC from controllers across a broad range of sectors, including the financial, retail, sports, lifestyle and media sectors, and the public sector,” the regulator told MLex. “The sweep is focusing on websites at present but we have not ruled out looking at apps at a future point,” it said.
The enforcer is understood to be initially examining a small number of websites, with the possibility of then opening up the sweep to other operators.
Cookies are small text files that have a wide range of uses, from storing someone’s language preference on a website, to enabling the large-scale tracking and profiling of people across the Internet. They can be set by the operator of a website or by third-party services that the website owner allows to, for example, present other information, run ads or provide analytics.
User consent is required before setting non-essential cookies, used for access to information on a user’s computer or mobile device. The data controller has to clearly tell users about the technology and why the website operator is using it.
Last month, an eagerly awaited EU court ruling said the use of pre-ticked boxes by websites to obtain consent for cookie tracking does not amount to a person giving free and informed consent under the EU’s strict data-protection rules.