Ireland’s DPC (Data Protection Commission) will start enforcing data protection laws concerning the use of cookies more rigorously, following an investigation that revealed widespread non-compliance.
Depending on the way they are used, cookies and other tracking technologies are considered personal data and therefore subject to the GDPR (General Data Protection Regulation).
The DPC’s report on the use of cookies found that many organisations flouted the rules.
The authority provided a six-month grace period for organisations to address their compliance practices – the deadline for which was Monday, 5 October. Any organisation found to be in breach of the Regulation’s requirements now faces strict penalties.
Why are cookies personal data?
Cookies are considered personal data when they identify an individual via their device. This will be the case when they leave traces that, when combined with other unique identifiers and information received by servers, can be used to create user profiles.
This is in line with Recital 26 of the GDPR, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.
See also:
- How the GDPR affects cookie policies
- Creating a GDPR-compliant website
- Google aims to banish third-party cookies within the next two years
The most practical way of meeting your cookie requirements is to treat it in the same way as the GDPR’s consent requirements.
That doesn’t necessarily mean that consent has to be given explicitly. However, the must be a clear positive action and you must be confident that users understand the relationship between their actions and the information that the website collects.
Many organisations fell into the trap of assuming that a user that clicks ‘Okay’ on a splash page has provided consent, but regulators have made it clear that users must be able to easily enable or disable non-essential cookies.
Meet your GDPR compliance requirements
The DPC’s crackdown is another reminder that the GDPR is not going away, and it’s essential that you implement the necessary measures.
You can make sure your organisation is meeting its compliance requirements by taking our Certified GDPR Foundation Training Course.
This one-day course is delivered by an experienced data protection expert, and provides a comprehensive introduction to the Regulation and its rules.
It is ideal for managers who want to understand how the Regulation affects their organisation and employees who are responsible for GDPR compliance, and is available in a variety of forms, including online and self-paced.
