Are your websites and apps compliant? A look at Irish cookie consent regulation
July 1, 2020 by Yannig Roth
Last April, the Irish Data Protection Commission (DPC) published updated guidance on cookies and other tracking technologies. The “Guidance” was issued with a report based on a cookie audit of 38 companies, and the results of the audit were not good. The survey found that 35 of the 38 companies were not in compliance on the transparency and consent front. The Commissioner concluded that such low levels of compliance mean that ordinary individuals are unaware of the extent to which their activities are tracked online.
The Guidance reminds us that consent to cookies under Article 5(3) of the ePrivacy Directive must meet the standard of consent under GDPR. Many of the requirements of the Guidance stem from this change in the consent standard, which is largely in line with the guidelines of other Data Protection Authorities (DPAs) in Europe. So what does the DPC recommend on cookie consent in Ireland, and how can you make sure you are compliant?
The role of a Consent Management Platform (CMP) such as Didomi is to ensure compliance at all times, and to provide you with customised support in order to retain your users and strengthen your relationship with them. Here’s what you need to know about cookies, legal recommendations, and the role of CMPs.
What are cookies, and when is user consent needed?
A cookie is a text file in which you can store information such as IDs and passwords, navigation history, or card numbers for payments. There are two types of cookies: first-party cookies, set by the host domain, and third-party cookies, set by other domains and partners. There are also three main categories of cookies: analytics, content personalisation, and targeted advertisements.
The DPC stresses that consent must be obtained before any information is collected, whether through cookies or other tracking technologies such as pixel trackers, fingerprinting, SDKs, Local Storage Objects, “Like” buttons and other social sharing tools. In fact, consent must be collected for any storage of information on a user’s device or equipment. The only exceptions are communication cookies and strictly necessary cookies.
So what is ‘consent’, you may ask? According to the GDPR, “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. In addition, “it shall be as easy to withdraw as to give consent” (Art. 7.3).
In the light of these recommendations, browsers are becoming increasingly restrictive. Between July 2019 and January 2020, Firefox announced “Enhanced Tracking Protection” by default, Apple announced ITP 2.2 for Safari, and Chrome announced restrictions on cookies and tracking technologies, promising no more third-party cookies in Chrome by 2022. In this context, it is imperative for all programmatic advertisers to update and comply.
The Irish DPC’s main guidelines for cookie compliance
- Explicit consent is required: it is no longer possible to rely on implied consent (which is what two thirds of the audited companies did).
- No nudging: the ‘Accept Cookies’ button in the cookie banner should not be emphasised over the ‘Manage Cookies’ or ‘Reject All’ options.
- Clear choice of settings: banners must allow users to reject non-necessary cookies and similar technologies, to change their cookie preferences at any time, and to withdraw consent as easily as they gave it.
- Retention: consent cookies should have a maximum lifespan of 6 months, and the expiry date of any cookie should be proportionate to its purpose.
- Third-party cookie examination: it is the responsibility of each organisation to monitor third parties using cookies on their website or application.
How can Didomi help Irish brands and publishers?
Publishers may worry that compliance will lead to a loss of revenue, and both publishers and brands will be fearful of a drastic drop in consent. Indeed, there will probably be repercussions on consent rates (small or considerable, depending on your partners and the measures you put in place). All parties will be impacted, and everyone must prepare for a certain amount of change.
But don’t worry: this is why Didomi is here to help you. Through the use of specific tools such as A/B testing and bespoke CMPs, Didomi will make sure you know exactly what’s happening on your website, allowing you to optimise consent collection and build trust with your consumers.
A/B testing or finding the best “look and feel” for your banner to connect with your customers will be essential. But there will be one fundamental change that is positive, namely that giving more choice, control and freedom to users is a great opportunity for you to build brand confidence. By building better communication channels, you build trust, and that may be used to your advantage, for the benefit of all parties.
The best way to be compliant and make the most of the GDPR and PECR regulations is to implement a CMP which is both compliant and performant, such as Didomi’s. It will provide you with the right legal and technological tools, and become the first point of contact with your customers.
At Didomi, we begin by performing an audit of your website, including an analysis of application and website compliance, partner detection, identification of the cookies they drop and their lifespan. The goal is to give you an accurate picture of what is happening on your website or application, and often our customers are surprised at what they discover (especially because of all the activity around third-party cookies).
The next step is to customise your CMP by choosing the right message and consent notice format to ensure that the UI/UX are aligned with your brand image (colours, font, language, etc.). Then the CMP is deployed and integrated with existing solutions within your tech stack (integration of the SDK into mobile web & apps; integration with your tag management solutions; blocking of ad hoc cookies and specific tags, except for TMS and TCF). Finally, we follow up and optimise by performing regular audits to monitor cookie lifetime and new partners, closely following consent rates and performing A/B tests to improve opt-in rates.
Cookie consent is now a key indicator for companies. With a CMP, consent becomes an indication of user confidence in your business, which in turn leads to revenue. So put all the odds in your favour and choose Didomi!