Your Cookie Questions Answered

Contents

1. Why all the recent fuss about cookies?
2. What is a cookie and what are they for?
3. What is the ePrivacy Directive?
4. What do I need to do to comply?
5. Can I direct the user to block cookies via their browser settings?
6. Can my site load all cookies by default or pre-tick the boxes?
7. What are "strictly necessary" cookies? Are there other types of cookies?
8. Do I need to classify cookies? Is an "accept all" approach acceptable?
9. What information must I give users?
10. What about tracking pixels, local storage and other tracking tools?
11. What's the difference between a first-party and third-party cookie?
12. What's the difference between session cookies and persistent cookies?
13. What do I need to know about cookie lifespan and expiration?
14. My site uses cookies but I'm not tracking any personal data, do I still need a consent banner?
15. Can I make the "accept" button bigger than the "reject" one?
16. Do I have to allow users a way to withdraw consent?
17. What's this about needing to document and store consent received?
18. What about mobile apps?
19. Do I need a cookie policy?
20. Won't this affect my analytics?
21. Can I block users from my site until they give consent?
22. My organisation is based outside the EU, does this apply to me?
23. What happens if my site is not compliant?

1. Why all the recent fuss about cookies?

Back in April, the Data Protection Commission (DPC) carried out a sweep of 40 websites and found that 95% of them were not compliant with the ePrivacy Directive. On foot of this, they issued clear guidance on what compliance looks like and gave website owners six months to get their sites in order before they start issuing fines.

Back to top

2. What is a cookie and what are they for?

A cookie is a small text file that is downloaded and stored by your browser when accessing a website. It allows the website to identify you as the same user as you browse the site and on subsequent return visits. They can serve a number of important functions, such as remembering what products you have added to your cart, and remembering who you are when you log in. They can also be used to provide the owners of the website with information about you, such as your device type, browser type, language preferences, content viewed, and personal data such as IP address or user name.

Back to top

3. What is the ePrivacy Directive?

The ePrivacy Directive was first passed in 2002, and later amended in 2009. However, it didn't become law in Ireland until 2011. It's often known as the "cookie law" as its most notable effect was the sudden rise of cookie consent pop-ups after it was passed. It supplements (and in some cases, overrides) the GDPR which came into effect in 2018.

However, until recently there was a general lack of clarity on what the legislation meant and no real compliance checking or enforcement of it. The result was that many website owners thought they were compliant. Now with the clear guidance from the DPC and the threat of fines, website owners are finding themselves scrambling to get compliant in time.

Back to top

4. What do I need to do to comply?

To comply with the regulations governing cookies under both the GDPR and the ePrivacy Directive you must:

• Obtain users’ consent before setting any cookies in their browser, with the exception of strictly necessary cookies
• Provide accurate, clear and easy-to-understand information about what each cookie tracks and how it is used before consent is received
• Document and store consent received from users
• Allow users to access your website content and functionality even if they reject some or all cookies
• Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place

Back to top

5. Can I direct the user to block cookies via their browser settings?

No, you can no longer direct users to their browser settings to turn off cookies. Implied or inferred consent is not sufficient, and cookie banners which state that by continuing to use the site, you agree to their use of cookies are not compliant with the ePrivacy Directive. In the DPC's review, they found that two-thirds of websites relied on this approach.

Back to top

6. Can my site load all cookies by default or pre-tick the boxes?

No, prior consent must be obtained before setting any cookies other than those classified as strictly necessary.

All checkboxes relating to cookie consent settings can not be ticked by default, again with the exception of those which are classified as strictly necessary.

Back to top

7. What are "strictly necessary" cookies? Are there other types of cookies?

The ePrivacy Directive specifies just two exemptions where prior consent is not required:

• where the cookie is used for the sole purpose of carrying out the transmission of a communication
• where the cookie is strictly necessary to provide a service explicitly requested by the user

Examples of these would include cookies used to remember products added to your shopping cart, session cookies providing security measures to prevent unauthorised access to your account, and load-balancing cookies that ensure the content of your page loads quickly. The DPC was also clear to point out in their report that cookies required for chatbot functionality can not be required as strictly necessary.

These are generally classified as strictly necessary cookies and, while you do not need to obtain consent for these, it is generally good practice to provide users with information about these cookies.

Other cookies can be generally classified as follows:

• Preferences - sometimes called “functionality cookies,” these cookies allow a website to remember choices you have made, such as preferred language, or your username and password so you can automatically log in.
• Statistics - these are also known as “performance" or "analytics" cookies, and typically collect information about how you use a website, links clicked, pages visited, browser information, referrer information.
• Marketing - these are also know as "targeting" cookies, and they track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies may share that information with other organisations or advertisers.

As you can see, the exact names of the categories are not explicitly defined by the ePrivacy Directive. However, regardless of what naming convention you use, it is important that you are both accurate and clear in how cookies in that category are used and their purpose.

Back to top

8. Do I need to classify cookies? Is an "accept all" approach acceptable?

Under the ePrivacy Directive, consent cannot be "bundled". These means an "accept all" and "reject all" approach to obtaining consent on your site. One consent spanning multiple purposes is not acceptable and the user must be able to grant or deny consent to each purpose.

If you have cookies with varying purposes on your site, then you must give users the opportunity to opt in or out of these different purposes or classifications. However, you don't have to get as granular as obtaining consent at the per-cookie level.

Back to top

9. What information must I give users?

You must provide your users with "clear and comprehensive" information on what information you track, for what purpose, who you share the data with and how long it is retained for. This needs to be displayed prominently and easily accessible. Users must be able to understand the potential consequences of granting consent. You may also need to make sure the language and level of detail are appropriate for your intended audience so they can understand what each cookie does and make an informed decision.

Back to top

10. What about tracking pixels, local storage and other tracking tools?

While the ePrivacy Directive has been dubbed as the "cookie law", it actually applies to other tracking technologies, and not just cookies. One example of this are pixels. Also, known as web beacons, pixels are often embedded in websites in order to monitor a user's actions, or in emails to track the number of opens. They are called pixels as they are usually a single pixel in size and transparent, making them invisible to the eye.

If you use pixels on your website, such as the Facebook Pixel, then you also need to obtain consent from the user before loading it. You should also watch out for social media buttons and widgets adding their own tracking technologies.

Back to top

11. What's the difference between a first-party and third-party cookie?

Whether a cookie a first- or third-party cookie depends on the website or domain adding the cookie.

• First-party cookies are set directly by the website you're visiting
• Third-party cookies are set by a domain that is different from the website you are visiting. This typically happens when the website you are visiting loads javascript, images, etc from an external domain. When your browser fetches these elements, cookies are often set by these domains as well.

The DPC report states that first-party analytics cookies are unlikely to create a privacy risk if limited to first-party aggregated statistical purposes. However, third-party cookies may present a greater privacy risk to the user.

Back to top

12. What's the difference between session cookies and persistent cookies?

• Session cookies are cookies which are temporary and expire once you close your browser or once your session ends. They can be used for a variety of purposes, such as remembering what products you have added to your shopping cart or remembering whether or not you are logged in to a site.
• Persistent cookies are ones which last longer than your browser session. They are stored on your device between sessions and remain there until manually erased or until they expire.

Back to top

13. What do I need to know about cookie lifespan and expiration?

As described above, persistent cookies remain on your device until erased by the user or until they expire. The length of time between the cooke being set and its expiry is set by the website or third-party creating the cookie.

According to the ePrivacy Directive, persistent cookies should really not last longer than 12 months. If the expiration lifespan of cookies on your site are longer than this, then you may need to consider whether it is really necessary or otherwise be able to justify it.

Back to top

14. My site uses cookies but I'm not tracking any personal data, do I still need a consent banner?

Yes, the ePrivacy Directive applies to all cookies and tracking technologies, regardless of whether or not personal data is tracked or data is anonymised.

Back to top

15. Can I make the "accept" button bigger than the "reject" one?

No, consent banners should not "nudge" users into accepting cookies. Any option to reject cookies must have equal prominence to the option to accept.

Back to top

16. Do I have to allow users a way to withdraw consent?

Yes, users must be able to withdraw their consent or modify permissions for cookies and other tracking technologies. What's more, but they need to be able to do this as easily as it was to grant consent in the first instance.

Back to top

17. What's this about needing to document and store consent received?

If a user opts in or out of particular consent categories, these preferences must be respected and recorded as appropriate. The DPC considers that these preferences should be retained for no-longer than 6 months, after which the consent should be re-obtained.

Back to top

18. What about mobile apps?

According to the European Union’s Article 29 Data Protection Working Party (“WP29“), the ePrivacy Directive also applies to mobile applications.

Mobile apps store information on phones and tablets, and may also access information on the device, such as photos, contact information, etc. App developers are therefore required to provide clear information to users about what the app does, exactly how it uses their information and users’ consent must be obtained prior to installing or accessing any information stored on their devices.

Back to top

19. Do I need a cookie policy?

If you're using cookies that track user behaviour or collect personal data, then you will need a Cookie Policy, or a Privacy Policy that explains your use of cookies. This rule applies in many countries, even outside of the EU.

Back to top

20. Won't this affect my analytics?

Yes, this will affect your analytics, and once you implement a consent banner to get your site compliant, you will most likely see a drop-off in your site's recorded visitor numbers. The site will still be functioning correctly, it's just that some of your users will have opted to not allow statistical cookies.

Tools such as Google Analytics rely on cookies to track users' behaviour. Even cookie-free solutions such as Fathom Analytics rely on pixels, which also require consent under the ePrivacy Directive.

As "nudging" design techniques and pre-ticked boxes are all not allowed, there is not much that can be done to avoid this drop-off in your analytics.

Back to top

21. Can I block users from my site until they give consent?

No, the European Data Protection Board has made it clear that websites that block access to content or functionality on their website until a user consents to cookies (often called "cookie walls") are not compliant.

Back to top

22. My organisation is based outside the EU, does this apply to me?

If your website has any visits from users within the EU, then yes, you will need to give them the ability to consent to the use of cookies and other trackers. Similarly with mobile apps, if your app can be downloaded by a user in the EU, then the user's consent must be obtained prior to installing or accessing any information stored on their device.

Back to top

23. What happens if my site is not compliant?

The DPC has given website owners until the 6th October to get their sites in compliance with the ePrivacy Directive, after which action up to and including enforcement action may be taken. This includes the possible use of financial penalties. These penalties may be significant, particularly if the cookies are found to be processing personal data without consent.

In addition to the potential financial risks of enforcement actions, there is also the prospect of reputational damage and negative publicity. This is because wherever the DPC serves enforcement notices which are not complied with, details of the non-complying organisations concerned can be made publicly available in the DPC’s annual report.

Back to top