Cookies - You might only get one bite to make a digital first impression!

A visitor’s first experience of how you care for personal data is your cookie notice.

While the ePrivacy regulations govern cookies, they are subject to the consent model defined in the General Data Protection Regulation. The details in your cookie notice, the purposes of your cookies and how you collect consent for those cookies are part of the initial experience visitors have on a website. In these times, the digital front door is frequently the first step that a prospective customer takes in getting to know a new company. This first impression is critical.

A poor implementation may result in an audit by the Data Protection Commission, either as a result of a complaint from a visitor or surveillance by the DPC. A DPC audit will review all your data protection activities and may result in fines and prosecution. The time to ensure a good first impression is now, and I can help.

The Data Protection Commission is the regulator

In Ireland, the Data Protection Commission enforces the ePrivacy Regulations. Last April, they issued guidance on the implementation of cookies to ensure compliance with both the ePrivacy regulations and the consent requirements set out in the GDPR. On the 5th of October, following a six-month grace period, they will commence enforcement of this guidance. During the intervening six months, organisations have an opportunity to bring their implementations into compliance.

Two types of cookies

All cookies (and there are tens of thousands) can be divided into two types: those that are necessary for the website to operate and those that help enhance the basic service provided by the website. The ePrivacy regulations permit the installation of necessary cookies. The visitor must consent to the installation of any other cookie.

The purposes of cookies

As there are many cookies, it is useful to classify them based on their purpose. We can then describe the purpose and seek consent for the installation of any related cookies.

The first purpose is “necessary” - the cookies that we need to install so that the website will operate as the visitor expects.

For the remaining cookies, it is useful to define a set of purposes and describe each one in the cookie notice. We may name and describe these as we wish, but in general the remaining cookies fall into one of three categories:

  • “performance” for cookies that relate to the performance of the website
  • “functional” for cookies installed by additional functionality
  • “advertising” for cookies that support advertising services

Depending on your requirements, more categories may be appropriate. For example, if you have a range of additional functionality, it may be better to allow the visitor to select from several purposes instead of an “all or nothing” functional purpose.

What does good look like

In general, a solution should:

  1. Only install necessary cookies before the visitor can respond to the cookie notice
  2. Only install other cookies when the visitor has provided consent, and only for the purposes consented to
  3. Retain the consent choices for a limited time
  4. Allow the visitor to change their consent choices
  5. Provide a cookie policy that the visitor can access and review before accepting the cookie notice
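
One way to enforce points 1 to 4 of the list above in code, as an added example that is not part of the original article. The purpose names follow the article; the function names, the sample cookie registry and the 180-day retention value are assumptions.

```javascript
// Added example: decide which cookies may be set from a stored consent record.
// All identifiers here are hypothetical; only the purpose names come from the article.
const PURPOSES = ["necessary", "performance", "functional", "advertising"];
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // assumed retention; set per your policy

// Constructed sample registry: every cookie the site may set, tagged with one purpose.
const COOKIE_REGISTRY = [
  { name: "session_id", purpose: "necessary" },
  { name: "page_timing", purpose: "performance" },
  { name: "chat_widget", purpose: "functional" },
  { name: "ad_profile", purpose: "advertising" },
];

// Build a consent record from the visitor's explicit choices.
// Nothing optional is pre-selected: a purpose is granted only when chosen[p] === true.
// Calling this again with new choices replaces the old record (point 4).
function recordConsent(chosen, now) {
  const granted = PURPOSES.filter(
    (p) => p === "necessary" || chosen[p] === true
  );
  return { granted, expiresAt: now + CONSENT_TTL_MS };
}

// A missing, malformed or expired record counts as "no response yet" (point 3).
function isConsentCurrent(consent, now) {
  return Boolean(consent) && Array.isArray(consent.granted) &&
    typeof consent.expiresAt === "number" && now < consent.expiresAt;
}

// Names of the cookies that may be set right now (points 1 and 2).
// Purposes outside PURPOSES are ignored, so a tampered record cannot widen consent.
function allowedCookies(consent, now, registry = COOKIE_REGISTRY) {
  const granted = isConsentCurrent(consent, now)
    ? consent.granted.filter((p) => PURPOSES.includes(p))
    : [];
  return registry
    .filter((c) => c.purpose === "necessary" || granted.includes(c.purpose))
    .map((c) => c.name);
}

// The cookie notice must be shown again whenever there is no current record.
function mustShowNotice(consent, now) {
  return !isConsentCurrent(consent, now);
}
```

Every script that sets a cookie should consult `allowedCookies` first, so an expired or withdrawn consent takes effect without further changes.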

What does bad look like

A bad solution has any of the following symptoms:

  • Uses cookies but provides no notice
  • Provides no cookie policy or privacy policy
  • Provides a cookie notice with only one button
  • Loads optional cookies without consent or selects them by default
  • Ignores the consent settings

How does your site measure up

We offer a Preliminary Cookie Compliance Assessment which will help you understand any gaps your website may have against the requirements of the DPC Cookie Guidance.