There is an exception from this express consent requirement for any cookies which are set on the user’s equipment for the ‘sole purpose of carrying out the transmission’ or which are ‘strictly necessary in order to receive an information society service’ requested by the user (i.e. from the user’s and not the operator’s perspective).
The DPC’s stated position is that ‘[...] any ‘consent’ as required under the ePrivacy Regulations, will now be defined in the same way as in the GDPR’. As the DPC goes on to explain, ‘[...] the standard of consent required by the GDPR is higher than under the previous law, and means that consent must be a clear, affirmative act, freely given, specific, informed, and unambiguous’. As such, website users must be given a clear choice (e.g. through off/on switches on cookies banners) as to whether or not to accept any cookies which are not ‘strictly necessary’. Implied consents, pre-ticked boxes or defaults to ‘on’ for non-essential cookies are no longer permitted.
Significantly, the ICO’s guidance has stated its view that analytics cookies and first and third-party advertising cookies do not qualify for the ‘strictly necessary’ exemption and so user consent must be sought and cannot be implied. The DPC’s guidance does not provide any detail on its position, but clearly the necessity of the setting by website operators of each cookie should now be more closely assessed. Any application of a strict regulatory view here may have far-reaching implications for the adtech commercial model and the financing of website content in general. It can be safely assumed that, where given the choice and where these types of advertising cookies are not set by default, users are highly unlikely to ‘opt in’ to the setting of such cookies in great numbers.
Currently, the DPC has power under the ePrivacy Regulations to investigate and serve enforcement notices for breach of the cookies requirements of the ePrivacy Regulations. This can require steps to be taken by the website operator to correct/rectify the breach, cease processing, erase data etc. Failure to comply with Regulation 5(3) of the ePrivacy Regulations is not itself a criminal offence. However, failure to comply with a DPC enforcement notice (without reasonable excuse) is a criminal offence, with the potential for a fine not exceeding €5,000.
While we are not aware of any precedent in Ireland for any prosecutions by the DPC arising as a result of breach of the existing cookies requirements, this position may well change as a result of the increased regulator focus on this area.
Separately, if a website operator’s privacy practices are not compliant with the GDPR, the DPC has available to it the full range of corrective powers provided for under the GDPR, including fines, to deal with any non-compliance.