Cookies & Website Tracking Technologies
June 2020

This report is intended solely for the information and internal use of the client, and is not intended to be and should not be used by any other person or entity. No other person or entity is entitled to rely, in any manner, or for any purpose, on this report.



© 2020 Deloitte Ireland LLP. All rights reserved.

Contents

Background
Cookies & Tracking Technology Overview
DPC Cookies Sweep Findings
Challenges
How can Deloitte assist?
Contact Us


Background

On 6 April 2020 the Irish Data Protection Commission ('DPC') published its report on the use of Cookies and other tracking technologies. The report states that organisations are required to examine their practices regarding website Cookies and other tracking technologies, taking account of the DPC's newly published guidance, and, where they identify areas of non-compliance, to bring them into compliance by 5 October 2020.

What key measures did the DPC call for?

Consent must be obtained for all non-essential Cookies. Websites must not be designed to favour acceptance over non-acceptance.

Cookie information must be user-friendly. Legal jargon and redirecting users to general terms and conditions should be avoided.

User interfaces should be designed so that users can change their preferences at any time.

Retention periods appropriate to the purpose for which each Cookie is used should be set and enforced.

These rules apply to all information stored on or read from the user's device, not just personal data. Where the data is personal data, the GDPR also applies.

Cookie walls are banned, i.e. a user must not be prevented from accessing a website because they do not accept Cookies.

Cookie and privacy policies should be accessible and kept up to date. The ability to read these policies must not be obscured by Cookie banners.

A joint-controller arrangement should be considered where data is shared with third parties through these technologies.

Put measures in place to demonstrate compliance in case of inspection by the DPC.


Cookies & Tracking Technologies: Overview


Cookie management—Overview

What is a Cookie?

A Cookie is a small file stored on a device when the user accesses certain websites. The Cookie is then sent back to the originating website on each subsequent request.

The guidance is not limited to traditional Cookies: local shared objects (LSOs) or 'flash' Cookies, software development kits (SDKs), pixel trackers (or pixel gifs), 'like' buttons and social sharing tools, and device fingerprinting technologies are all also within its remit.

Key Requirements

Current regulatory requirements for Cookie consent notices on websites are derived from the ePrivacy Directive (ePD), and personal data collected through Cookies and tracking technologies must be processed in line with the General Data Protection Regulation (GDPR).

Article 5(3) ePrivacy Directive

Organisations should provide individuals with comprehensive information (in accordance with Directive 95/46/EC, references to which are now read as references to the GDPR) including but not limited to:
• the identity of the organisation and its representative, if any;
• the purpose of the processing for which the data is intended;
• additional details such as the recipients or categories of recipients of the data, whether provision of the requested data is obligatory or voluntary and the consequences of failing to respond, and the existence of the individual's rights to access, correct, amend and/or delete the data.

Organisations should provide individuals with a means to consent to and/or object to such processing.

General Data Protection Regulation

Where an organisation relies on consent to use Cookies, it must be able to demonstrate that the data subject has consented to their use. Consent must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, and it must be as easy to withdraw as it was to give.

Note: The draft ePrivacy Regulation aims to update the existing legal framework and will replace the ePrivacy Directive. It envisages an expansion of the definition of electronic communications and further harmonisation of the rules throughout the European Union.


Types of Cookies

Below is an overview of the different types of Cookies, their categories, and how an organisation can choose to approach consent to the use of Cookies.

What are the different types of Cookies?

Based on Lifespan:

Session Cookies are erased when the individual closes the web browser. They are typically used for a website's functionality and navigation, but lifespan alone does not make a Cookie essential.

Persistent Cookies remain on the individual's device for a pre-defined period of time and continue to function until they expire or the individual manually deletes them.

Based on Domain:

First-party Cookies are set for the same domain as the visited website, e.g. the client's own Cookies functioning on the client's websites. Note that a first-party Cookie can still be written by third-party script loaded into the page, so the domain alone does not tell you who reads the data.

Third-party Cookies are set for a domain different from that of the visited website, typically by embedded third-party content such as advertising or analytics resources.

What are the different categories of Cookies?

Essential Cookies: Essential (or strictly necessary) for the website to function; their absence will hamper the website, e.g. the provision of a requested service.

Functional Cookies: Capture the individual's preferences on the website to provide a tailored browsing experience. The information collected is usually pseudonymised or anonymised so that the individual cannot be identified.

Performance Cookies: Monitor website performance (e.g. number of page views and unique individuals visiting the website). The information is used for statistical purposes, although the identifiers these Cookies carry may still constitute personal data.

Targeting Cookies: Track website visitors and use their information to provide tailored advertising based on individual interests and preferences. Personal data (e.g. age, gender, preferences, IP address) may be tracked.

Consent Models

Layered Model: Provide a brief description of each purpose, along with equal options to accept or reject, and a second layer allowing the user to access more granular information on those purposes and to accept or reject each.

Granular Model: Provide a description of each purpose on accessing the website, allowing the user to select the purposes they wish to accept and those they wish to reject.

Hybrid Model: Provide an interface which combines elements of the layered and granular models. This may include providing a description of each purpose together with layers for accessing further information.


Essential and Non-essential Cookies

Categorising "essential" and "non-essential" Cookies under European Cookie laws

Based upon S.I. No. 336/2011—European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, as detailed in Article 29 Working Party guidance.

Essential Cookies

Cookies are essential where they are strictly necessary:

• To transmit a communication over an electronic communications network.

• To provide an information society service explicitly requested by the user.

These Cookies do not require user consent before they are dropped or read (but should still be disclosed to users via the Cookie banner or policy).

Example: A Cookie used to process a transaction to buy an item requested by a customer. Note that Cookies that are not strictly necessary for this (e.g. to assist or speed up the process) are non-essential Cookies.

Non-Essential Cookies

Those that do not fall under the "essential" exemptions are generally "non-essential". Unambiguous, freely given and informed consent is required except in narrow circumstances. The subscriber must be provided with clear and comprehensive privacy information about the various aspects of the processing.

Example: A Cookie used for analytics purposes, or a Cookie used to tailor a website to a customer's interests.

Please note that "dual purpose" Cookies (used for both "essential" and "non-essential" purposes) are categorised as "non-essential" unless all "non-essential" uses are blocked until the user has consented via the Cookie banner. This can be accomplished, for example, by restricting the Cookie so that no service may read it for "non-essential" tracking purposes until the user consents. However, the leading practice is to split the "dual purpose" Cookie into two Cookies (one for "essential" purposes and another for "non-essential" purposes), so that the essential Cookie never carries data that a non-essential service needs.


DPC Cookies Sweep Findings


DPC Cookies Sweep—Findings

Between August and December 2019 a total of 40* companies were assessed by the DPC on their level of compliance with the applicable data protection legislation. In April 2020 the DPC published the findings of its review, which can be summarised as follows:

Overview of Results

Red Risk: 12
Borderline Red Risk: 3
Amber Risk: 20
Borderline Amber Risk: 1
Green Risk: 2

*Note: 1 participant was given a deferral on the basis that it was about to roll out an entirely new website, and 1 participant did not respond to any of the DPC's correspondence; the DPC is considering further action in that regard.

Rating Definitions (per the DPC)

Red indicates a poor or incomplete response, or questions not understood, with several serious concerns.

Amber signals a good response and approach to compliance, but at least one serious concern.

Green represents a very good response, substantially compliant, with any concerns straightforward and easily remedied.


DPC Cookie Sweep—Key Issues

It is evident from the results of the DPC's Cookie sweep that a significant number of organisations will need to act now if they are to achieve compliance by the DPC's stipulated deadline of 5 October 2020. The following key issues were identified:

About two thirds of controllers were incorrectly relying on 'implied consent' for the setting of non-essential Cookies, e.g. the wording of their Cookie banner stated that "by continuing to browse this site you consent to the use of Cookies".

For the majority of websites, there was no functionality for the user to vary or withdraw their consent.

For almost all websites, Cookies (including non-essential Cookies) were set immediately upon the user landing on the site and before the user had given consent.

On some websites, Consent Management Platforms (CMPs) were poorly deployed or designed, leading them to be confusing and potentially misleading for users.


Challenges


Common Challenges

We have found that organisations often experience common challenges in their efforts to comply with the regulatory requirements and guidance in relation to the use of Cookies and other tracking technologies:

Identifying what Cookies and other tracking technologies are being set on your website(s) and assessing whether they contain personal data.

Establishing the specific purpose of each Cookie and documenting it, including whether the Cookie is essential or non-essential and its category, e.g. essential, functional, performance, targeting.

Ensuring that Cookie banners lawfully obtain the required consent. This means, for instance, that the option to accept Cookies is not designed in a more attractive manner than the option to reject Cookies.

Reviewing and updating Cookie and privacy policies so that they are kept accurate and up to date and provide users with clear and comprehensive information, in line with the GDPR and the ePrivacy Directive.


How Deloitte can Assist


Our Methodology: An Overview

Taking advantage of our expertise in building digital solutions, our knowledge of Cookie regulators and our insights into industry best practices, we have developed the following methodology to check Cookies against compliance requirements. The process is partly automated through a tool that allows in-depth reviews to be conducted on webpages. These reviews are tailored to the needs of each organisation.

1. Information Gathering: Gather information about the Cookie activities in your organisation and their impact on external-facing sites.

2. Prioritise Sites: Categorise the sites your group operates and implement operational controls based on priority level. Factors in this categorisation include user traffic, the nature of the data tracked and the potential for regulatory scrutiny.

3. Cookie Discovery: Develop Cookie inventories (automated or manual) and categorise Cookies based on their purpose and nature.

4. Cookie Analysis: Analyse your Cookies to distinguish essential Cookies from non-essential Cookies. This includes an assessment of the use and purpose of each Cookie, the applicable data retention period, and the ability to delete Cookies or allow a user to update their Cookie preferences.

5. Blocking and Consent Implementation: Block non-essential Cookies until consent is given. This capability is necessary when a site informs users of their rights (including privacy rights) and uses non-essential Cookies to which the user has not yet consented.

6. Update Notices and Verify: Update Cookie notices and verify that non-essential Cookies are not set or read before the user's consent has been received.
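The discovery, analysis and verification steps above, together with the lifespan and domain distinctions from the Types of Cookies section, reduce to one repeatable check: capture every Cookie written during the first page load, before the banner is touched, classify it, and compare it with the Cookie inventory. The Python script below is an added example and is not Deloitte's tool or anything published by the DPC. The inventory, the site URL, the captured Set-Cookie headers (including the `_ga` and `ads_uid` entries) and the `registrable_domain` helper, which approximates the Public Suffix List with the last two labels, are all constructed assumptions.

```python
"""Pre-consent Cookie audit (added example; every name and value below is
constructed). Classifies each Cookie written during the first page load by
lifespan and domain, looks it up in the Cookie inventory and flags what the
DPC sweep found most often: non-essential Cookies set before consent."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical inventory from the discovery/analysis steps: documented category
# and the retention period (days) the organisation has set for each Cookie.
INVENTORY = {
    "session_id": {"category": "essential", "max_days": 1},
    "csrf_token": {"category": "essential", "max_days": 1},
    "lang": {"category": "functional", "max_days": 365},
    "_ga": {"category": "performance", "max_days": 730},
    "ads_uid": {"category": "targeting", "max_days": 180},
}

@dataclass
class CookieRecord:
    name: str
    domain: str
    lifespan: str  # "session" or "persistent"
    party: str  # "first" or "third"
    category: str  # inventory category, or "undocumented"
    retention_days: Optional[float]

def registrable_domain(host: str) -> str:
    """Assumed approximation: last two labels. A production tool should use the
    Public Suffix List, otherwise all sites under e.g. .co.uk look like one."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val}).
    Splitting on ';' first keeps the comma inside an Expires date intact."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def retention_days(attrs: Dict[str, str], now: datetime) -> Optional[float]:
    """None means a session Cookie. Max-Age wins over Expires (RFC 6265 s5.3)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:  # some Python versions return a naive datetime
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None

def audit(site_url, captured, inventory, now):
    """captured = (response URL, Set-Cookie header) pairs seen on the first load,
    before the banner is touched (script writes via document.cookie are assumed
    normalised to the same syntax). Returns (records, findings)."""
    site_rd = registrable_domain(urlsplit(site_url).hostname)
    records, findings = [], []
    for resp_url, header in captured:
        name, _value, attrs = parse_set_cookie(header)
        host = attrs.get("domain") or urlsplit(resp_url).hostname
        days = retention_days(attrs, now)
        entry = inventory.get(name)
        rec = CookieRecord(
            name=name, domain=host.strip("."),
            lifespan="session" if days is None else "persistent",
            party="first" if registrable_domain(host) == site_rd else "third",
            category=entry["category"] if entry else "undocumented",
            retention_days=days)
        records.append(rec)
        if rec.category != "essential":
            # Undocumented Cookies land here too: nothing justifies them as
            # essential, so setting them before consent is a finding.
            findings.append((name, "PRE_CONSENT", f"{rec.category} Cookie set "
                             f"before consent ({rec.party}-party, {rec.lifespan})"))
        elif days is not None and days > entry["max_days"]:
            findings.append((name, "RETENTION", f"kept {days:.0f} days, "
                             f"documented maximum {entry['max_days']} days"))
        if rec.party == "third":
            findings.append((name, "THIRD_PARTY", f"set by {rec.domain}: check "
                             "processor or joint-controller terms"))
    return records, findings

# Constructed capture of a first load of the site with no banner interaction.
SITE = "https://www.example.com/"
NOW = datetime(2020, 6, 15, tzinfo=timezone.utc)
CAPTURED = [
    (SITE, "session_id=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    (SITE, "csrf_token=4d1e77; Path=/; Max-Age=31536000; Secure; SameSite=Strict"),
    (SITE, "lang=en-IE; Path=/; Max-Age=31536000"),
    (SITE, "_ga=GA1.2.1234.5678; Domain=.example.com; Path=/; "
           "Expires=Sat, 01 Jan 2022 00:00:00 GMT"),
    ("https://ads.adnetwork.example/pixel.gif",
     "ads_uid=7b3a; Domain=.adnetwork.example; Path=/; Max-Age=15552000; "
     "Secure; SameSite=None"),
    (SITE, "ab_test=B; Path=/; Max-Age=604800"),
]
```

Run `audit(SITE, CAPTURED, INVENTORY, NOW)` and the constructed capture yields five cookies that fail the pre-consent rule or the documented retention: `lang`, `_ga`, `ads_uid` and the undocumented `ab_test` are all written before consent, and the essential `csrf_token` lives a year against a documented maximum of one day; only `session_id` passes. Two points the classification alone would hide: `_ga` is a first-party Cookie by domain even though it serves a third-party analytics service, so the party test says nothing about who reads the data, and an undocumented Cookie can never be defended as essential, so the inventory must be complete before the banner design is assessed.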


Our Methodology: In Detail

How it Works

Checking your organisation's Cookie compliance level can be done in three steps:

1. Provide a list of URLs to be checked for compliance.

2. Select the requirements against which each URL will be checked.

3. Results per URL are generated by the automated Cookie tool.

There is no limit to the number of URLs that may be listed; the software checks each one in turn.

Safeguarding your Online Presence

The automated process facilitates the checking of large numbers of URLs. It allows you to check whether internal policies are implemented on your websites. In addition to websites, it also makes it possible to check whether your social media pages are compliant.

Tailoring the Methodology to your Needs

Our methodology enables you to perform checks against a wide set of criteria. This includes controls linked to external requirements, such as security standards, the ePrivacy Directive and the GDPR. Internal organisational requirements may also be configured as controls.

Cookie Discovery and Classification

Your organisation can obtain insight into the Cookies used on the selected URLs. This includes the different categories of Cookies placed and whether or not these Cookies have been placed by third parties.

Practical Application of Consent Requirements

The tool makes it possible to automatically check for specific categories of Cookies and whether Cookies are placed only after consent is given.

Creating a User-Centric Cookie Experience

Deloitte supports organisations in creating a Cookie-compliant, yet user-friendly and branded privacy experience for online customers. Based on your organisation's envisioned functionality and use of Cookies, we can explore how to use a more customer-centric approach as a competitive edge.


How a Technology Solution can Help

Privacy technologies in the market offer varied tools to help organisations meet the requirements for Cookie consent.

Deloitte has a strategic alliance with OneTrust, a market-leading privacy technology provider, whose tools help organisations meet the requirements for Cookie consent.

Privacy Technology Benefits

An understanding of what Cookies and tracking technologies the websites are using, to help website owners make risk-based decisions and make sure that users are fully informed.

The ability for users to consent to or deny Cookies, as required for Cookie compliance, while preserving the website owner's control of the overall user experience.

Tools for website owners to put a Cookie notice on their websites, with simple deployment and editorial control over the content and user experience.


Who we are

Deloitte is the market leader in Europe for data privacy and regulatory advisory services.

We take a collaborative approach across our member firms, connecting a dedicated team of legal and technical experts.

We have more than 200 privacy professionals operating in Deloitte NSE, and an EMEA SME team with more than 450 members.

We have a track record of transforming the way our clients manage privacy risks and opportunities.

Leveraging our pan-European and multi-disciplinary expertise, we have developed the unique skill set to aid you on your path to compliance.

Our Expertise

Data privacy: We have a team of data privacy subject matter experts, who specialise in advising clients on how to comply with data protection legislation and applicable regulatory guidance.

Technology & digital: Our technology and digital experts help organisations develop strategies and implement systems that build business value and drive performance. We can support your organisation across the digital lifecycle, enhancing your online and mobile presence.

Business & organisation: We have IT specialists with many years of experience of implementing IT projects, anchored in the client's business and organisation and focusing on cost management and practical solutions.

Compliance


Contact Us

Colm McDonnell, Partner—Head of Risk Advisory, Cyber and Strategic Risk. Tel: +353 (0)1 417 2348. Mobile: +353 (0)87 813 8198. [email protected]

Sean Smith, Partner—Risk Advisory, Regulatory and Legal Support. Tel: +353 1 417 2306. Mobile: +353 (0)86 852 [email protected]

Eileen Healy, Partner—Risk Advisory, Accounting and Internal Controls. Tel: +353 21 490 7074. Mobile: +353 (0)86 164 [email protected]

David Kinsella, Partner—Risk Advisory, Accounting and Internal Controls. Tel: +353 (0)1 417 2529. Mobile: +353 (0)87 280 [email protected]

Laura Wadding, Partner—Risk Advisory, Regulatory and Legal Support. Tel: +353 (0)1 417 2934. Mobile: +353 (0)87 975 [email protected]

David Conway, Partner—Consulting, Digital Support. Tel: +353 (0)1 417 2853. Mobile: +353 (0)86 827 [email protected]

Ita Langton, Partner—Consulting, Technology Support. Tel: +353 (0)1 417 3897. Mobile: +353 (0)87 665 [email protected]


At Deloitte, we make an impact that matters for our clients, our people, our profession, and in the wider society by delivering the solutions and insights they need to address their most complex business challenges. As the largest global professional services and consulting network, with approximately 286,000 professionals in more than 150 countries, we bring world-class capabilities and high-quality services to our clients. In Ireland, Deloitte has nearly 3,000 people providing audit, tax, consulting, and corporate finance services to public and private clients spanning multiple industries. Our people have the leadership capabilities, experience and insight to collaborate with clients so they can move forward with confidence.

This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte Ireland LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte Ireland LLP is a limited liability partnership registered in Northern Ireland with registered number NC1499 and its registered office at 19 Bedford Street, Belfast BT2 7EJ, Northern Ireland.

Deloitte Ireland LLP is the Ireland affiliate of Deloitte NSE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.
