Cookies Guidance Note
Whilst every effort has been made to ensure this information is as up to date as possible, the law around cookies is currently evolving. We await further guidance from the supervisory authorities. We understand that the Information Commissioner’s Office (ICO) will soon be publishing updated guidance on cookies to reflect the GDPR and PECR and we will update this guidance note once the ICO (and/or DPC) has clarified its position.
What are Cookies?
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. They can be used to:
- identify users;
- remember users’ custom preferences and
- help users complete tasks without having to re‑enter information when browsing from one page to another or when visiting the site later.
Cookies can also be used for marketing by monitoring a person’s online behaviour so that the person can be targeted with adverts that are relevant to something that they searched for in the past.
Cookies are commonly categorised as follows:
| Type | Description |
|---|---|
| Persistent cookies | These remain stored on the user’s device until they reach a defined expiration date (which can be minutes, days or several years in the future). They allow the preferences or actions of the user to be remembered, e.g. for the next time they browse the website or to target advertising |
| Session cookies | Less intrusive than persistent cookies because they automatically expire when the user finishes browsing and they are not stored longer than this. These are often used to remember what a user has put in their internet shopping basket or for security when accessing internet banking |
| First party cookies | Set by the person operating the website visited by the user. First party cookies are generally seen as less intrusive than third party cookies |
| Third party cookies | These are set by a person who does not operate the website visited by the user. In other words, a third party may be able to track how people use the website and set their own cookies on a user’s computer |
What is the state of play with cookies?
Recital 30 of the GDPR states:
“Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. this may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”
Cookies can therefore be used to uniquely identify a person and so they should be treated as personal data. However, where cookies are used solely to gather anonymous information about website usage at an aggregated level (and provided that data cannot be combined with any other data to link it to an identifiable individual) no personal data will be involved. The rules in the E-Privacy Regulations will still apply, however, as they apply to all cookies regardless of whether they involve the processing of personal data. Currently two things are needed when using cookies on your website:
- Prominent information needs to be given to users of your website on what types of cookies are used and what their purpose is (e.g. preferences such as language or font, browsing & search history, tracking, session security and any third party cookies), a brief description of them and their lifespan, and how to remove or disable them; and
- A user also needs to consent to the use of certain cookies before the cookies are set. It is the E-Privacy Regulations which require consent. These Regulations are being updated and should have been revised to commence on the same date as the GDPR; however, they will not be ready until at least late 2018. When revised they state that ‘consent’ will be as per the GDPR. Currently consent can be ‘implied’ but it is unlikely that this will be allowable under the GDPR. (When revised the E-Privacy Regulations will align with the GDPR and so consent will be as per the GDPR definition). Not all cookies require consent, however; see section 6 below.
Steps to take now:
1 Audit your cookies
Ask your webmaster/ website provider to provide you with a clear description of all types of cookies used on your website including third party cookies, their purpose and their description and lifespan. This will help you understand whether you have any cookies which require consent.
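As an added illustration of the audit in step 1 (this example is not part of the original guidance note), the Python code below classifies captured Set-Cookie response headers using the categories in the table above: session or persistent, first or third party, and lifespan. The site name, hostnames and cookie values are constructed sample data, and first/third party is decided by a simple hostname suffix match, which is an assumption of this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data: (host that sent the response, raw Set-Cookie value).
SITE = "example-cu.test"  # hypothetical site being audited
CAPTURED = [
    ("www.example-cu.test", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example-cu.test", "lang=en; Max-Age=31536000; Path=/"),
    ("ads.tracker.test", "uid=777; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("www.example-cu.test", "basket=; Max-Age=0; Path=/"),
]

def lifespan_seconds(attrs, now):
    """Return seconds until expiry, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return int(attrs["max-age"])
        except ValueError:
            pass  # an invalid Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
        except (TypeError, ValueError):
            pass  # an unparseable date is ignored
    return None

def audit_cookie(host, header, site, now):
    """Classify one Set-Cookie header using the categories in this note."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    secs = lifespan_seconds(attrs, now)
    if secs is None:
        kind = "session"
    else:
        kind = "persistent" if secs > 0 else "deletion"
    # Simplification: suffix match on the hostname instead of a public-suffix lookup.
    party = "first" if host == site or host.endswith("." + site) else "third"
    return {"name": first.split("=", 1)[0], "party": party, "kind": kind,
            "lifespan_days": None if secs is None else round(secs / 86400, 1)}

def audit(captured, site, now=None):
    now = now or datetime.now(timezone.utc)
    return [audit_cookie(host, header, site, now) for host, header in captured]

if __name__ == "__main__":
    for row in audit(CAPTURED, SITE):
        print(row)
```

A header with a zero or negative lifespan is reported as "deletion" because it instructs the browser to remove the cookie rather than store it.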
2 Give information about the cookies to users
Prominent links to a ‘cookie notice’ would appear to be the most recent recommended guidance from the ICO/DPC. The link should have a title that makes it clear the information is about cookies. (The cookie notice can in addition be included in your general privacy notice; however, where cookies are used which require consent, it might be impractical and unclear to users to only have reference to cookies in your general privacy notice.)
The link could be made more prominent by, for example, placing it in the header rather than the footer of the page. The link should be on every page of the website.
What should be in your Cookie Notice?
- why cookies are being used, (to remember users’ actions, identify users, collect traffic information, etc.)
- if the cookies are essential for the website or a given functionality to work or if they aim to enhance the performance of the website
- the types of cookies used
- who controls/accesses the cookie‑related information (website or third‑party)
- that the cookie will not be used for any purpose other than the one stated
- how users can withdraw consent (including opt-out for third party cookies)
3 When to get consent?
Before the cookie is set.
4 How to obtain Consent
It is important to note that not all cookies require consent for them to be used. Where consent is not needed you will still need to provide information. The below may therefore not apply to your website (see exemptions listed below).
As stated, consent could previously be implied but it is difficult to see how this would be permissible under the GDPR. Where consent is the lawful basis for processing, the GDPR provides that ‘consent’ is:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Under the GDPR, consent must therefore be:
- freely given
- an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them
Consent can be obtained by opt in boxes and the user can also be guided as to how they amend their preference in the browser settings. The user must also be told of their right to opt out at the time their consent is obtained and that this must be as easy as opting in.
Consents can’t be bundled together, nor can pre-ticked boxes be used; there should be a tick box for each type of cookie used. See the example below of a notice that should be displayed for the user when they first enter your website and tracking cookies are used.
We recommend that a short pop up box/banner be used to bring the user’s attention to the fact that cookies will be used on the site. It is important to make sure users see clear information about cookies, to ensure that consent is valid and to increase levels of user awareness. Possible ways of making information about cookies more prominent include one or more of the following:
- a prominent hyperlink at the top of your website homepage saying ‘New: Cookies Info’
- amending your existing home page ‘Cookies and Privacy’ hyperlink to make it distinguishable from normal text and other links, i.e. to make it more prominent (this might include changing the size of the link to the information or using a different font)
- amending the existing home page ‘Cookies and Privacy’ hyperlink, e.g. moving the link from the footer of the page to somewhere more prominent and more likely to catch attention
- using mouse-over highlights that make the link stand out as being important (your website provider can explain what these are), so that the hyperlink appears more prominent or causes a pop-up box to appear when the user places their cursor over the hyperlink
- using a clickable image or icon to encourage people to seek more information
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another. [●]Credit Union uses [NUMBER] cookies on this website. These cookies allow us to distinguish you from other users of our website, which helps us to provide you with a good experience when you browse our website and also allows us to improve our site. Cookies also improve the functionality of this website. [CREDIT UNION TO AMEND/SHORTEN AS APPROPRIATE]
Read more about the individual cookies we use and how to recognise them by clicking here [INSERT LINK TO COOKIE NOTICE].
Please indicate, having first read our cookie notice, whether you consent to the following cookies being used:
[List each of the types of cookies with a tick box beside them]
You have a right to withdraw your consent at any time by [CREDIT UNION TO CONSULT WITH THEIR WEB DESIGNER ON HOW THIS CAN BE DONE – IT MUST BE AS EASY TO OPT OUT AS IT WAS TO OPT IN].
5 What if consent is withdrawn?
Consent can be withdrawn at any time.
You must provide information about how consent can be withdrawn and existing cookies removed.
6 Cookies which do not require consent (but the user still needs to be informed about them) are those:
- used for the sole purpose of carrying out the transmission of a communication; and
- strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.
- cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
- session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – e.g. online banking services; or
- load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers, for the duration of the session
- user‑input cookies (session-id) such as first‑party cookies to keep track of the user’s input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- authentication cookies, to identify the user once he has logged in, for the duration of a session
- user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
- multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session (unless hosting for a third party)
- user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
- third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.
Sample Cookie Notice of xx Credit Union
[NOTE TO CREDIT UNION: THIS COOKIE NOTICE IS A TEMPLATE AND MUST BE ADDED TO/DELETED FROM AS NECESSARY DEPENDING ON THE COOKIES USED BY YOUR WEBSITE – TO BE USED IN CONJUNCTION WITH THE POP UP NOTICE AS PROVIDED ABOVE]
We use the following cookies:
· [Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.]
· [Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.]
· [Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).]
· [Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.]
· [INSERT ANY OTHER COOKIES USED]
[EXPLAIN WHICH COOKIES YOU USE IN PLAIN, JARGON-FREE LANGUAGE. IN PARTICULAR:
· THEIR PURPOSE AND THE REASON WHY THEY ARE BEING USED, (E.G. TO REMEMBER USERS’ ACTIONS, TO IDENTIFY THE USER, FOR ONLINE BEHAVIOURAL ADVERTISING)
· IF THEY ARE ESSENTIAL FOR THE WEBSITE OR A GIVEN FUNCTIONALITY TO WORK OR IF THEY AIM TO ENHANCE THE PERFORMANCE OF THE WEBSITE
· THE TYPES OF COOKIES USED (E.G. SESSION OR PERMANENT, FIRST OR THIRD-PARTY), HOW LONG THEY LAST
· WHO CONTROLS/ACCESSES THE COOKIE-RELATED INFORMATION (WEBSITE OR THIRD PARTY)
· THAT THE COOKIE WILL NOT BE USED FOR ANY PURPOSE OTHER THAN THE ONE STATED
· HOW CONSENT CAN BE WITHDRAWN.]
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
You can also block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
[You can use the top level “cookie notice” of the Commission homepage as an example.
If your site does not use any cookies, just declare it (e.g. The Information Providers Guide site does not use any cookies). If your site uses the same cookies as the Commission homepage, you can just link to the top level cookie notice.]
How to control cookies
You can control and/or delete cookies as you wish – for details, see aboutcookies.org. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
If you want to see the other ways in which xx Credit Union processes personal data please have a look at our General Privacy Notice, located at www.xxxxx.ie
Article 4(11) of the GDPR: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”