Sweep
The regulator said its sweep, though small, suggested that users of Irish websites “are being tracked by third parties to a significant degree across their browsing habits and daily online activities”.
It said the restaurant and food-ordering sector appeared to be the worst performer in terms of poor practices.
The aim of the sweep was to establish how and whether organisations were complying with the law, in particular the EU’s ePrivacy Regulations, and how they received consent for the use of cookies and other similar technologies which track website activity.
Compliance
Only two of 38 websites were given a ‘green’ rating, indicating that they were “substantially compliant”, with another site receiving a ‘borderline green/amber’ rating. 12 received a ‘red’ rating, which signalled poor or incomplete responses to questions or serious concerns about compliance.
The regulator found that many data controllers were setting a wide range of cookies as soon as a user landed on their website, without any engagement by the user with a consent management platform or cookie banner.
“These included third-party cookies from social media companies, payment providers and advertisers, which enable the browsing habits and online (and potentially offline) behaviour of individuals to be extensively tracked and monitored, even across multiple devices and sessions,” the DPC said.
Health
The regulator said it was particularly concerned about the use of third-party tracking on a number of health websites, citing as an example a “lack of clarity” on the use of cookies from one unnamed public sector organisation providing health-related information.
It also found that many sites may be wrongly categorising the cookies deployed on their sites as having a ‘necessary’ or ‘strictly necessary’ function, which are exempt from consent rules.
The DPC also found than 10 of the websites it looked at had pre-checked boxes which users had to deselect to refuse their consent to cookies.
These do not comply with EU law following an October judgment by the Court of Justice of the EU, which ruled that consent for the placement of cookies was not valid if obtained by way of pre-checked boxes.
Guidance
In addition, the DPC said some ‘on’ and ‘off’ positions were not clearly marked on checkboxes or sliders listing cookies.
The regulator noted, however, that there was a good level of cooperation with its examination, and that almost a third of the website controllers said they had either identified possible improvements to their practices or were keen to have updated guidance from the DPC.