Report by the DPC on the use of cookies and other tracking technologies

06th April 2020

Revised on 15 April 2020

In August 2019, the Data Protection Commission (DPC) commenced an examination of the use of cookies and similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector.

We chose popular websites operated by some of the most well-known organisations across these sectors. We also included controllers whose use of cookies had come to the attention of the DPC through complaints from members of the public, or through our own observations of how information about cookies and tracking technologies was presented, or appeared to be lacking, on those sites.

The purpose of the sweep survey was to request information to allow us to examine the deployment of such technologies and to establish how, and whether, organisations are complying with the law. In particular, we wanted to examine how controllers obtain the consent of users for the use of cookies and other tracking technologies.

We did not undertake a broader examination of the adtech industry or the real-time bidding advertising framework as part of this sweep as these issues are the subject of separate inquiries by the DPC. Nevertheless, it was evident from the examination of the types of tracking technologies and cookies in use that advertising technology and tracking are core to the business models of many of the websites examined.

Attention is drawn to the fact that the section of the report headed “Banners and interfaces” has been revised as of 15th April 2020 to reflect concerns expressed by the owner of the Quantcast Consent Management Platform to the effect that its platform appeared to be the subject of criticism in circumstances where the report is expressly directed to a limited number of controllers (i.e. website owners) and the manner in which such controllers address their obligations under Regulation 5 of SI 336 of 2011, to include the manner in which they implement or deploy third party Consent Management Platforms. No such criticism was intended here. 

Report by the Data Protection Commission on the use of cookies and other tracking technologies

Guidance note on cookies and other tracking technologies