Report by the DPC on the use of cookies and other tracking technologies

In August 2019, the Data Protection Commission (DPC) commenced an examination of the use of cookies and similar technologies on a selection of websites across a range of sectors, including media and publishing, the retail sector, restaurants and food ordering services, insurance, sport and leisure and the public sector.

We chose popular websites operated by some of the most well-known organisations across these sectors. We also included controllers whose use of cookies had come to the attention of the DPC through complaints from members of the public, or through our own observations of how information about cookies and tracking technologies was presented, or appeared to be lacking, on those sites.

The purpose of the sweep survey was to request information to allow us to examine the deployment of such technologies and to establish how, and whether, organisations are complying with the law. In particular, we wanted to examine how controllers obtain the consent of users for the use of cookies and other tracking technologies.

We did not undertake a broader examination of the adtech industry or the real-time bidding advertising framework as part of this sweep as these issues are the subject of separate inquiries by the DPC. Nevertheless, it was evident from the examination of the types of tracking technologies and cookies in use that advertising technology and tracking are core to the business models of many of the websites examined.

Here is the report on the use of cookies and other tracking technologies
 Guidance note on cookies and other tracking technologies


Originally published on Data Protection Commissioner’s site.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.