Data Protection - New Law on Website Cookies


by Robert Haniver


What are cookies and why are they used?

Cookies are small text files generated by websites or web hosting sites and stored on the user’s computer or other device. The main purpose of a cookie is to allow a website to identify a user’s device and track repeat visits to the website for marketing and statistical purposes.

A simple example of cookies in operation is where a browser stores your username and password on certain websites, or where a website’s ‘shopping cart’ retains your selection long after you initially reviewed a product. Cookies are also used to store preferences on the start pages of web browsers so the launch page includes links and information thought to be of interest to you, based on your browsing habits.

Cookies are usually stored on a user’s computer or device without the user’s informed knowledge or consent. Websites in this jurisdiction usually provide, in their website privacy statement, a brief explanation of what cookies are and how they can be disabled. However, if cookies are not disabled, a web server can save personal information into a cookie and automatically gain access to it each time the user accesses the website.


New Cookie Law

On 1 July 2011 important changes to the law governing the use of cookies on websites were introduced by the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (the ‘Regulations’). The Regulations implement the provisions of the ePrivacy Directive (Directive 2009/136/EC) and repeal the existing Irish Regulations (SI 535/2003 and SI 526/2008).

The Regulations impose more stringent requirements on websites, requiring them to go further than the standard practice of providing a brief description of what cookies are and how to disable them.

The new Regulations require websites to provide their visitors with “clear and comprehensive information”, which is “prominently displayed and easily accessible”, regarding the type of cookie being used and details of its purpose. This information must be given to the user before placing a cookie on their device. In addition, websites must (in most cases) obtain the prior informed consent of the user before deploying the cookie.

This latter requirement is of particular concern to website operators. For consent to be valid, regardless of the circumstances, it must be freely given, specific and constitute an informed indication of the person’s wishes. In the current context, website operators are obliged to obtain informed user consent each time a cookie is downloaded or accessed. This consent must be obtained in advance and be revocable.


Exception to new rules

The Data Protection Commissioner (‘DPC’) has stated that the new consent requirements do not apply in circumstances where the use of cookies is strictly necessary to facilitate a transaction requested by a user, such as the storage of items in an online shopping cart for as long as the website session is live. However, this exception would not extend to the use of persistent cookies, where the cookie is stored after the user has ended the website session.


How is compliance achieved?

The Regulations do not prescribe how information concerning the type and purpose of cookies is to be provided or how user consent should be obtained. However, the method chosen by website operators to provide the information and obtain prior consent must be “as user-friendly as possible”. This will require website operators to obtain consent through the use of prior opt-in mechanisms, which require the user’s affirmative indication of consent before a cookie can be deployed. In practice, this could involve the use of pop-up menus where information regarding the cookie is provided and users are asked to consent to its use. However, this is likely to impact users’ overall browsing experience.

The Regulations provide that user consent may be considered given where appropriate browser settings or other technological applications are in place. This would certainly be the preferred option for website operators. The EU data protection advisory body (Article 29 Working Party) is of the opinion that for browsers to be able to deliver valid consent, their default setting must be to reject third party cookies and require the user to engage in affirmative action to accept both the setting of, and continued transmission of, information contained in cookies. In addition, there should be industry co-operation to provide a clear, comprehensive and transparent message to ensure consent is informed and that such consent may be easily revoked.

The DPC has stated in his recent guidance that the settings currently available on the main web browsers do not satisfy the new requirements and therefore user consent cannot be considered to be given. Therefore, until web browsers introduce default privacy-protective settings, website operators must put in place their own mechanisms to ensure users are provided with clear and comprehensive information upon which they may give their prior informed consent.
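The following is an added example, not code from the article or from O'Rourke Reid, of what an operator-side opt-in gate of the kind described above can look like. It covers both points made on this page: the strictly necessary exception (a session-only cart cookie is allowed without consent, a persistent one is not) and the requirement that consent be prior, affirmative and revocable (non-essential cookies are held back until the user opts in, and revocation expires everything set under that category). It runs under Node without a browser; the `jar` Map stands in for the browser's cookie store, and the category names and the `Secure`/`SameSite=Lax` defaults are this example's own choices.

```javascript
// Added example: a consent gate that lets strictly necessary session cookies
// through and holds every other cookie back until the user has opted in.
// Runs under Node with no browser: `jar` is a plain Map standing in for the
// browser's cookie store, and category names are this example's own choice.

const CATEGORY = { NECESSARY: 'necessary', ANALYTICS: 'analytics', MARKETING: 'marketing' };

// Consent state starts empty: no category is opted in until the user acts.
function createConsentState() {
  return { granted: new Set() };
}

// Affirmative opt-in for one non-essential category.
function grantConsent(consent, category) {
  if (category === CATEGORY.NECESSARY) return false; // nothing to consent to
  consent.granted.add(category);
  return true;
}

// Build the value of a Set-Cookie header. A session cookie carries no
// Max-Age and is discarded when the browser session ends; a persistent
// cookie survives for maxAgeSeconds.
function buildSetCookie(name, value, { maxAgeSeconds, secure = true, sameSite = 'Lax' } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`);
  parts.push('Path=/');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// The gate. Returns { ok: true, header } when the cookie may be set and
// { ok: false, reason } when it may not. Strictly necessary cookies are
// allowed without consent but only for the live session, matching the
// DPC's reading that the exception does not cover persistent cookies.
function setCookieIfPermitted(jar, consent, spec) {
  const { name, value, category, maxAgeSeconds } = spec;
  if (category === CATEGORY.NECESSARY) {
    if (maxAgeSeconds !== undefined) {
      return { ok: false, reason: 'strictly necessary cookies must be session-only' };
    }
  } else if (!consent.granted.has(category)) {
    return { ok: false, reason: `no prior consent for ${category} cookies` };
  }
  const header = buildSetCookie(name, value, { maxAgeSeconds });
  jar.set(name, { value, category, persistent: maxAgeSeconds !== undefined });
  return { ok: true, header };
}

// Revocation: withdraw consent for a category and expire every cookie that
// was set under it. Returns the Set-Cookie headers (Max-Age=0) that clear
// them in the browser, so the caller can emit them on the next response.
function revokeConsent(jar, consent, category) {
  consent.granted.delete(category);
  const clearing = [];
  for (const [name, cookie] of [...jar]) {
    if (cookie.category === category) {
      jar.delete(name);
      clearing.push(buildSetCookie(name, '', { maxAgeSeconds: 0 }));
    }
  }
  return clearing;
}

// Walk through the flow once when run directly with `node`.
if (typeof require !== 'undefined' && require.main === module) {
  const jar = new Map();
  const consent = createConsentState();
  console.log(setCookieIfPermitted(jar, consent, { name: 'cart', value: 'sku-42', category: CATEGORY.NECESSARY }));
  console.log(setCookieIfPermitted(jar, consent, { name: 'visitor_id', value: 'v1', category: CATEGORY.ANALYTICS, maxAgeSeconds: 86400 }));
  grantConsent(consent, CATEGORY.ANALYTICS);
  console.log(setCookieIfPermitted(jar, consent, { name: 'visitor_id', value: 'v1', category: CATEGORY.ANALYTICS, maxAgeSeconds: 86400 }));
  console.log(revokeConsent(jar, consent, CATEGORY.ANALYTICS));
}
```

The design point is that consent is checked at the moment a cookie would be written, not at page load: a cookie that arrives without a matching prior opt-in is refused with a reason the operator can log, and withdrawing consent produces the expiring headers needed to honour the revocation on the client as well as in the server-side record.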

Website operators cannot be expected to implement these changes overnight. It is generally perceived that some leeway will be given to allow websites to become compliant. However, it is recommended that website operators take early steps to ensure their compliance.

Failure to comply with the new requirements does not give rise to a criminal offence. However, the DPC retains the usual powers conferred on him by the Data Protection Acts 1988 and 2003 to pursue non-compliant operators.

For further information please contact Robert Haniver on +353 1 240 1218 or rhaniver@orourkereid.com
