You are here: What's New > Publications > New Rules on Cookies (1.12.2011)
New Rules on Cookies (1.12.2011)

The new European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 came into force in Ireland on 1st July 2011. The regulations implement a European Directive and bring in new rules on cookies in respect of websites.

What are Cookies?

Cookies are classed as a means of storing information on a website user's computer, or a means of gaining access to information already stored on a user's computer.

A common cookie which businesses use on their websites is for visitor tracking to enable them to analyse visitor's behaviour on their website. Other websites need to use cookies for online shopping to proceed to use ‘baskets' and to ‘checkout'.

What are the Implications of the New Regulations?

For websites to use cookies legally under the new regulations the website owner must now ensure:-
• The user has given consent to that use
• Information on the purposes of processing such information is provided and all such consent provisions and information is prominently displayed and easily accessible.

There is an exception in respect of when a service is explicitly requested by a user to which the new rules do not apply. For example this allows online shopping to proceed without express consent for cookie use.

When the regulations first came out there was no definitive guidance in respect of how such consent should be obtained in practice.

For instance it was not clear whether an ‘I accept' button has to be displayed by the website and then clicked by the user prior to cookies being used. Alternative suggestions in the debate on compliance included the previously compliant way of providing information in the website's privacy policy or terms and conditions on how to block cookies through the user's own internet browser options. Consent is then presumed to be given if the user continues to use the site without blocking such cookies. That would be the less onerous option for businesses to employ. The Data Protection Commissioner has issued guidelines on the regulations but they are not explicit on what type of practical options will be compliant with the regulations. They do make clear the previous way to comply regarding browser settings and website policy information is no longer sufficient due to not all browser's being sophisticated enough to block all cookies.

A European Working Party was set up to address the issue of consent and the opinion was adopted on the 13th July 2011.

The Working Party recommends that consent must be specific, freely given and informed. This suggests that in practice consent must be explicitly obtained prior to any information being used or stored, and that information in privacy policies or terms and conditions (detailing how to block cookies and informing the user about which cookies are used by the website) is not sufficient.

The Information Commissioner's Office in the UK has a website which has a prominently displayed banner and information on cookies on the website. Only if a user clicks ‘I accept' will the website then go on to use cookies such as Google Analytics, a visitor tracking device. Users can still use the site if they do not click ‘I accept' and no cookies will be used by the website. Perhaps this is what the EU aspires to in terms of the implementation of the new rules on cookies. However there may be problems in implementation, firstly due to a lack of business awareness and understanding of the new regulations and their interpretation, and secondly in terms of the time and cost involved in implementing such a scheme or removing any cookies from business websites.

To Conclude

At the moment we are waiting to see how the EU and Ireland will interpret and enforce the regulations. Businesses need to review their cookie use and website privacy policies in light of the new regulations and make decisions on how they wish to proceed pending further guidance and decisions by the Data Protection Commissioner.

The regulations also brought in additional requirements in respect of marketing obligations for electronic marketing and phone calls.

For further information on the new regulation and how it affects your business please contact our Intellectual Property and Technology Unit.

Summary

New regulations on the use of cookies on websites.

Businesses should review their cookie use and website privacy policies.

It remains to be seen how the regulations will be interpreted and enforced by the Data Protection Commissioner.
 

Related Practice Areas
Search What's New
  • Choose one or more criteria to narrow your search