DATA PROTECTION COMMISSIONER CRACKS DOWN ON COOKIE COMPLIANCE

The Office of the Data Protection Commissioner (Commissioner) has issued a press release confirming that in the coming months it will be looking at how businesses and website owners are complying with the new “cookie” obligations which came into force in July 2011.

The new cookie obligations were introduced by Statutory Instrument 336 of 2011 (SI 336) in July 2011. SI 336 implemented the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (regulations).

A cookie is a small amount of data that is sent to a user’s browser from a website’s computer and is stored on the hard drive of the user’s computer. Businesses use cookies on their websites to understand site usage, to improve site content and to keep track of what viewers are looking at and purchasing on their site.

The Commissioner recently wrote to 80 different website owners, comprising the most high-profile and most viewed websites in Ireland, seeking information on the steps taken by the website owners to meet the obligations placed on them by the regulations.

Whilst the new regulations are vague in their specific requirements, the regulations require websites to have a clear, prominent and comprehensible cookie policy explaining what cookies are and the particular website’s reasons for using cookies. In particular, the Commissioner is looking to ensure that all website owners have amended their privacy and cookie policy to take on board the stricter obligations under the regulations.

The new regulations provide that all websites must now have users’ consent before the website uses cookies to gather and store information. The regulations do not prescribe how the information is to be provided or how the consent is to be obtained, and it is not clear if express consent is required. There appear to be a number of ways to obtain users’ consent, including pop-up notices, consent boxes, appropriate language or through the website’s general terms and conditions.

The regulations indicate that the methods of providing information and giving consent should be as user-friendly as possible. The regulations also indicate that in certain circumstances users may be able to give consent through their browser settings and the use of browser settings may be a comprehensive means of managing consent.

The regulations further provide that particular attention should be paid to “third party” or “tracking cookies”, which occur where the information obtained by the cookies is then used by third parties such as advertisers or used in relation to applications on websites. In order to comply with the regulations, it is necessary for businesses to clearly specify on their websites the different types of cookies being used on the website and clarify which cookies are used by third parties.

It is recommended that businesses set out a detailed list and description of the different types of cookies used on websites (for example strictly necessary cookies, performance cookies, functionality cookies, targeting or advertising cookies etc.) to ensure compliance with the new obligations.

The Commissioner has confirmed that it will be continuing to raise awareness and conduct an assessment of compliance with the regulations in relation to all websites throughout the coming year. It is therefore prudent that all businesses and organisations conduct a comprehensive audit of their websites to ensure compliance with the regulations.