Changes To 'Cookie' Law

Author:Ms Kate Colleary and Andrea Flynn
Profession:Eversheds O'Donnell Sweeney

New rules governing the use of internet cookies and other similar technologies have come into force following the Irish transposition of an EU Directive.1 The new Irish Regulations take effect from 1 July 2011 and require that website operators obtain "opt-in" consent before placing cookies on a user's computer or mobile phone. A key issue now facing businesses operating websites in Ireland is how they can obtain opt-in user consent while causing minimum impact to the user experience and without having to drastically reform their websites.

Cookies are small files which are downloaded from a website and stored on a user's computer or mobile phone allowing the website to recognise the user's device and hence enabling the website to provide a more customised and a smoother user interface. As well as facilitating user experience cookies are increasingly being used as a means to collect information on users for the purposes of targeted advertising.

Prior to the introduction of the Regulations, Irish website operators were permitted to use cookies once they provided users with the right to "opt-out" of the use of cookies. In practice this could be achieved by advising users by means of the website's privacy policy that the website used cookies and providing them with information on how they could opt-out of the use of cookies using their internet browser options.

Under the new rules, website operators must obtain "opt-in" user consent before placing a cookie on a user's computer. In addition, the new rules require that users consent to the use of cookies upfront having been given clear and comprehensive information about the purpose for which the cookies will be used. There is a limited exception to this, cookies that are strictly necessary to operate a transaction or service requested by the user are exempt from the rules, for example, where a user is storing items in an online shopping cart.

One of the key issues arising from the new rules is how this consent requirement may be achieved in a pragmatic way. The Office of the Data Protection Commissioner (ODPC) has published a guidance note on the Regulations which suggests that advance consent may be achieved by the appropriate use of browser settings. It is clear however that the fact that a user has allowed the use of cookies as a result of default settings in its internet browser will no longer be sufficient under the new rules. Indeed...

To continue reading