Website Data Protection ‘Cookie’ Compliance (part 1)
The Data Protection Commission (DPC) has just released new guidelines on the use of cookies on websites, after a survey/sweep of Irish websites. The results were startling but not surprising, indicating that 38 out of the 40 sites picked were not fully compliant with the law as it now stands. Along with the guidelines, the DPC has given a 6-month window for companies to get their sites in order, after which action, up to and including enforcement action, will be considered.
The reason we were not surprised by the outcome of the survey/sweep is that we are aware that there is a lot of confusion, lack of information and misinformation surrounding the use of cookies on websites, both first-party and third-party cookies. This blog (in 2 parts) hopes to dispel some of that misinformation, help clarify for companies what they need to be aware of, and make clear that they need to act now.
THE LAW
Firstly, let’s set out the law as it now stands. In Ireland we need to look at Regulation 5 of the ePrivacy Regulations 2011, subsection 3, which effectively states that ‘cookies’ shall not be used unless all of the following criteria have been adhered to:
I. the user has given their consent to that use,
and
II. the user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which is:
a. both prominently displayed and easily accessible,
and
b. includes, without limitation, the purposes of the processing of the information.
We emphasise that all of the above criteria must be followed, and this is where a lot of websites are falling down; more about this later in part 2.
While we are waiting for a new ePrivacy Regulation to update the current law, the GDPR arrived in 2018. Although it does not directly deal with this area of data protection, it did update what is meant by ‘consent’, and it is clear from the DPC guidance that the ‘consent’ referred to above is now as set out in the GDPR, Article 4(11) and Article 6(1)(a), which state how a user’s consent must be obtained:
it must be obtained by means of a clear, affirmative act and be freely given, specific, informed and unambiguous
So, to conclude, the law as it stands in Ireland on cookies is set out in Regulation 5 of the ePrivacy Regulations 2011, which should be read in conjunction with the meaning of consent set out in the GDPR. These are the criteria that the DPC has stated it will be using to assess websites’ ‘cookie’ compliance going forward.
FYI, the DPC and the case law of the European court have clearly stated that you are the data controller for your website, so it is your responsibility, even if a third party manages it for you.
In part 2 of this article we will look at what applying the law actually means in practice, on your website, to ensure compliance with the DPC’s guidelines.