On 1 July 2011 the law on the use of cookies on websites changed significantly.  Under the new law website operators must provide “clear and comprehensive information” to the user or subscriber about the type of cookies being used.  This information must be both “prominently displayed and easily accessible” and must set out all of the purposes for which the cookies are being used.  Except in limited instances, the user or subscriber must also specifically consent to the use of the cookies. 

Old v New

It is no longer sufficient for website operators to notify users or subscribers of the use of cookies on their website via wording contained in the operator’s terms and conditions or privacy statement.  The standard paragraph, which will be familiar to many, had the effect of allowing the user to “opt out” of using cookies.  The user was then directed to disable the cookies on his browser settings.  Since July 2011, website operators must specifically explain what type of cookie is being used.  Generally, they are also required to obtain the specific consent or “opt-in” of the user.  The new law also covers the use of cookies by Apps. 

What Lies Ahead?

The Data Protection Commissioner (DPC) has not issued any specific guidance on what might be acceptable to achieve compliance with the new law, but he appears to be hinting at a solution via browser settings.  He has, however, noted in a guidance note that the “settings currently available on the main browsers do not appear to be sufficient in themselves to meet” the new obligations.  Other possible solutions for compliance might include (i) the use of pop-up menus requesting consent; (ii) ticking a box on revised terms and conditions; (iii) feature-led consent (such as watching a video clip or activating personalised content) where details of the cookie would be explained and consent would be obtained from the user on activating the feature; and (iv) settings-led consent (such as choice of language, colour scheme, text size) where details of the cookie would be explained and consent would be obtained from the user on activating the particular setting.
 
The UK Information Commissioner (the UK equivalent of the DPC) has opted for a solution similar to number (i) above to ensure compliance by his website with the UK equivalent of the new law, though there have been criticisms of the content of his fair processing notice.

Any Exceptions?

The DPC has said that session cookies specifically requested by the user, such as those to facilitate storage of items in an online shopping basket, are exempt from the new law.  Given that many online stores now use persistent cookies for such tasks, this exception may not be of much assistance to them.  It has been suggested that the exception would not cover a “wish list” feature whereby items remain stored for later retrieval by the user after his browsing session expires. 

Non-Compliance

The UK Information Commissioner has indicated that compliance with its new cookie laws will not be enforced in the first twelve months.  No such guidance has to date issued from the Irish DPC.  Given the fundamental change to the use of cookies brought about by the new law and the prevailing use of cookies by almost all operators, it will be interesting to see how the new law will be enforced.  A breach of the new law does not give rise to a penalty but the Office of the DPC has all of the powers available to it under the Data Protection Acts 1988 and 2003 to ensure compliance, including the issuance of enforcement notices.

Contributed by Brian McElligott and Leo Moore.