New electronic privacy regulations came into force in Ireland at the beginning of this month, transposing an EU directive into Irish law (similar rules now apply in the UK too).
Most attention has been on how the rules clamp down on “cold calling” and other spam, but many Irish businesses could face a much bigger headache: how their websites use cookies.
What are cookies?
Cookies are pieces of information that websites can place on a user’s computer, and which can later be retrieved by the website so that it can recognise the user or the machine. Cookies come in several types:
A session cookie can be used during a visit to a website, then deleted when the user leaves. For example, during an online transaction it can “remember” what a user has added to a shopping cart on one screen when they go to another screen.
A persistent cookie isn’t deleted at the end of the session, and can be used to recognise the user and specific information from session to session. To take a simple example, a weather website may use a persistent cookie to recall whether a user preferred weather forecasts in centigrade rather than Fahrenheit.
For more information about cookies, how they work and choices you can make through your own browser settings, see AllAboutCookies.org.
Previously, websites could use a privacy statement to tell visitors how cookies were being used, and explain how they could “opt out” if they objected. The new rules add a much more stringent “opt in” requirement.
Here’s what the Data Protection Commissioner’s website says on the issue:
“Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone etc) must provide appropriate information to the user and collect their consent except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must identify a means of obtaining user consent.”
A guidance note from the Commissioner (PDF, 202KB) also explains that individuals must be given clear and comprehensive information about why the data is being collected, and their consent must be given.
Persistent cookies
In a nutshell, the new rules mean you must ask visitors for their consent to have persistent cookies – as opposed to session cookies (which are deleted when the visitor leaves the site).
Consent is not required for cookies that are strictly necessary to facilitate a transaction requested by the user, such as storage of items in an online shopping cart – but in this case the cookies must be deleted at the end of the session.
The Data Protection Commissioner’s guidance note says:
“In all other cases, the requirement for clear and comprehensive information that is prominently displayed and easily accessible will apply, as well as the requirement for user consent. The Regulations do not prescribe how the information is to be provided or consent is to be obtained, other than this should be as user friendly as possible.”
In other words, it’s quite a grey area. In practical terms, businesses may achieve this in various ways, such as by asking users to click an opt-in box. But it also makes good business sense to make this accessible and as user-friendly as possible, while minimising any disruption.
Cookies for analytics
From a privacy perspective, some cookies are more invasive than others. For example, a service provider could use cookies to display higher prices to repeat visitors, misleading consumers about why the prices are rising, and the new regulations may go some way in clamping down on such unscrupulous practices.
On the other hand, some persistent cookies are used to compile basic traffic data such as returned versus new visitors. Many Irish businesses now use services such as the popular Google Analytics to assemble website traffic data, and up to now persistent cookies have been used to identify return visits.
Even so, the new regulations mean user consent will now be required for these types of cookies.
Complying with the new rules can involve substantial changes to a website, such as amendments to website templates or the addition of interactive forms so that users can opt in to persistent cookies.
The UK Information Commissioner is giving businesses a grace period of a year to make these types of changes, though the Irish Data Protection Commissioner has yet to say whether a similar grace period will operate here.
Browser settings
Under the new regulations, the user’s consent to the storing of information may be given by the use of appropriate browser settings. But currently browsers default to allowing all cookies.
Therefore, as things currently stand, browsers are not a “get out” clause. As the Commissioner’s guidance note says, “The settings currently available on the main browsers do not appear to be sufficient in themselves to meet the obligation.”
Apps
Bear in mind, too, that the new rules cover not only website cookies but also “other situations where information is placed on, or retrieved from, terminal equipment”, such as apps.