Some of the visitors to our website may be aware of an update to the laws surrounding your privacy on the internet and the fact that in order for a website to function software otherwise known as “cookies” are employed to assist in areas such as remembering your preferences, enabling the use of a shopping cart or offering you the option to share information from a website via social media.
For those of you aren’t aware of this, the background to this post on EU Cookie Law is that in 2011 EU legislation was updated to ensure that the privacy of browsers on the web was protected and that they are made aware of information that may be tracked. As there were a considerable number of posts on the web which indicated that the deadline was May 2012 and which didn’t appear to clarify the Irish situation, I sought the advice of the Data Protection Commissioner who have now granted me permission to share the response to my query with you.
Based on the information available to me in a series of online posts I posed some queries to the Data Protection Commissioner which are also listed below in order that their reply makes sense within the context of my questions;
The Marketing Shop query –
I’m wondering if you can advise where I can obtain exact details as to what is required of a website owner in respect of the law which I believe was introduced in 2011 but had an amnesty until this week.
I have searched extensively and can find little information from Ireland but quite a lot from the UK and US which would indicate that;
- The law applies to websites hosted within specific EU countries of which Ireland is one
- The law applies to websites that receive a significant portion of traffic from within these EU states
- That cookies will be incorporated where ads or affiliate links are in place as there is a payment situation in place there
- That ideally we advise people our policy has been updated upon arrival at our site via a banner, pop-up or similar as opposed to a standard link in the footer
- That Google Analytics is different to other cookies as it’s a measurement tool
- That people should have the option to opt out of cookies even if it’s at the expense of the functionality of the site
- That cookies which are essential in the functionality of a website e.g. cookies which remember items you’ve purchased on an ecommerce shopping cart, are exempt
I’m not clear on whether we are obliged to name any add-ons to the site e.g. Mailchimp software for email marketing or Social Media for sharing information?
I’ve updated the text and added a banner on my own site www.themarketingshop.ie but I’m not sure whether there are specifics that apply to Ireland?
Any information or links to the rules for Ireland would be greatly appreciated.
Reply from Data Protection Commissioner –
I can advise that, further to the provisions of S.I. 336 of 2011 which implements the ePrivacy Directive in Ireland, we would expect there to be information available on an organisation’s homepage in relation to cookie usage generally. These Regulations came into effect on the 1st of July 2011 and there was no amnesty in place.
The Regulations do not prescribe how consent is to be obtained, other than that this should be as user friendly as possible. They envisage that, where it is technically possible and effective, such consent could be given by the use of appropriate browser settings, as long as reliance is not placed on the default settings. In order to meet the legal requirements, such settings would require, as a minimum, clear communication to the user as to what he/she is being asked to consent to and a means of giving or refusing consent to any information being stored or retrieved. It is particularly important that the requirements are met where so called “third party” or “tracking” cookies are involved – such as when advertising networks collect information about websites visited by users in order to better target advertising.
For the Irish market we would be satisfied with a prominent notice on the homepage with an ability to click through to make informed choices.
If a website is localised to other markets in the EU, a ‘pop-up screen’ asking the user to provide consent can be used to ensure compliance.
However, there are other ways to obtain consent, such as the following:
- A static information banner on top of a website requesting the user’s consent to set some cookies, with a hyperlink to a privacy statement with a more detailed explanation about the different controllers and the purposes of the processing (e.g. www.ico.gov.uk).
- A splash screen on entering the website explaining what cookies will be set by what parties if the user consents.
- A default setting prohibiting the transfer of data to external parties, requiring a user to click to indicate consent for tracking purposes.
- A default setting in browsers that would prevent the collection of behavioural data
Information that is necessary to facilitate the transmission of a communication, or information that is strictly necessary to provide an information society service explicitly requested by the user, is not subject to this requirement. If a cookie is strictly necessary to facilitate a transaction requested by the user – for example, storage of items in a shopping cart on an online website – advance consent will not be required. This will be the case where the cookie is stored only for as long as the “session” is live and will be deleted at the end of the session. Information on such use should be readily available to the user of a website.
In relation to Google Analytics, we advise that its use should be in line with the advice given by the Hamburg Data Protection Authority, which can be found at the following link:
It is currently considered that the consent obligations in relation to behavioural advertising cookies fall into a higher category and this remains outstanding at the moment pending discussions at European level as to how consent is obtained in such circumstances.