NEW EU COOKIE RULES: The Europe-wide changes to the rules governing cookies pose a challenge for website operators. However, the rules may not be as onerous as is sometimes claimed, and compliance may be possible with a few simple amendments to the design of most sites.
Cookies are vital for the functioning of the modern web. Certain cookies, known as session cookies, are required to allow a user to log on to popular web services, such as online email or social networking sites.
Many other sites use cookies to determine which parts of their website are the most popular and to analyse how their site is used. Cookies also play a key role underpinning the online advertisements that help fund much of the free content enjoyed online.
The basic rules governing cookies are set out in the E-Privacy Directive, which became part of Irish law through the E-Privacy Regulations. A new Amending Directive, which was supposed to come into force across Europe on May 25th, 2011, amends these existing rules. The Irish measures adopting these new rules have not yet been enacted. However, the Department of Communications has issued draft regulations as part of a public consultation process.
Under the existing regime, an EU or Irish-based website can lawfully use cookies if it is transparent with the user about their use and gives the user an ability to “opt-out”. This is usually achieved via a website privacy policy. The new regime moves from this “opt-out” system to one based on user consent. In effect, a user must consent to the placing of the cookie on their computer.
Unfortunately, there is some uncertainty as to what is required to get a valid user consent to the use of the cookie. This uncertainty lies at the heart of the controversy around this issue.
Certain regulators, notably the EU’s data protection advisory body, the “Article 29 Working Party”, appear to have taken the view that the new regime requires that a user give an “opt-in” consent on a website’s home page before any cookies can be used.
However, a close reading of the directive, and the draft Irish Regulations, suggests that this invasive approach may not be necessary.
While the new regime requires that a user consent to the use of cookies, it does not require that they give express or explicit consent. It is arguable that the use of a website by a user who is aware that the site uses cookies may suffice to prove consent.
This interpretation would allow websites to remain compliant by being more transparent about the use of cookies. For example, it may be necessary to provide a disclosure about the use of cookies as part of a site’s home page. In this context, it is worth noting that the draft Irish regulations specifically state that it is not sufficient to solely provide the required information in a statement of terms and conditions or a privacy policy.
We must await the new Irish E-Privacy Regulations before we know precisely how the new cookie regime will apply to Irish-based websites. However, at this early stage, we can tentatively suggest that while increased disclosure will prove necessary, website operators should, in most cases, be able to avoid drastic redesigns of their service.
This is an edited version of an article on the website of Mason Hayes Curran, attributed to Oisin Tobin, at mhc.ie