Home » News Stories » Website Operators Burning Cookies

News Stories

Job Search


Back to News »

Website Operators Burning Cookies
Feature Friday Article

Share this:
digg it  | kickit | Email it | | reddit | liveIt
Subscribe to IrishDev News RSS 
DateTuesday, July 05, 2011
AuthorMcCann Fitzgerald

Website Operators Burning Cookies

Dublin Law Firm McCann Fitzgerald Spell Out the Issues for Website Operators and Latest  EC Regulatations



MCCANN_FITZGERALD_Annette_Hogan.pngOn 1 July 2011, important changes to existing laws on cookies were introduced by the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, which are designed to implement the provisions of the ePrivacy Directive (Directive 2009/136/EC) and repeal existing laws in this area (ie SI 535/2003 and SI 526/2008) in their entirety.



As the Regulations impose more stringent requirements in respect of the use of cookies, ensuring compliance with their terms will present significant practical challenges to website operators. 



A cookie is a small text file which is stored on, and later retrieved from, a user's computer or other device. The main purpose of a cookie is to allow the website operator to identify the relevant device and to recognise repeat visitors to the website. Such repeat visits allow the website operator to track user trends and to obtain a detailed statistical analysis of visitors to the site. In particular, cookies can be used to build a profile of specific users and provide an invaluable tool for any website operator wishing to engage in behavioural marketing based on user preferences.




Previously, it was sufficient for website operators to afford users the right to opt-out from the use of cookies. This was generally achieved by informing users, as part of the website’s terms and conditions or privacy policy, of their right to reject cookies and by explaining that this could be done by disabling the cookie acceptance function in their internet browser.




However, such an approach is no longer sufficient and the prior consent of website users is required. Specifically, Regulation 5(3) provides that a person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user unless such subscriber or user;

(a) has given consent to that use; and

(b) has been provided with clear and comprehensive information, in accordance with the Data Protection Acts 1988 and 2003 (“DPA”), which is:

(i) prominently displayed and easily accessible; and

(ii) includes, without limitation, details of the purposes of the processing.



The clear intention of Regulation 5(3) is that information requirements in sub- section (b) must be complied with before consent is obtained.



As such, very clear information will first need to be given to users regarding the various types of cookies deployed on the website and the purpose of such cookies. A positive indication of consent will then be required so as to ensure that consent is freely given, specific and constitutes an informed indication of the data subject’s wishes.



A Web-Bruising User Experience

Not surprisingly, the question causing greatest consternation amongst website operators is how the requirement for such prior informed consent can be satisfied. In particular, website operators are concerned that if consent must be obtained (eg through the use of pop-up menus or similar devices) each time a cookie is downloaded or accessed, this will significantly disrupt the user’s overall browsing experience.



In this context, Regulation 5(4) is worthy of note and provides as follows:


(a) The methods of providing the information and giving consent should be as user-friendly as possible; and


(b) Where technically possible and effective, having regard to the provisions of the DPA, the user’s consent to the storing of information, or gaining of access to information already stored, may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given consent.



What the Irish DPC Says

The Office of the Data Protection Commissioner (“DPC”) published a guidance note the day the Regulations entered into force (the “DPC Guidance”). The DPC Guidance makes clear that the prior consent requirement does not apply in circumstances where the placing of a cookie on the user’s terminal equipment is essential to facilitate a transaction requested by the user and gives the example of items being stored in an online shopping cart prior to purchase. This is subject to the proviso that the cookie is only stored for as long as the session is live and is deleted at the end of the session. Information on the use of cookies in this context should also be made readily available.

Given the potentially disruptive effect of using pop-up menus or similar methods to obtain consent, the possibility that consent might be obtained through the use of appropriate browser settings has given some hope to website operators. In this regard, however, the DPC Guidance makes clear that current browser settings are not sophisticated enough to meet the requirements of Regulation 5(4)(b).



The likely rationale for this view is that the default position for most browser settings is to accept cookies unless the user takes positive steps to block the cookie acceptance function on its browser. This is not consistent with the requirement under the Regulations to obtain a fully informed positive indication of consent.



The DPC further suggests that regard should be had to the Article 29 Working Party Opinion 2/2010 on online behavioural advertising (the “Opinion”) in determining how the consent requirement under the Regulations may be met.


The key points from the Opinion are as follows:

  • Browsers which reject cookies by default and require the user to engage in affirmative action to accept the initial acceptance and the continued transmission of cookies by specific websites may be able to deliver valid and effective consent. The Opinion encourages industry to engage with browser manufacturers to work towards such a solution;
  • Pending the implementation ofappropriate changes in browser settings,website operators will need to adopt other means of obtaining prior consent through the use of opt-in mechanisms.


The Opinion does not, however, specify what such opt-in mechanisms might involve (eg pop-up menus or other technical devices); and

  • Where consent is provided up-front,this should be adequate for subsequent readings of the cookie (ie without the need to obtain consent every time the cookie is used) provided appropriate safeguards are adopted. These include:
    • (i) limiting the scope of the consent in time (eg 12 months);
    • (ii) providing a means of easily revoking consent; and
    • (iii) adopting a clearly visible symbol or tool on the website reminding users that cookies are in use (which should also serve to remind them that they can revoke consent at any time).


Browser Manufacturers

Until such time as browser manufacturers adjust their technologies so that rejection of cookies is the norm, website operators will be required to find some other means of satisfying the information and prior consent requirements under the Regulations. Guidance published by the UK Information Commissioner (“ICO”) on the UK equivalent of the Regulations provides a number of practical suggestions as to how such requirements may be satisfied.


These include:

(a) the use of pop-up menus asking users for consent, although the ICO acknowledges that this may spoil the experience of using the website, particularly if several cookies are used;

(b) through the use of website terms and conditions, although the ICO states that users would have to be made very clearly aware of the changes and their rights in respect of cookies. They would then have to give a positive indication of consent (eg by ticking a box) to the acceptance of cookies; and

(c) settings-led consent – where website users make particular choices about how they want the website to work for them (eg accessing a site in a particular language, etc). A positive consent to the acceptance of cookies can be incorporated as part of this process; and

(d) feature-led consent – where a website chooses to use a particular feature of the site (eg watching a video clip, etc), consent to cookies can be obtained when the user asks the website to switch on the relevant function



It is not clear whether the Irish DPC would regard the above measures as being adequate to satisfy the requirements of Regulation 5(3). It is worth noting, however, that the draft regulations published in April 2011 expressly provided that it would not be sufficient to provide the required information to the subscriber or user within a statement of terms and conditions or a privacy policy. This provision has not found its way into the final version of the Regulations which may leave open the opportunity for website operators to obtain consent by way of website terms and conditions as per the ICO suggestion above.




Although neither the Regulations nor the DPC Guidance say so specifically, it is hoped that some degree of tolerance will be afforded to website operators during the time which it will take to incorporate appropriate technologies into their websites for the purposes of obtaining prior consent. Failure to comply with the provisions of Regulation 5(3) is not expressed to be a criminal offence.



Notwithstanding this, as the DPC will have the usual range of civil remedies at his disposal for non-compliance (eg powers to investigate, issue enforcement and information notices, risk of naming and shaming in the DPC annual report, etc) website operators should be mindful not to sit on their hands and should start working on appropriate cookie opt-in mechanisms as a matter of priority.



Annette Hogan, a Partner in the Technology & Innovation Practice at Dublin law firm McCann FitzGerald highlights the importance for Website Operators: "The regulations impose more stringent requirements regarding the use of cookies and thus compliance with their terms will present significant practical challenges to website operators.

In fact, website operators should be mindful not to delay and should start working on the appropriate cookie opt-in mechanisms as a matter of priority."



The Regulations have also tightened up the laws on direct marketing with prior consent now being required for marketing calls to mobile phones. Further, the Regulations have placed mandatory notification of security breaches by telecommunications companies and internet service providers on a statutory footing attracting criminal liability for non-compliance. Such changes will be the subject of a separate McCann FitzGerald briefing.









Corporate Information


Speerhead IrelandVisit McCann Fitzgerald









People reading this article also read....


More Web News, Events and Jobs on






Get Instant Irish Tech News Updates....

Join at Facebook Join at LinkedIn Follow IrishDevdotcom on Twitter



Got a Story – Share it with the Irish Software Community – Email us at

Back to News »
digg it  | kickit | Email it | | reddit | liveIt | RSS
Low Cost, No Frills Coworking and Hotdesks
Unix Tutorials