Data Protection Commissioner
6. Storing and Accessing information on terminal equipment e.g. "Cookies"
Various provisions concerning electronic communications, including the storing and accessing of information on terminal equipment (e.g. cookies), are set out in Statutory Instrument No. 336 of 2011, which implemented the ePrivacy Directive into Irish law on the 1st of July 2011. To meet the legal requirements, the minimum requirement is clear communication to the user as to what he/she is being asked to consent to in terms of cookie usage, together with a means of giving or refusing consent. The Regulations do not prescribe how consent to drop cookies is to be obtained but envisage that, where it is technically possible and effective, such consent could be given by the use of appropriate browser settings, as long as reliance is not placed on the default browser settings.
 
It is particularly important that the requirements are met where so-called 'third party' or 'tracking' cookies are being deployed, such as when advertising networks collect information about websites visited by users in order to better target advertising. For cookie usage, this Office would be satisfied with a prominent notice on the homepage informing users about the website's use of cookies, with a link through to a Cookie Statement containing information sufficient to allow users to make informed choices and an option to manage and disable the cookies. Practically, for Irish website operators, we suggest the following for minimum compliance with these requirements:
 
 Consent
  • The consent of the user must be captured.
  • Consent may be obtained explicitly through the use of an opt-in check box which the user can tick if they agree to accept cookies. 
 
  • Consent may also be obtained by implication


 

Not all cookies require consent to be used. Cookies essential to delivering the service requested by the user do not require it: session cookies, authentication cookies (for the duration of the session) and user security cookies. For example, advance consent will not be required for storage of items in a shopping cart on an online website. This will generally be the case where the cookie is stored only for as long as the "session" is live and will be deleted at the end of the session.
 
 
 
Extensive guidance on the 'Cookie Consent Exemption' has been published by the Article 29 Data Protection Working Party and is available here.

Notification

As best practice, a positive action may be deployed to dismiss the notification.
[Note: many websites have addressed this issue by providing a 'hide' button which dismisses the notification.]

  • Consent should be sought as part of a "prominent notification" displayed on entry to a web site (this might be the home page of the site but may also be via a 'deep link' to an inner page, which a user has found from a search result, for example).
  • The notification should contain a link to a Cookie Statement which will outline in greater detail how the site makes use of cookies.

 

Cookies Statement

As best practice, the following information could also be provided in the Cookie Statement:
  • The Cookie Statement should contain clear and comprehensive information on how cookies are used, including information on the types of cookies used and details on how to remove them
  • Clear and comprehensive information
  • Itemised cookie types, including their purpose, e.g. preferences such as language or font, browsing & search history, tracking, session security and any third party cookies
  • Instructions on how to disable the cookies.

 

Third Party Cookies

Where third party cookies are being used, it is not sufficient to simply refer the user to third party websites. In such situations or where there are many cookies being created or read by the site (or its partners) we recommend the inclusion in the Cookies Statement of a tabulated explanation of all cookies with the following details:

  • Type
  • Name
  • A description of their purpose
  • Their expiry dates
  • Links to advertising networks' opt-out mechanisms for third party cookies

 

In terms of who is the data controller when third party cookies are deployed, the website operator is regarded as a joint data controller alongside the advertising network because, even though the cookies are created by the third party site, the website operator has chosen to host these third party cookies on its website.
Guidance on Online Behavioural Advertising (and the use of cookies) has been published by the Article 29 Data Protection Working Party and is available here.
 
 
Note: A mock web page based on this guidance can be viewed via this link (PDF - 400Kb)