Data Protection Commissioner

The Data Compliance Manager

XXXX

XXXX

December, 2012.

Re: The Privacy and Electronic Communications Regulations 2011


Dear Data Compliance Manager


On 1 July, 2011 Statutory Instrument No. 336 of 2011 (SI 336 of 2011) came into law in This instrument introduced a number of amendments to previous regulations which had been in force since 2003. It gives effect to new provisions which were introduced across the EU by Directive 2009/136/EC and Directive 2006/24/EC. This Office published a guidance note in July 2011 to explain the changes which the instrument introduced. I enclose a copy for ease of reference. I want to draw attention in particular to Section 6 of the guidance note – "Storing and Accessing information on terminal equipment" – e.g. "Cookies".

The purpose of this letter is to gather information to assist the Data Protection Commissioner in understanding how organisations are working towards, or have achieved, compliance with the revised rules for cookies. These rules are set down in Regulations 5(3) and 5(4) of SI 336 of 2011. We are writing to you as your website is one of the most popular used by the general public.

Our expectation is that you will be able to demonstrate the action your organisation has taken to comply with the revised rules for cookies, given the passage of almost eighteen months since the instrument took effect.

If your organisation has not yet achieved compliance, please provide an explanation setting out why it has not been possible to comply by now, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.

It will assist the Data Protection Commissioner if you could also explain what you are doing to ensure users are aware of any third party activity, such as analytics or advertising, taking place on your website, and what information you are providing to users about how to control that third party activity via their browser.

The Data Protection Commissioner's aim is to ensure that organisations comply with the law. In cases where organisations refuse or fail to comply voluntarily, the Data Protection Commissioner has enforcement powers available to him.

Please inform the Data Protection Commissioner of your progress towards compliance with Regulations 5(3) and 5(4) of SI 336 of 2011 within twenty-one days of receipt of this letter by responding in writing or by email to the undersigned.

Yours sincerely,