The Europe wide changes to the rules governing cookies pose a challenge for website operators. However, the rules may not be as onerous as issometimes claimed and compliance may be possible with a few simple amendments to the design of most sites.

Cookies, or small items of code which are downloaded from a website and stored on a user’s computer, are vital for the functioning of the modern web. Certain cookies, known as session cookies, are required to allow a user to log on to popular web services, such as online email or social networking sites. Many other sites use cookies to determine which parts of their website are the most popular with users and to analyse how their site is used. Cookies also play a key role underpinning the online advertisements that help fund much of the free content enjoyed online.

Due to their foundational role, it is no surprise that the recent changes to the rules governing cookies have engendered considerable debate and some concern. But what are these changes, and how do they affect most websites?

The basic rules governing cookies are set out in the E-Privacy Directive, which became part of Irish law through the E-Privacy Regulations. A new Amending Directive, which was supposed to come into force across Europe on 25 May 2011, amends these existing rules. The Irish measures adopting these new rules have not yet been enacted. However, the Department of Communications has issued draft regulations as part of a public consultation process.

Under the existing regime, an EU or Irish based website can lawfully use cookies if it is transparent with the user about their use and gives the user an ability to “opt-out” or reject their use. This transparency is usually achieved via a website privacy policy.

The new regime moves from this “opt-out” system to one based on user consent. In effect, a user must consent to the placing of the cookie on their computer. Unfortunately, there is some uncertainty as to what is required to get a valid user consent to the use of the cookie. This uncertainty lies at the heart of the controversy around this issue.

Certain regulators, notably the EU’s data protection advisory body, the “Article 29 Working Party”, appear to have taken the view that the new regime requires that a user give an “opt-in” consent on a website’s homepage before any cookies can be used. This is well illustrated by the website of the UK data protection regulator, the Information Commissioner, which requires that users explicitly agree to the use of cookies through ticking the relevant box and clicking “continue”.

However, a close reading of the Directive, and the draft Irish Regulations, suggests that this invasive approach may not actually be necessary. While the new regime requires that a user consent to the use of cookies, it does not require that they give express or explicit consent. It is arguable that the use of a website by a user who is aware that the site uses cookies may suffice to prove consent. This interpretation of the consent requirement would allow websites to remain compliant by being more transparent about the use of cookies. For example, it may be necessary to provide a disclosure about the use of cookies as part of a site’s homepage. In this context, it is worth nothing that the draft Irish regulations specifically state that it is not sufficient to solely provide the required information in a statement of terms and conditions or a privacy policy.

We must await the new Irish E-Privacy Regulations before we will precisely know how the new cookie regime will apply to Irish based websites. However, at this early stage, we can tentatively suggest that while increased disclosure will prove necessary, website operators should, in most cases, be able to avoid drastic redesigns of their service.