Cookies, Mandatory Breach Notifications and Direct Marketing

New Regulations

Important changes to privacy and data protection law in Ireland were introduced by revised E-Privacy Regulations which came into force on 1 July 2011 (the “Regulations”). The Regulations generally apply to any entity using electronic communications networks to communicate with customers online which includes using a website or by means of email. Certain provisions specifically apply to electronic communications providers such as telecommunications companies and internet service providers (“ISPs”).

The Regulations replace and consolidate the previous regulations in this area. However, they do not replace the obligations that apply to data controllers and data processors under the Data Protection Acts 1988 and 2003. These obligations will continue to apply alongside the updated Regulations.

‘I Do’ – Consent to Cookies

Cookies are small text files on web browsers that store user information. They can be used to remember products in users’ shopping carts, to store passwords, etc.  The Regulations amended the law to provide that website users must be given the opportunity to “opt-in” to the use of cookies or any technology used to store information or gain access to information stored on users' devices (previously users had to “opt-out”). The Office of the Data Protection Commissioner (the “Commissioner”) has stated that seeking to obtain consent by relying on the terms of the website's privacy statement will no longer suffice. The law is not prescriptive in terms of what methods are to be employed to ensure compliance, which means that website operators are allowed a degree of flexibility to create solutions to ensure compliance. Although the Commissioner has issued a guidance note to assist with compliance with the Regulations, it does not detail any preferred method of compliance with this “opt-in” requirement. One suggestion set out in the guidance note is to capture users’ consent using the browser settings, but this would require the co-operation of browser manufacturers to change the default settings. The Commissioner is open to consultation with organisations as to alternative technical methods that could be employed in this regard but in the meantime, website operators will need to determine what type of mechanism to use on their websites in order to ensure compliance with the law.

The only exception to the requirement for “opt-in” consent is where the information is strictly necessary to provide a service specifically requested by the user, for example, storage of items in an online shopping cart. Website owners should consider conducting an audit of the cookies used on their websites to analyse what types of cookies are strictly necessary to avail of this exemption.

Mandatory Breach Notification Requirements & Security Obligations

Prior to the Regulations coming into force, a Data Security Breach Code of Practice (the “Code”) was introduced by the Commissioner in July 2010. While the Code did not have the force of law, it nevertheless reflected the best practice in the area.

In addition to the general obligation under the Data Protection Acts to keep personal data secure, undertakings providing electronic communications networks or services (eg telecommunications companies and ISPs) are obliged under the Regulations to ensure that appropriate technical and organisational security measures are in place to keep data secure and to inform subscribers, without delay, of any particular risk to security of the network. Where the risk lies outside the scope of the measures to be taken by the service provider, subscribers must also be advised of any remedies available to them and the likely costs involved in the application of such remedies.

The Regulations also require every security breach (ie where there has been an unauthorised disclosure, loss, destruction or alteration of personal data) to be notified to the Commissioner without undue delay even if the breach is unlikely to have any adverse effect on the privacy of a subscriber.

Subscribers must also be notified of the security breach where the breach is likely to adversely affect the personal data or privacy of that subscriber.  While the Commissioner must be notified of every breach, notification to the subscriber is not necessary where the Commissioner is satisfied that the information, which is the subject of the breach, is unintelligible in the hands of a third party – in other words, if the information constituting the personal data is adequately encrypted.

Service providers must also maintain an inventory of personal data breaches which can be reviewed by the Commissioner detailing the facts surrounding the breach, the effects of the breach and any remedial actions taken by the service provider.

Failure to comply with the breach notification requirements may result in a criminal prosecution with fines between €5,000 and €250,000 per offence.  It is important therefore that telecommunications companies and ISPs review current policies and procedures regarding security breaches to ensure that if a breach should occur, processes are in place to record the details of the breach and to ensure timely notification to the Commissioner and, where relevant, to the individuals affected.

Direct Marketing

The existing law in relation to direct marketing and in relation to postal marketing (under the Data Protection Acts) remains unchanged, but the Regulations introduce certain new provisions relating to marketing carried out by means of an electronic communications service – for example, by phone, fax, email or SMS.

Mobile Phone

One of the new requirements is that advance consent must be obtained prior to contacting a person (either in their individual or business capacity) by mobile phone for marketing purposes unless that person has recorded their preference to receive direct marketing calls on the National Directory Database (the “NDD”). The Regulations also clarify that if an entity is sending an informational message (such as information relating to a change in the service) by SMS, marketing material cannot be included unless the recipient of the message has given their prior consent to receiving the marketing material.

Email

Helpfully, the Regulations clarify the difference between marketing to a “natural person” and marketing to an individual in a business context. Advance “opt-in” consent is not required for the use of an individual’s business email address for direct marketing where the email address reasonably appears to the sender to be an email address used mainly by the subscriber/user in their official or business context, and where the marketing email relates solely to those business activities.

The Regulations also confirm that “opt-in” consent is not required for email marketing where the organisation obtained the customer’s contact details in the context of a sale of a product or service which occurred not more than 12 months prior to sending the marketing emails, or where the customer’s contact details were used for marketing emails within that 12 month period (otherwise known as “soft opt-in”).

Users should be given an opportunity each time they receive a marketing communication to opt-out of the receipt of further marketing communications by that means, in a cost-free and easy manner.

Breach of the rules relating to direct marketing is a criminal offence that can attract fines ranging from €5,000 up to €250,000 for each offence, (ie each SMS message could be deemed to be a separate offence).