The Office of the Data Protection Commissioner (DPC) sent a letter to approximately 80 websites before Christmas, asking them to provide information within 21 days on the steps that they have taken to meet the obligations in relation to "cookies" imposed by the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (the Regulations).

The DPC’s website states that the websites in question were chosen at random on the basis that they are among the most popular websites used by the general public. As such, receipt of a letter does not indicate non-compliance by a website. The letter merely asks the websites to explain what they have done to comply with the revised rules for cookies, and, if they have not complied, to set out details of the steps being taken to achieve compliance.

Subject to certain exceptions (described below), the Regulations require clear information to be given to users regarding the various types of cookies deployed on a website and the purposes of such cookies. Significantly, they also oblige websites to obtain consent from the user to the use of certain types of cookies. These requirements entered into force on 1 July 2011.

The Regulations do not apply to cookies which are used for the sole purpose of carrying out the transmission of a communication over a network, for example load balancing cookies. Cookies which are strictly necessary in order to provide a service which has been explicitly requested by the user are also exempt from the information and consent requirements. As both these exemptions are narrowly drawn, it is necessary to consider the various cookies used on a site in some detail in order to determine if they fall within the exemptions.

As a first step to implementing a cookies policy, a cookies audit should be undertaken to ascertain what cookies are used on a website and what their purpose is. Each cookie can then be considered in turn and the cookies policy drafted accordingly. When this has been completed it is necessary to consider how consent to the use of cookies, if any is needed, will be obtained.

In practice, websites seek to achieve compliance with the consent requirement in a number of ways. For example, some websites include a “pop up” or “banner” on the website which informs users that the website uses cookies and provides a link to the cookie policy for more information. Some websites then require the user to click on an “Agree” button on a pop up to indicate their consent, or inform the user on the pop up or banner that further usage of the website indicates consent to the use of cookies. There are also some software tools available which allow a user to turn the different types of cookies on or off individually; for example, the user might have the option of turning off all advertising cookies. In general, the method chosen to achieve compliance with the Regulations will depend on the type of cookies being used on the website.

Deputy Commissioner Gary Davis noted that the DPC has been disappointed with the level of compliance by Irish websites with the Regulations, which appears low compared to the UK. The Deputy Commissioner further stated that the DPC will be obliged to take enforcement action where websites fail to engage with it and meet their legal obligations.