The Office of the Data Protection Commissioner (DPC) sent a letter to approximately 80 websites before Christmas, asking them to provide information within 21 days on the steps that they have taken to meet their obligations in relation to "cookies" under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (the Regulations).
The DPC’s website states that the websites in question were chosen at random on the basis that they are among the most popular websites used by the general public. As such, receipt of a letter does not indicate non-compliance by a website. The letter merely asks the websites to explain what they have done to comply with the revised rules for cookies, and, if they have not complied, to set out details of the steps being taken to achieve compliance.
Subject to certain exceptions (described below), the Regulations require clear information to be given to users regarding the various types of cookies deployed on a website and the purposes of such cookies. Significantly, they also oblige websites to obtain consent from the user to the use of certain types of cookies. These requirements entered into force on 1 July 2011.
The Regulations do not apply to cookies which are used for the sole purpose of carrying out the transmission of a communication over a network, for example load balancing cookies. Cookies which are strictly necessary in order to provide a service which has been explicitly requested by the user are also exempt from the information and consent requirements. As both these exemptions are narrowly drawn, it is necessary to consider the various cookies used on a site in some detail in order to determine if they fall within the exemptions.
Deputy Commissioner Gary Davis noted that the DPC has been disappointed with the level of compliance by Irish websites with the Regulations, which appears low compared to the UK. The Deputy Commissioner further stated that the DPC will be obliged to take enforcement action where websites fail to engage with it and meet their legal obligations.