Cookies Directive

What you need to know about the EU Cookies Directive

Any website storing information on a users computing equipment (computer, phone or other) using a "cookie" must provide warn the user and collect their consent except in limited circumstances where the cookie is strictly necessary for the provision of the service in question AND is deleted at the end of the session.

In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must incorporate a means of obtaining user consent before allowing the user to proceed.  

Note: The directive was adopted in May 2011....!

What to do

Unless you are a techie you may not be aware if you comply or not. You will need to have a quick technical audit carried out to establish what cookies are being set for your site visitors. Where cookies set by your website do not expire at the end of session, (one example would be if you are you are using Google Analytics on your website) you will need to do one of two things to ensure compliance:-

(1) add some additional code to your website to remove any cookies set by your third party or your own applications when users leave or session over   (timeout=0) 
(2) add code (on page load) to inform the user when they arrive at your website for the first time that you use persistent cookies and get their consent before allowing them to proceed.

Wait and see

You could of course do nothing and adopt a "wait-and-see" approach. Like a lot of "minor" corporate compliance legislation, enforcement (of this cookie directive) will not I think be a priority for Government. Take for example the requirement for all websites, outgoing emails etc. to have full disclosure of corporate registration number, details of directors, registered address etc. listed; very few websites and outgoing email are in compliance (in Ireland).  Either owners and company directors are unaware in huge numbers or the apathy level is very high due to lack of any enforcement or will to do so. I think it is same to say that nothing will happen until the outcome of the first test case is known.


If you are about to get a website or mobile application (web app.) designed,  developed or refreshed make sure that provision for compliance is addressed such that you can enable it easily at a later date, or have it as design requirement from the start.

....... the appropriate section of the directive for reference

6. Storing and Accessing information on terminal equipment e.g. “Cookies”

Information – not just personal data -  may not be stored on or retrieved from a person’s terminal equipment (computer, smartphone, mobile phone or other equipment used by an individual to access electronic communications networks) unless the individual: (a) has been given clear and comprehensive information about why this is being done and (b) has given  her/his consent.  This Regulation covers the use of “cookies”(2)  by websites but can also cover other situations where information is placed on, or retrieved from, terminal equipment.  An example of this may be via an “app.”

Information that is necessary to facilitate the transmission of a communication, or information that is strictly necessary to provide an information society service explicitly requested by the user, is not subject to this requirement.  If a cookie is strictly necessary to facilitate a transaction requested by the user - for example, storage of items in a shopping cart on an online website - advance consent will not be required.  This will be the case where the cookie is stored only for as long as the “session” is live and will be deleted at the end of the session.  Information on such use should be readily available to the user of a website.

In all other cases, the requirement for clear and comprehensive information that is prominently displayed and easily accessible will apply, as well as the requirement for user consent.

The Regulations do not prescribe how the information is to be provided or consent is to be obtained, other than this should be as user friendly as possible.  They envisage that, where it is technically possible and effective, such consent could be given by the use of appropriate browser settings.  In order to meet the legal requirements, such settings would require, as a minimum, clear communication to the user as to what s/he was being asked to consent to and a means of giving or refusing consent to any information being stored or retrieved. It is particularly important that the requirements are met where so called “third party” or “tracking” cookies are involved – such as when advertising networks collect information about websites visited by users in order to better target advertising (“behavioural advertising”).   The Article 29 Working Party  in its Opinion 2/2010  has provided advice on how the requirements might be met.

The obligation to meet the requirements for providing comprehensive information to users and obtaining their consent for the placement of cookies rests with the service providers who place cookies on users' equipment.  The settings currently available on the main browsers do not appear to be sufficient in themselves to meet the obligation.

No comments: