Data Commissioner tells 80 Irish websites to explain approach to EU cookies law

Some 80 websites in Ireland – including major Government departments, like the Department of Health and the Department of Finance – have been written to by the Data Protection Commissioner to explain their approach to stringent EU regulations on the use of cookies.

Cookies are tiny pieces of software code that internet sites place on users’ computers to personalise the experience and target them with online advertising.

However, in order to respect users’ privacy, the EU introduced new cookie obligations on 1 July 2011. These included Directive 2009/136/EC and Directive 2006/24/EC.

Since that date, all websites must provide information and capture consent for dropping or accessing cookies or other information on a user’s computer equipment when a user visits their sites.

In an information gathering exercise the Data Protection Commission has written to 80 major websites in Ireland to evaluate their response to the new regulations.

These include Government departments, such as the Department of Agriculture, the Department of Arts and Heritage, the Department of Health, the Department of Finance, and the Department of Education. Laois County Council also failed to comply.

Media sites that were included in the list include BreakingNews.ie, Evening Herald, The Irish Examiner, The Irish Times, Journal.ie, 2FM, iRadio, Today FM, TV3 and Newstalk.

Popular internet properties included in the letter included Adverts.ie, Boards.ie, Daft.ie, DoneDeal.ie, Eflow, Entertainment.ie, Irish Jobs, Menupages, Monster.ie, Paddy Power, Ryanair, Ticketmaster and Pigsback.

Financial institutions included AIB, An Post, Bank of Ireland and Permanent TSB.

In a letter to the website owners, the Data Protection Commissioner asked the websites to demonstrate the action taken by their organisation to comply with the EU directives and if they can’t to explain why.

The letter also probed the use of analytics by website owners in Ireland. “It will assist the Data Protection Commissioner if you could also explain what you are doing to ensure users are aware of any third-party activity, such as analytics or advertising, taking place on your website, and what information you are providing to users about how to control that third-party activity via their browsers.”

Levels of compliance low compared to UK

In a statement this morning, Deputy Commissioner Gary Davis indicated: “This law does not break the internet as was suggested in some parts, it simply educates users to make informed choices. This is a legal requirement now for 18 months and we are disappointed with the response of websites. 

“Levels of compliance would appear to be very low compared to the UK, for instance, and we cannot allow that situation to continue.  As a first step, websites need to provide prominent and clear information to users as to what data they are collecting or allowing to be collected via cookies on their sites. 

“At a minimum this will begin to educate users as to the scale and type of data collection taking place and then better position users to take informed choices as to what cookies they wish to allow or block.”

The websites targeted have 21 days to outline their approach. 

Davis added: “We will be obliged to take enforcement action where websites fail to engage with us and meet their legal obligations.  However, we expect that this will not be necessary as compliance is straightforward for most websites.”

Full list of companies written to by Ireland’s Data Protection Commissioner regarding the EU cookies directive: