Webmentor's How To Guides

Webmentor's How To Guides are written in plain English so that ordinary business folk can understand important stuff about their websites.

How to Construct a Website Privacy Statement

In Ireland in 2012 you must provide a Privacy Statement on your website. The contents of the Privacy Statement are based on 2 sets of regulations:

What are the laws about?

The Data Protection Acts 1988 and 2003

This law is about gaining consent for the collection and use of an individual's Personal Data. Your website's Privacy Statement must satisfy the principle that you collect and use Personal Data fairly.

ePrivacy Regulations 2011

This law is about gaining consent for the use of any technology that stores information on the end user's equipment. And that is what a Cookie does. Your website's Privacy Statement must clearly document the use and purpose of cookies on your website.

What needs to be in the Privacy Statement?

There is a good FAQ on the Data Protection Commissioner's website. I'll summarise here what the Data Protection Commissioner describes as the minimum requirement for compliance with the laws.

  1. Identity

    You must identify yourself so that an individual can address his/her queries to you in relation to their statutory rights of access, rectification and erasure of personal data. To this end, you should provide your (company) name, email address and a mailing address to comply with the requirement.

  2. Purpose

    Under the law you must explain the purpose of obtaining personal data in order to satisfy the "fairly obtained" requirement. Your Privacy Statement needs to explain clearly to the individual what personal data is collected, how you obtain it, and what it is used for. You must go into detail here; a vague/generic statement is no longer acceptable.

  3. Disclosure

    You must disclose if Personal Data obtained is shared with Third Parties. This is generally for the purpose of indirect marketing. Data shared with agents working for you (such as your webhost) is excluded from this provision, as are disclosures which are required by law.

  4. Right of Access

    An individual has the legal right to find out if you have obtained their Personal Data. They may also request a copy of the data. You are obliged to comply with a request within 40 days. If a copy of the data is requested, you can charge no more than €6.35 for doing so. You should describe how the request should be made (e.g. email or letter) and whether you require any substantiating documentation.

  5. Right of Rectification or Erasure

    An individual has the right to have any errors rectified. They also have the right to have their personal data erased if you have no legitimate reason to be in possession of it. You must comply, for free, with any such request. You have 40 days to do so. Again, you should describe how an individual should go about making the request (e.g. in writing/email) and whether you require any substantiating documentation.

  6. Extent of data being processed

    You must disclose the full extent and purpose of data collection on your website: personal data, data that is covertly collected (e.g. IP address) and data that is stored on an end user's equipment for whatever reason (cookies, web beacons etc.).

  7. Cookies

    The law states that you must gain consent for using cookies. That is because cookies involve placing information on an end-user's equipment. The gaining of consent is directed to be "user friendly", and where possible deduced from "the current browser settings". The real concern of the legislators is with tracking cookies used by advertisers and social networks (the ones we as website owners don't control!). Cookies that are "strictly necessary" to comply with a user's request for a service are exempt from the regulations, e.g. shopping carts. None of this is very clear; read more below.

The Data Protection Commissioner's website has more information

Be sure to read the article on the Data Protection Commissioner's website to get comprehensive information about website Privacy Statements.

What to say about the Cookies?

The truth is, right now, I'm not sure. I looked at the Data Protection Commissioner's own privacy statement for guidance. Here's what I found:

  • dataprotection.ie uses cookies
  • dataprotection.ie does not use any prominent/intrusive notices to gain consent for the use of cookies
  • Cookie use is detailed in their Privacy Statement, under the heading "Collection and use of technical information", where they name the cookies and describe their purpose. The wording is:

    This website uses what is called a session cookie. This cookie (USERLANG) is used while you are on our website to record the language version of the site you are looking at. There are only 2 settings for this cookie, USERLANG = EN or USERLANG = GA. This is done solely to ensure that you are presented with the correct language version of any page you request.

    This cookie is only stored in your browser memory while you are visiting our website. It automatically deletes itself after 20 minutes of inactivity on our site or immediately on closing your browser and there is no record of the cookie stored on your computer.

  • dataprotection.ie has ceased using Google Analytics since March 2011 (a popular free tracking service for collecting non personal visitor data which involves the use of cookies)

Img 1. Google Analytics not used on the Data Protection Commissioner's site since March 2011

Discussion

Have you ever read that the web is "a stateless protocol"? It's an important statement. HTTP carries nothing over from one request to the next, so without using technologies like cookies we have no way of "remembering" things from one webpage to another.

The vast majority of cookies used on websites are for "remembering" things like whether the visitor is logged in to a membership area. If so, we can show them a members-only webpage. The cookies used for this type of functionality are called "session cookies": they are only used for the duration of the "session" (visit) and are destroyed when the visit to our website is over.

But sometimes we need to set cookies that "persist", like when you visit a site and choose your geographic location as Ireland. Next time you visit, you are auto-magically sent to the Irish site. That "remembering" is achieved by a persistent cookie that is not destroyed when the visit is over. It may be programmed to persist for weeks, or even months.

The legislators are specifically concerned about persistent cookies that track user behaviour. You may not even be aware that they're being used on your website when you employ third party advertising, analysis, social media functionality or visitor location targeting. It's not deliberate on your part: the company (Google, Yahoo, Bing, Facebook, Twitter, LinkedIn, YouTube etc.) gives you some code to copy/paste into your website, and bingo, you've got the functionality you wanted. The legislators are well aware of the problem, and they know who they're really after. But in the meantime, the responsibility for these cookies is all yours...

Summary

There is insufficient guidance from the Irish regulations and our own Data Protection Commissioner on the matter of cookies.

The stand-out phrases in the current legislation are "consent for use of cookies", "user friendly" and "current browser settings". So here's what I'm going to do about the cookies:

  1. Audit all the cookies in use on my site (using this Cookie Audit tool)
  2. List them out and describe the function of each
  3. Put it all into the Privacy Statement under a heading called "Cookies"
  4. Explain to visitors that their current browser settings imply consent for the use of cookies on my site
  5. Just to be sure (since I use third party cut/paste code for analytics, YouTube etc.), put a notice on every page about the implied consent for the use of cookies, with a link to the cookie section in the Privacy Statement
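As an added example (not part of the original guide or of any audit tool), steps 1 and 2 above as a small Python script: it takes Set-Cookie headers captured from the site's responses, tells session cookies from persistent ones by the absence or presence of Expires/Max-Age (the distinction drawn in the Discussion), marks cookies set by hosts outside the site's own domain as third party, and prints the rows for the Cookies section. The site domain, audit date and sample headers are constructed; USERLANG is the only cookie name taken from the page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_DOMAIN = "example.ie"  # assumed: the domain of the site being audited
AUDIT_DATE = datetime(2012, 6, 1, tzinfo=timezone.utc)  # constructed audit date

# Constructed sample: (host that sent the response, Set-Cookie header value).
# Illustrative values only; USERLANG mirrors the session cookie quoted above.
SAMPLE_RESPONSES = [
    ("www.example.ie", "USERLANG=EN; Path=/; HttpOnly"),
    ("www.example.ie", "cart=9f2c; Path=/; Secure; HttpOnly"),
    ("www.example.ie", "country=IE; Max-Age=7776000; Path=/"),
    ("www.example.ie", "_ga=GA1.2.1; Expires=Sun, 01 Jun 2014 00:00:00 GMT; Domain=.example.ie; Path=/"),
    ("ads.example.net", "ad_id=7a1; Expires=Sat, 01 Jun 2013 00:00:00 GMT; Path=/"),
]

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, {attr_lower: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.split("=", 1)[0], attrs

def audit(responses, site_domain=SITE_DOMAIN, now=None):
    """Return one dict per cookie: who set it, session or persistent, lifetime in days."""
    now = now or datetime.now(timezone.utc)
    reports = []
    for host, header in responses:
        name, attrs = parse_set_cookie(header)
        if "max-age" in attrs:                    # Max-Age wins over Expires (RFC 6265)
            secs = int(attrs["max-age"])
        elif "expires" in attrs:
            exp = parsedate_to_datetime(attrs["expires"])
            exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
            secs = (exp - now).total_seconds()
        else:
            secs = None                           # lives only in browser memory
        first_party = host == site_domain or host.endswith("." + site_domain)
        reports.append({
            "name": name, "host": host,
            "party": "first" if first_party else "third",
            "lifetime": "session" if secs is None else "persistent",
            "days": 0 if secs is None else max(0, int(secs // 86400)),
            "secure": "secure" in attrs, "httponly": "httponly" in attrs,
        })
    return reports

def render_table(reports):
    """One plain-text row per cookie for the Privacy Statement's Cookies section."""
    return "\n".join("{name:<10} {party:<6} {lifetime:<10} {days:>4}d  {host}".format(**r)
                     for r in reports)
```

Run `print(render_table(audit(SAMPLE_RESPONSES, now=AUDIT_DATE)))` to see the table; a real audit would feed in the headers recorded by your browser's developer tools or a proxy.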

I hope I'm on the right track here, but all I've got is my own interpretation of the spirit of the law, which is to inform visitors about what personal data we collect and process, and the technologies we make use of, like cookies, that they don't know about (and mostly we don't either).

Get to know and love your cookies

If you use a Content Management System (CMS) like Drupal, WordPress, Joomla, etc. there are going to be dozens of cookies in use that you didn't even know about. They're all there to help your website to function properly.
