Privacy & Cybersecurity Law Blog

On December 19, 2012, the Irish Data Protection Commissioner (“DPC”) wrote to 80 website operators requesting details regarding how they are complying with recent changes to Irish law governing the use of cookies and other similar technologies (SI 336/ 2011, the “Regulations”). The letter expects website operators, which include government departments as well as companies, to comply fully with the Regulations, which took effect 18 months ago and require user consent before deploying or accessing cookies or other information stored on users’ computer equipment. If the relevant organizations have not yet achieved compliance, they are expected to provide an explanation to the DPC explaining “why it has not been possible to comply by now, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.”

In its press release, the DPC commented on the poor levels of compliance with the Regulations to date. Deputy Data Protection Commissioner Gary Davis stated, “[t]his is a legal requirement now for 18 months and we are disappointed with the response of websites. Levels of compliance would appear to be very low compared to the UK for instance and we cannot allow that situation to continue.” The DPC has given the 80 organizations 21 days to respond and has warned that “we will be obliged to take enforcement action where websites fail to engage with us and meet their legal obligations,” though it does not expect enforcement action to be required as “compliance is straightforward for most websites.”