Over a month late, the Irish Government has brought into law the EU Cookie Directive, which requires websites to obtain express permission from each user when setting a cookie on their computer.
Late on Friday the country’s Data Protection Commission, having itself received advice from the Attorney General, issued guidance about the legislation. The Commission says that website owners and app developers must “identify a means of obtaining user consent” for any cookie that does not expire after the user leaves the website. The Commission said:
“Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone etc) must provide appropriate information to the user and collect their consent except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must identify a means of obtaining user consent.”
One of the biggest victims of this law will be Google Analytics, or at least all websites that use the application. Because Google’s ubiquitous tracking system sets cookies on users’ machines that don’t expire for two years, the law in Ireland makes any use of Google Analytics without first getting users’ permission illegal.
The enforceability of the law is questionable; most website owners will not know what type of cookies their sites or apps are setting on users’ machines or how to obtain user permission.
Discussing the concern and confusion many website owners are feeling, Leo Moore, a partner with William Fry Solicitors (@WFIDEA) who specialises in intellectual property, information technology, data protection, and commercial law, wrote on Friday:
“Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.”
According to the Google Analytics forum, there are ways of editing the tracking code to make it comply with various cookie laws around the world. It says one possible way of making Google Analytics compatible with such laws is by adding these lines of code above "_gaq.push(['_trackPageview']);" in each page’s Google Analytics code.
According to the forum, this should delete the tracking cookie when the session is closed by the user. However, we’re not lawyers, and this law has not yet been tested in the Irish courts, so get professional advice on whether this does comply with the law.
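To find out which of a site's cookies are "not deleted when the user leaves", and to check whether an edit like the one described above really leaves only session cookies, the following added example (not from the original article or the Google Analytics forum) classifies cookie strings by lifetime. The function names are hypothetical, and the cookie values, dates and reference time are constructed sample data.

```javascript
// Added example (not from the article or the forum): classify cookies by lifetime.
// Per RFC 6265, Max-Age takes precedence over Expires, and a cookie with
// neither attribute is a session cookie that ends with the browser session.
function classifyCookie(cookieString, now) {
  const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (key === 'expires') {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = t; // an unparseable date is ignored
    }
  }
  let expiresAt = null;
  if (maxAge !== null) expiresAt = now.getTime() + maxAge * 1000;
  else if (expires !== null) expiresAt = expires;
  if (expiresAt === null) return { name, kind: 'session', seconds: 0 };
  const seconds = Math.round((expiresAt - now.getTime()) / 1000);
  if (seconds <= 0) return { name, kind: 'deleted', seconds: 0 };
  return { name, kind: 'persistent', seconds };
}

// Return only the cookies that outlive the visit.
function auditCookies(cookieStrings, now) {
  return cookieStrings.map((c) => classifyCookie(c, now)).filter((c) => c.kind === 'persistent');
}

// Constructed sample input and reference time (hypothetical values).
const NOW = new Date('2011-07-04T00:00:00Z');
const SAMPLE = [
  '__utma=1.2.3; expires=Wed, 03 Jul 2013 00:00:00 GMT; path=/',
  '__utmc=1; path=/',
  'basket=abc; Max-Age=3600; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
  'old_pref=; Max-Age=0',
  'broken=1; Expires=not-a-date',
];

for (const c of auditCookies(SAMPLE, NOW)) {
  console.log(`${c.name}: persistent for ${c.seconds} s`);
}
```

Feed it the Set-Cookie headers or document.cookie assignments captured from a page load; anything it returns is a cookie that survives after the visitor leaves.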