We should be paying more attention to website cookies

Lack of compliance laws on website Cookies are coming under fire from Europe’s data protection authorities, only five years after an amended EU directive governing their use came into force.

It is a delicate area which will pose challenges for companies and organisations, its also not well understood by those who impatiently dismiss pop-ups or fail to read website policies to see what information those sites may be accessing and collecting.

The low level of complaints to the Data Protection Commissioner here regarding the misuse of website cookies proves that it isn’t something which seems to worry Irish internet-users.

A representative from Europe’s Data Protection Authority has said “a key condition for individuals to be able to consent to the collection and processing of their personal data and exercise effective choice”

Solicitor and data protection expert Paul Lambert from Merrion Legal in Dublin says “it is important for organisations delivering a service to be able to track and try and build up databases, patterns and profiles in relation to individuals”.

“From an individual’s perspective, it’s increasingly important that a person’s activities and what they do electronically is their personal activity and their personal life and they do have legal rights in relation to that – one is privacy and one is data protection. Things like the backdrop to the Snowden revelations and all of the fallout from that really emphasise how important it is for users and individuals to apprise themselves [of the issues], but also for organisations to make sure they are legally compliant in terms of their data protection obligations.” he added.

Brian Honan an Information security consultant with BT Consulting has said a lot of people are not aware of how much information website cookies can capture and how they can be used to trace their activity on a website, or even across the internet in a browsing session.

“This information can be a gross infringement of their privacy and under EU law Irish website owners are obliged to notify visitors to their sites as to how they use cookies on their sites.”

According to Brian, his company has observed a number of Irish companies “a lack of awareness of these regulations and quite a few sites have no cookie notices at all. We need better awareness for consumers as to how to protect their privacy online and part of that education should be on cookies.”

Brian also added that most modern browsers can be configured to automatically delete cookies when the browser is closed which can remove a lot of unwanted tracking cookies.

He suggests third-party plug-ins such as ‘DoNotTrackMe’ and the ‘Collusion Extension’ for the Chrome browser are useful in protecting people from cookies and they can also highlight how they are being tracked online.

CNIL, France’s data protection body, will carry out a “cookie sweep” later on this month, examining the privacy issues around cookies. It plans to share the results with other data protection authorities in Europe.

In October, the authority will start auditing websites, checking to see what types of cookies and trackers are set – this will include flash cookies, HTTP cookies and fingerprinting.

Crucially, it will also examine the purposes for which cookies are used, whether site operators are aware of all the cookies being set, and whether there are cookies that require the consent of those using the site.