E-commerce
Categories: E-commerce
The act of creating and publishing a website can involve a host of technical issues which are addressed in this LawOnline guide. Once these have been overcome, the legal requirements affecting the running of a commercial website are no less complex. There are many different Irish and EU laws covering website design, domain name choice, website content, sales from websites, data privacy, customer rights and many other aspects of e-commerce and online activity.
RUNNING A WEBSITE
Overview
The act of creating and publishing a website can involve a host of technical issues. Once these have been overcome, the legal requirements affecting the running of a commercial website are no less complex.
There are many different Irish and EU laws covering website design, domain name choice, website content, sales from websites, and many other aspects of e-commerce and online activity.
Terms and conditions
The terms and conditions upon which a website offers goods or services for sale need to be compliant with consumer protection laws. These cover more than just terms of sale but also affect, for example, how the goods or service are marketed or advertised, the means of access of consumers to the offers made and the rights of consumers before and after a sale is concluded.
Privacy
Another important issue is how a website collates, stores and processes personal information about its customers, or its users. Operators of commercial websites need to understand and be able to apply the principles of data protection law.
Domain names
Those launching a commercial website will need to choose a domain name carefully. In particular, they should ensure that the chosen domain name is available, does not infringe another person’s or entity’s trade mark rights and is not confusing or obviously associated with someone else’s business.
Back to topSITE TERMS AND CONDITIONS
Overview
Your business should set out any applicable standard terms and conditions of supply on your site and make sure these are incorporated in customer contracts. This link should be clearly signposted so that customers can locate them easily. It is also advisable to have an intermediary step in every sale where the customer will confirm that they have read your terms and conditions of supply and your privacy policy. For more information, see the ‘Privacy policy’ section.
If you are running a business which trades over the Internet, it is important that you have terms and conditions which comply with the requirements as set out in the Consumer Information Regulations and the E-commerce Regulations, in addition to any obligations you have under The Sale of Goods and Supply of Services Act 1980. These regulations are summarised below.
For more details, see the ‘ Consumer information Regulations’ and ‘E-commerce Regulations’ sections.
Distance selling
The Consumer Information Regulations provide that you must:
- give customers specified information before they order
- send them an order confirmation
- give them the chance to cancel the contract for up to 14working days after the goods are delivered
The Consumer Information Regulations require you to set out:
- The trader’s name and address as well as the address to which to address complaints
- The main characteristics of the goods or service
- The price of the goods - including all taxes
- Delivery costs, where applicable
- Arrangements for payment
- The trader’s complaints handling policy
- Whether a right to cancel exists and the conditions, time limit and procedures for doing so
- Whether you will bear the costs of returning the goods
- The estimated cost of returning the goods if you have to bear the cost and they cannot be returned by normal post
- Conditions of after-sale customer assistance and services, and commercial guarantees
- The duration of the contract, if applicable, and the conditions for terminating it if it is extended automatically or is of unlimited duration
- The minimum duration of your obligations under the contract, if applicable
- The cost of communication between you and the trader, if it is above a basic rate
E-commerce
The E-commerce Regulations require you to set out:
- steps your customers must follow to conclude an agreement with you to buy something
- confirmation of whether a copy of the contract will be filed and whether the customer can access it
- a description of how the customer can identify and correct errors before continuing an order
- details of any industry codes of practice which you subscribe to
Most of these requirements should be met in your terms and conditions and your website should be designed to support these processes. However, certain specific details relating to individual products, such as delivery dates and prices, must be separately provided by you. You must also specify if you want to offer substitute goods if those ordered are not available. If you do, you must meet the costs if any replacement goods are returned. You must provide this information before the order is placed.
If customers wish to exercise their cancellation rights, you must reimburse them as soon as possible and, in any case, within 30 days.
It is also important to note that the consumer has a period of seven working days in which to cancel the distance contract without giving a reason and the only cost payable by the consumer is the direct cost of returning the goods.
See the ‘E-commerce Regulations’ section for more information.
Back to topE-COMMERCE REGULATIONS
Whenever you sell goods or services, there are various consumer laws with which you must comply. These are described below.
The following legislation applies to all contracts with consumers whether or not they are made online:
The Sale of Goods and Supply Services Act 1980
The Sale of Goods and Supply of Services Act 1980 (as amended) requires a supplier of services acting in the course of a business in the Republic of Ireland to provide the service:
- using reasonable care and skill
- within a reasonable time (unless the price is determined by the contract, left to be determined in a manner agreed by the contract or determined by the course of dealing between the parties)
- at a reasonable cost
These terms will be implied in all agreements with consumers but can be excluded subject to compliance with legislation regarding the use of unfair contract terms.
The Sale of Goods Act
The Sale of Goods Act 1893 (as amended) imposes three requirements on traders which cannot be excluded in contracts with consumers:
- You must make sure the supplied goods are as you describe them; for example, a television must be the exact model that you say it is.
- The goods must also be of satisfactory quality. To be of satisfactory quality, goods must normally:
- do what they are supposed to do
- be safe
- comply with any public statements made about the characteristics of goods (especially in advertising or on labelling)
- be free from defects, including minor ones
- function properly for a reasonable period of time
- have a reasonably satisfactory finish and appearance
You should also ensure that the goods are ‘fit for their purpose’.
If a customer makes it known to you that they intend to use the goods for a particular purpose, it is implied by law that the goods supplied are reasonably fit for that purpose. For example, if you are told by a customer that they wish to use a jacket for hill-walking in rainy weather, the jacket should be waterproof. The first two conditions must normally be met whatever price the goods are sold at.
However, the standard of the remaining conditions depends on factors like the price of the products or whether they are new. For example, if the products are second hand, it may be reasonable for the goods to last only a short time or have some defects, such as signs of wear and tear. If they are brand new, however, this will not be acceptable at all unless the defects have been pointed out to the buyer - who will normally expect a reduction in price to reflect this.
Examples
Here are some examples - but it is important to remember that each case is different:
- A new Range Rover which is drivable but has a variety of minor problems with its engine and bodywork is not of satisfactory quality - especially in view of its luxury price tag.
- A second hand car which has a defective clutch and breaks down shortly afterwards would be of satisfactory quality if the seller had pointed out the defect and the price took account of it.
Remedies available to a consumer
If the consumer goods or services that you sell do not conform to the implied terms contained in the Sale of Goods Act or the Sale of Goods and Supply of Services Act a customer may seek redress by:
Rejecting the contract and seeking a refund.
This must be done within a ‘reasonable time’. What constitutes a reasonable time will vary from case to case and, in the case of the sale of goods, will include whether the customer has had a reasonable opportunity to examine them. A customer cannot reject the contract if the goods have been ‘accepted’, such as if the goods have been held by the customer for over a reasonable period of time.
This does not apply to customers who have been supplied with goods that are faulty or are not as described and they will be entitled to a refund. In such cases a customer does not have to accept a replacement or credit note as an alternative.
Seeking damages
Compensation may be claimed if the implied terms are breached. This could include the cost of obtaining replacement goods or services, damage caused by faulty goods or the cost of repairs. If goods have been accepted then the customer can only claim damages.
Requesting the goods be repaired or replaced
If a customer elects for the goods to be repaired, they will not lose their right to reject the goods or require a refund if the goods are not repaired to their satisfaction. You must undertake the repair or supply a replacement within a reasonable time. If this cannot be done, or if it is likely to cause the customer too much inconvenience, you must inform the customer and they can choose another remedy.
You have the right to refuse a request to repair if the cost will be disproportionately higher than the cost of replacing the goods (and vice versa).
Requesting a refund
If the goods do not conform to the terms of the contract, a customer may request a full or partial refund. You are entitled to see evidence of proof of purchase.
Note that a customer’s legal rights are the same whether or not they are buying online and if they are buying sale items or items at their full price.
If the goods have any defects or faults (or, in the case of the provision of services, there are any limitations to the service provided) then these should be brought to the customer’s attention prior to purchase.
You cannot be held responsible for:
- fair wear and tear
- misuse or accidental damage by the consumer
- where the customer has tried their own repair or had someone else attempt a repair, and this has damaged the goods
- incorrect public statements about the characteristics of goods (such as in advertising or on labelling) which you were not aware of for good reason or had been corrected in public before the conclusion of the sale or the decision to buy was not influenced by the statement
Time limits for bringing claims
The time limit to bring a claim to court is six years. The period runs from when the breach of contract occurred, which, in practice, is taken to be the date on which the goods were provided or the services performed. However, this time limit does not mean that goods have to last for this length of time.
Obligation to minimise loss
The customer has a duty under contract law to take reasonable steps to minimise their loss. This means that they should act reasonably when seeking redress and should not add unnecessary costs. Consequently, they should:
Report faults as soon as possible, to make it easier for them to show that the goods were inherently faulty at the point of sale, and to prevent the goods from deteriorating further.
Service goods as appropriate, follow the user instructions and look after them, so that they do not contribute to any existing or inherent fault.
Data Protection
The General Data Protection Regulation (GDPR) Directive (EU) 2016/680, supplemented by the Data Protection Acts 1988 and 2003, govern the processing of personal information. Most importantly, you should minimise the amount of personal data you request, store and process and only do so when either the website user has consented to that processing or it’s necessary for one of several specified reasons. In addition, you should always provide a specific privacy notice - it is not good practice to include your privacy notice within these terms and conditions.
You can find out more on the Data Protection Commission website.
Back to topDOMAIN NAMES
Overview
A domain name is a registered right which entitles the holder to use a combination of letters and numbers (the domain name) to point to its web server. In other words, when you enter the domain name into a browser, you will be directed to the domain name owner’s website or the website of someone who has a licence from the domain name owner. In practice, it can be bought and sold, like a piece of property.
Currently in the Republic of Ireland there are no formal requirements for domain name sales or transfers to be evidenced in writing, although the domain name registrar will have their own transfer process which must be followed. Nevertheless, it is sensible to have a written agreement so that appropriate warranties and assurances are given.
The transferor of a domain name will be registered as the owner with the registrar of the top level domain. (IEDR is the registry for internet domain names ending in .i.e.) For basic public information on the domain name system, how it works and how to obtain global top level domains (gtld’s) such as “.com”, “.org” etc. see The Internic website.
Registration and re-registration
Since domain names are subject to registration, their transfer takes effect by re-registering in the name of the transferee.
Fees for transfer
Domain name registries require fees to be paid when registrations are transferred.
Back to topPRIVACY POLICY
Introduction
If your business has a website, you will probably use to it collect and store information from people who visit it, either by asking for it directly or by putting a cookie on their web browser.
Under the EU General Data Protection Regulation (GDPR) Directive (EU) 2016/680, and supplemented by the Data Protection Acts 1988 and 2003, you need to tell people about the information you hold, including how you will use it and for what purpose. You also need to tell them about their privacy rights and how the law protects them. You can a privacy notice to do this (it is sometimes also known as a privacy policy or privacy statement). See LawOnline’s ‘Privacy and cookie policy for a website’ (EC003).
If your website does not have anywhere for users to enter information and does not use cookies then you do not need a privacy notice.
You should also use our ‘Terms of use for a website’ (EC005), which govern use of your website generally. If you make sales (i.e. take payments) via your website, you may also need our ‘Terms and conditions for selling consumer goods or services on a website’ (EC004).
What you need to do
Assess what personal information you request and process: this will enable you to prepare this privacy notice and add it to your website.
However, the purpose of a privacy notice is to bring this information to people’s attention in the most accessible format possible. This includes doing so at the appropriate time such as including a link to the notice on every page of your website. It would also be helpful for a link to this notice, with a short explanation, to pop up before any information is provided by users of the website (in the UK, for example, these are referred to as ‘just-in-time’ notices).
This document will create up to four of these just-in-time notices for different situations, depending on your circumstances. Their contents will change depending on your answers, but you may need to tailor them further to the specific situation.
As we explain below, to process someone’s data you need one of several legal justifications. That they have consented is one such justification. If that is your justification, you will also need to provide a mechanism for website users to consent to your processing of their data in the manner intended.
The data protection principles
Irrespective of your privacy notices, when you hold or are considering asking for personal data, you must follow the data protection principles outlined below.
All employees should be notified of these data protection principles because they will be processing data on behalf of the business.
The GDPR outlines six data protection principles that are central to data protection law. You will have to comply with these principles at all times in your personal data-handling practices. In brief:
- Personal data must be processed lawfully, fairly and transparently. That means you must provide certain information to the person whose data you want to capture. The purpose of this privacy notice is to provide this information. It also means you may only process the information if you have a ‘lawful basis’ (i.e. a legal justification) for doing so. These justifications are:
- The person consented to the specific processing (you should only use this justification if you can’t rely on any of the others).
- The processing is necessary to carry out a contract with the person.
- The processing is necessary to comply with a legal obligation.
- The processing is necessary in order to protect the person’s ‘vital interests’, or those of another person. ‘Vital interests’ generally means life or death situations, e.g. a person’s medical history is disclosed to a hospital’s A&E department after a serious accident. You should only consider this justification after considering the others.
- The processing is necessary for a task carried out in the public interest or in certain official capacities.
- The processing is necessary for a legitimate interest pursued by you or by a third party, except where the processing would have a disproportionate adverse effect on the person’s rights and legitimate interests. If you rely on a legitimate interest you should also conducted a legitimate interest assessment. That means that you’ve shown than the processing is necessary for the legitimate interest and balanced it against the individual’s interests, rights and freedoms.
- Personal data must be obtained only for one or more specified and lawful purposes and not processed in a manner incompatible with those purposes.
- Personal data collected shall be adequate, relevant and not excessive in relation to the purposes for which it is processed.
- Personal data shall be accurate and kept up-to-date.
- Personal data shall not be kept for longer than is necessary.
- The data controller is responsible for, and must be able to demonstrate compliance with, the other data protection principles.
Sensitive information
The GDPR also outlines eight special categories of data relating to a person’s:
- political opinions
- racial or ethnic origin
- religious or philosophical beliefs
- trade union membership
- biometric data
- genetic data
- • health
- • sex life or sexual orientation
In order to process these categories of data - along with data relating to criminal convictions, offences and related security matters - you have to meet at least one of the following extra conditions:
- The processing is with the person’s explicit consent.
- The processing is in connection with employment, for the purposes of performing any legal right or obligation that you have.
- The processing is necessary in order to protect the person’s interests of those of another person, where you can’t get consent or you are not reasonably expected to get it. Another option would be where the person has unreasonably withheld their consent but the processing is necessary to protect the interests of another person.
- The processing is:
- carried out for legitimate interests of a non-profit organisation, that exists for political, philosophical, religious or trade union purposes;
- carried out with appropriate safeguards for the person’s rights and freedoms;
- relates only to individuals who either are members of the non-profit organisation or have regular contact with it; and
- does not involve disclosure of the personal data to a third party without the person’s consent.
- The person has already deliberately taken steps to make the personal data public.
- The processing is necessary for the purpose of or in connection with legal proceedings, getting legal advice etc.
- The processing is necessary for reasons of substantial public interest, but with many other restrictions.
- The processing is necessary for medical purposes.
- The processing is necessary for the protection of public health.
- The processing is necessary for archiving purposes in the public interest.
In addition, some of these justifications involve further safeguards. For example, information about employment, health and social care, public health or archiving, search and statistics requires that you have an appropriate policy in place. Health and social care or public health information must be undertaken under the responsibility of someone under an obligation of professional secrecy.
If the data relates to criminal convictions, offences or related security matters, you must not process the information except under the control of official authority or when authorised by law and under appropriate safeguards. In the context of a website, it will only be authorised by law if it relates to health or social care or public health, and the above conditions also apply.
Anonymise v pseudonymise
What if you remove the parts of the data from your website that make it possible to identify individuals? The GDPR uses two terms for this: ‘anonymise’ and ‘pseudonymise’.
Anonymisation means that the parts of the information that identify individuals have been irretrievably removed. That means the information does not identity individuals therefore it would not be covered by the GDPR. This also applies to information from cookies. Note, however:
- The EU’s data protection advisors body has stressed that the standard for anonymising is high, so you will need specialist advice to ensure that the removal qualifies as anonymisation under the GDPR;
- The act of anonymising itself is a type of processing, therefore unless the information is anonymised before you receive it, you will be processing personal data and it’ll fall under the GDPR.
Pseudonymisation means to remove the parts of the information that make it possible to identify someone, but in such a way that either you or someone else could re-identify the data with reasonable effort. This data remains covered by the GDPR.
Given that you still have to list this data in a privacy notice, you may be wondering whether there is any gain in removing identifying data this way. However, it is advantageous as it makes the data more secure - if someone gets access to your data, if it is pseudonymised it will be more difficult for them to abuse. Individuals concerned are likely to look highly upon that.
Rights of those using your website
Subject access requests
Users of your website have a right to ask whether you, or someone on your behalf, are processing any personal data about them and, if so, to be given:
- A description of the personal data
- Information regarding the purposes for which the personal data is being processed
- The disclosees, or potential disclosees, of the personal data
- A copy of information in an intelligible form containing such personal data and any information that you have access to, identifying the source of that personal data
- Where you or someone on your behalf has processed such personal data by automatic means for the purpose of evaluating matters relating to such user e.g. credit worthiness, and such processing is likely to form the sole basis for any decision significantly affecting the user, you must inform such user of the logic involved in that decision making.
Other rights
Those users whose information you hold also have the following rights:
- To ensure that you correct or complete information relating to them if appropriate, or to complain to the Data Protection Commissioner if you do not;
- To request that their personal information that you hold is deleted if you relied on their consent in holding that information, or if it is no longer necessary;
- To restrict or object to the processing of their information in certain circumstances;
- The right to portability - in brief, to request a copy of the data or request that the data is sent to another controller;
- To be told of a likely breach of their data protection rights.
Back to top
COOKIES
What is a cookie?
Cookies are text files containing small amounts of information which are downloaded to a user’s device when they visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.
Cookies do lots of different jobs, like letting users navigate between pages efficiently, remembering their preferences, and generally improving the user experience. They can also help to ensure that adverts users see online are more relevant to them and their interests. You can find more information about cookies at http://www.allaboutcookies.org and https://www.youronlinechoices.eu/
The General Data Protection Regulations (GDPR) specifically addresses cookies in this way:
Natural persons may be associated with online identifiers such as internet protocol addresses, cookie identifiers or other identifiers. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Some cookies will escape that broad definition, however most will be covered by it.
However, there is another, older European directive that is more specific to cookies - the ePrivacy Directive. This is currently being updated, but the updated version is not yet finalised. Therefore, in relation to cookies, you must abide by some parts of the GDPR and some parts of the ePrivacy Directive.
In brief:
- In accordance with the GDPR, if the cookie can be used to identify or build a profile of someone, data protection law applies. For brevity, we’ll refer to that as an identifying cookie.
- For identifying cookies, you must give a privacy notice.
- However, the older directive says whether consent is necessary. In brief, it is necessary unless the cookie is essential for a service requested from you by the website user. For example, if you sell on your website you probably provide shopping baskets, for which cookies might be necessary - without the cookies, the basket would not remember what goods the user wishes to buy. On the other hand, if the cookie is used to tailor the products offered to the customer’s past preferences, that isn’t essential and so consent would be required.
- If consent is required, the GDPR governs the requirements of the consent.
The law applies also to similar technologies for storing or retrieving information such as local shared objects (often referred to as ‘flash cookies’), web beacons or web bugs (including transparent or clear gifs).
For this reason, this privacy notice explains what identifying cookies are used, and provides you with a just-in-time notice to be presented to the website user before any cookies are set on the user’s browser.
Types of cookies
First-party v third-party cookies
Whether a cookie is ‘first’ or ‘third’ party refers to the domain placing the cookie. First-party cookies are those set by a website that is being visited by the user at the time - the website displayed in the URL window. Third-party cookies are cookies that are set by a domain other than that of the website being visited by the user. If a user visits a website and another entity sets a cookie through that website, this would be a third-party cookie.
Session v persistent cookies
Persistent cookies remain on a user’s device for the period of time specified in the cookie. They are activated each time the user visits the website that created that particular cookie.
Session cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close the browser window. Session cookies are created temporarily. Once you close the browser, all session cookies are deleted.
Categories of cookies
The International Chamber of Commerce (ICC) defines four categories of cookies:
Category 1: strictly necessary cookies
These cookies are essential in order to enable users to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services users have asked for, like shopping baskets or e-billing, cannot be provided.
User consent is not required for the delivery of those cookies that are strictly necessary to provide services requested by the user. However, it is important to give users the opportunity to understand these cookies and the reasons for their use.
Generally these cookies will be first-party session cookies. It is possible for third-party or persistent cookies to be essential, but it will be rare.
Not all first-party session cookies, however, will fall into the ‘strictly necessary’ category and the use of the cookie must be related to a service provided that has been explicitly requested by the user.
Strictly necessary cookies will generally be used to store a unique identifier to manage and identify the user as unique to other users currently viewing the website, in order to provide a consistent and accurate service to the user.
Examples include:
• remembering previous actions (e.g. entered text) when navigating back to a page in the same session
• managing and passing security tokens to different services within a website to identify the visitor’s status (e.g. logged in or not)
• to maintain tokens for the implementation of secure areas of the website
• to route customers to specific versions/applications of a service, such as might be used during a technical migration
These cookies will not be used:
• to gather information that could be used for marketing to the user; or
• to remember customer preferences or user ID’s outside a single session (unless the user has requested this function).
Category 2: performance cookies
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages they are only used to improve how a website works. These cookies might be anonymised, in which case the GDPR will not apply. However, it is more likely that the anonymisation will not be thorough enough so you should assume that the GDPR does apply.
Web analytics that use cookies to gather data to enhance the performance of a website fall into this category. For example, they may be used for testing designs and ensuring a consistent look and feel is maintained for the user. They may also be used to track the effectiveness of ‘pay-per-click’ and affiliate advertising, but where the same cookies are used for re-targeting they must be included in ‘Category 4: targeting cookies or advertising cookies’ as well. An affiliate is a website operator who can send traffic to a website using links from another website. The affiliate is paid an agreed commission from the referral.
This category does not include cookies used for behavioural/targeted advertising networks.
These cookies can be first or third party, session or persistent cookies. To fall within this category their usage should be limited to performance and website improvement.
Examples include:
- Web analytics: where the data collected is limited to the website operator’s use only, for managing the performance and design of the site. These cookies can be third-party cookies but the information must be for the exclusive use of the publisher of the website visited.
- Ad response rates: where the data is used exclusively for calculating response rates (click-through rates) to improve the effectiveness of advertising purchased on a site external to the destination website. If the same cookie is used to re-target adverts on a third-party site this would fall outside the performance category (see: Category 4: targeting cookies or advertising cookies).
- Affiliate tracking: where the cookie is used to let affiliates know that a visitor to a site visited a partner site some time later and if that visit resulted in the use or purchase of a product or service, including details of the product and service purchased. Affiliate tracking cookies allow the affiliate to improve the effectiveness of their site. If the same cookie is used to re-target adverts this would fall outside the performance category.
- Error management: measuring errors presented on a website, typically this will be to support service improvement or complaint management and will generally be closely linked with web analytics.
- Testing designs: testing variations of design, typically using A/B or multivariate testing, to ensure a consistent look and feel is maintained for the user of the site in the current and subsequent sessions.
Category 3: functionality cookies
These cookies allow the website to remember choices users make (such as their user name, language or the region they are in) and provide enhanced, more personal features. For instance, a website may be able to provide local weather reports or traffic news by storing in a cookie the region in which the user is currently located.
These cookies can also be used to remember changes users have made to text size, fonts and other parts of web pages that they can customise. They may also be used to provide services users have asked for such as watching a video or commenting on a blog.
Where these cookies are also used for behavioural/targeted advertising networks they must be included in ‘Category 4: targeting cookies or advertising cookies’ as well as this category.
These cookies can be first-party, third-party, session or persistent cookies. These cookies will typically be the result of a user action, but might also be implemented in the delivery of a service not explicitly requested but offered to the user. They can also be used to prevent the user being offered a service again that had previously been offered to that user and rejected.
Examples include:
- Remembering settings a user has applied to a website such as layout, font size, preferences, colours etc.
- Remembering a choice such as not to be asked again to fill in a questionnaire
- Detecting if a service has already been offered, such as offering a tutorial on future visits to the website
- Providing information to allow an optional service to function such as offering a live chat session
- Fulfilling a request by the user such as submitting a comment
Category 4: targeting cookies or advertising cookies
These cookies are used to deliver adverts more relevant to users and their interests. They are also used to limit the number of times users see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the website operator’s permission. They remember that a user has visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.
There are practical hurdles when it comes to providing privacy notices and obtaining consent for third-party cookies. The most important thing is that adequate notice is given and consent obtained. In practice, operators of consumer-facing websites may be best positioned to obtain consent. Where third-party cookies are set through a website, both the third party and the website operator will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.
These cookies will always be persistent but time-limited cookies. These cookies contain a unique key that is able to distinguish individual users’ browsing habits or store a code that can be translated into a set of browsing habits or preferences using information stored elsewhere.
Examples include:
- Cookies placed by advertising networks to collect browsing habits in order to target relevant adverts to the user. The site the user is visiting need not actually be serving adverts, but often this will also be the case.
- Cookies placed by advertising networks in conjunction with a service implemented by the website to increase functionality, such as commenting on a blog, adding a site to the user’s social network, providing maps or counters of visitors to a site.
Cookies that fit into multiple categories
It is up to website operators to appropriately place cookies in the correct category based on what function those cookies have and their use. However, there may be cookies that fit into all/several of the categories in the guide as a result. For instance where a cookie can be used to change website functionality, and is also used for delivering online behavioural advertising, the cookie must be placed into both category 3 and category 4 and consent must be sought in relation to both categories/uses.
Giving information and getting consent
The ICC has published guidance on the different approaches that might be taken on these issues depending upon the types of cookies used. This guidance (which can be found at https://www.cookielaw.org/media/1096/icc_uk_cookiesguide_revnov.pdf - link opens a PDF) should be referred to for more detailed information.
Methods of getting consent may include:
- accepting website terms and conditions;
- settings-led consent: getting consent as users select website settings;
- feature-led consent: getting consent as users register for or ‘switch on’ website features;
- function-led consent: getting consent as a result of users initiating or activating website functions; or
- notice and choice mechanisms, such as sensitively deployed pop ups or header bars.
There is much disagreement, and possibly confusion, within the industry and among commentators about what is valid consent for obtaining cookies.
The safest way of correctly getting consent for cookies is by explaining your use of them and giving a specific option on your website. For example, before setting any cookies, your website could display a notice listing the cookies it uses, explaining what they are for, and asking the user which cookies are accepted. This privacy notice includes a table listing your cookies in that way, so that users can make a specific and informed decision about which cookies to accept.
In the past website operators generally provided a brief notice saying they use cookies and that continuing to use the website indicates acceptance of cookies. This relies on the idea that, if they did not want to accept all cookies, users could change their browser’s settings - for example to not accept any cookies or to not accept third-party cookies.
It is debatable whether that ever really sufficed even under the previous law. For the GDPR, the problems include:
- many users do not use their browser settings in a proactive manner, making it potentially difficult to argue that continuing to use the website without changing browser settings equals valid consent;
- consent should be specific to the specific processing - changing browser settings will change your acceptance of all cookies of that type; but you might want your favourite cycling shop to know which cycling jerseys you regularly consider buying, but there may be other advertisers who you do not want to know anything at all about you.
It is not entirely clear if current browsers offer adequate consent options but consenting via browser settings could suffice. In the absence of a clear position on this matter we have given the option, in this policy, of using browser settings this way. That is because even previously it may not have been lawful but such a practice developed. We are not sure how practice will evolve under the GDPR. However, we would suggest you choose the first option.
Back to topDATA PROTECTION OFFICER
Data protection officer
Under the GDPR, you must appoint a Data Protection Officer (DPO) if:
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Currently it is unclear what large scale means because it is not defined by the GDPR. However, the following should be considered:
- the number of individuals concerned;
- the volume of data or range of items being processed;
- the duration or permanence of processing activity;
- the geographical extent of processing activity.
In many cases, it is unlikely that small organisations will be processing on a large scale. The European Commission gives guidance and some examples in question 3 of http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
You can appoint a DPO if you wish, even if you are not required to. If you decide to voluntarily appoint a DPO you should be aware that they will have the same responsibilities as if the appointment had been compulsory.
A DPO can play a key role in your organisation’s data protection governance structure. Their responsibilities are:
- to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
- to monitor compliance with the GDPR and other data protection laws, and with your data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
- to advise on, and to monitor, data protection impact assessments;
- to cooperate with the supervisory authority; and
- to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR.
If you decide that you do not need to appoint a DPO, either voluntarily or because you do not meet the above criteria, it is a good idea to record this decision to help demonstrate compliance with the accountability principle. It is also a good idea, even if you do not appoint a DPO, to consider appointing someone as the primary point of contact for data protection issues.