Privacy Statements and Cookie Notices on Websites: What You Need to Know


Have you noticed those annoying website “cookie” notices popping up nearly everywhere on the internet?

Well, there is good reason for them.

They are a legal requirement in Ireland and Europe, and breaches of the law covering data protection (the Data Protection Acts 1988 and 2003 and Statutory Instrument 336 of 2011) can lead to fines of up to €100,000 and deletion of the data collected via the website.

(Statutory Instrument 336 of 2011 deals with European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.)

Privacy statement v privacy policy

Note that there is a significant difference between a privacy statement and a privacy policy.

A privacy statement is a legal requirement for all websites in Ireland and the EU. It is a public statement of how the owner/operator of the website applies the 8 data protection principles to data processed on its website.

A privacy policy, on the other hand, sets out how the operator/owner of the website applies the 8 principles to the way in which it processes data across the organisation. This data would include employee, third party, and customer data.

Website cookies

Regulation 5 of SI 336 of 2011 covers the use of “cookies” by website operators/owners. A cookie in this context is a small file that can be downloaded to your computer or phone when you visit certain websites. This regulation provides:

  1. that you as website visitor should be told why this is being done and
  2. that you should be given the opportunity to give your consent or decline.

This requirement, together with the risk of a prosecution by the Data Protection Commissioner and a potential fine of €100,000, is why you will have seen these “cookie consent” notices popping up on websites.

If you operate a website and it uses cookies or web beacons, or collects personal data, or collects IP addresses or emails, your website needs a privacy statement.

What information should be contained in a privacy statement?

  1. The clear identity and contact details for the operator of the website
  2. The purpose of collecting the data
  3. The right of access to any personal data collected
  4. The right of rectification or erasure
  5. If the data collected can be released to a third party, this should be made clear
  6. The extent of the data being collected
  7. Whether the website uses cookies and the extent
  8. If cookies are used, the visitor should be able to consent to their use or opt out.

If your privacy statement contains the information set out above your website should be compliant with the law in this area and the requirements of the Data Protection legislation in Ireland.

However, you can also go a step further by providing the following information:

  • Your commitment to maintaining security of any data collected
  • Some form of complaints resolution mechanism should be considered
  • How long you retain data, for example credit card information could be deleted once a transaction is complete
  • That the data collection is not excessive but only relevant data is collected
  • How data subjects can update their information to ensure the data that is held is accurate.

Where to put the privacy statement

It should be readily accessible from any page on your website, not just your home page, as a huge amount of the traffic visiting your site may land on a page other than your home page.

What you should do now

If you are responsible for a website or blog you should ensure that you have a legally compliant and robust privacy statement on your site.

I can provide you with one; you can contact me here.