There is a common misunderstanding that cookies are regulated by the General Data Protection Regulation (GDPR). In fact, the law on cookies mainly comes from the EU ePrivacy Directive of 2002, as amended in 2009. There have been steps at EU level over almost a decade to replace the ePrivacy Directive with a new ePrivacy Regulation, which would apply directly and consistently in all Member States. However, as of now there has been no agreement on this proposed legislation. The provisions of the ePrivacy Directive therefore continue to apply to the use of cookies and similar tracking.

The ePrivacy Directive recognises that the devices of users of electronic communications networks and any information stored on their devices are part of their “private sphere” and that they require protection. It notes that so-called “spyware, web bugs, hidden identifiers and other similar devices” can enter the user’s device without their knowledge and that this may seriously intrude on the privacy of those users.

The purpose of the law on cookies is therefore to protect individuals from having information placed on their devices, or accessed from their devices, without their consent, as this may interfere with the confidentiality of their communications.

In Ireland, the ePrivacy Directive is transposed into the law of the State by Statutory Instrument No. 336 of 2011, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“the ePrivacy Regulations”).