10 May 2011

Cookies, Etc - The New Rules

The Information Commissioner's Office (ICO) has now published its initial guidance on the new rules for using cookies and similar technologies to store information on users' equipment. These rules become a legal requirement from 26th May 2011, following an amendment to the EU Privacy and Electronic Communications Directive.

[Image: partial view of a page from the ICO guidance 'Changes to the Rules on Using Cookies and Similar Technologies for Storing Information', showing the 'Third Party Cookies' section, which notes that where a website displays content from a third party (e.g. an advertising network or a streaming video service) that third party may read and write its own cookies or similar technologies onto the user's device.]

I had discussed the change last month, but now the guidance has been published. It does appear to be a reasonable, practical approach but is still work-in-progress and will be subject to change. In general, it requires UK organisations to obtain informed consent from visitors to their UK web sites in order to store and retrieve information on users' computers (including mobile devices).

The ICO advises organisations to take three steps:

  • Check what type of cookies and similar technologies are implemented and how they are used.
  • Assess how intrusive the use of cookies is.
  • Decide what solution to obtain consent will be best in the particular circumstances.

Generally both notice to the user and consent will be required. However, two important exclusions exist for technical storage of, or access to information:

  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

This is why temporary state management session identifiers (IDs) used only for the purpose of the provision of a service requested by the user (e.g. looking at an area of a web site they have chosen to access, logging in to a member-only area, using a shopping basket) are probably excluded from the requirement for consent. But organisations need to check what information is being collected and stored using cookies, etc., when it is being collected, and how it is being used. If session data (as cookies, etc.) is transient and only used for the purpose of navigating the site, I would argue it is strictly necessary.

The guidance reminds organisations that "strictly necessary" means the exemption is limited to a small range of activities, and encourages organisations to test whether the activity was "explicitly requested" by the user in some way. Persistent cookies which last beyond the user's current session (e.g. remember me, site customisation) are very likely to require consent, and this is an area where further guidance would be welcome (e.g. session management without authentication).
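The first two of the ICO's steps, checking what cookies a site sets and whether they outlive the session, can be partly automated. The following is an added example, not code from the original post or the ICO guidance: it classifies Set-Cookie headers captured from a site's responses as session or persistent and as first- or third-party, using a hypothetical site host, constructed sample headers, and a simplified two-label registrable-domain check (no public suffix list). The "consent likely required" flag only prompts the human "strictly necessary" judgement; it does not replace it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "www.example.org"                             # constructed: site under review
REVIEW_TIME = datetime(2011, 5, 26, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class CookieRecord:
    name: str
    set_by: str            # host whose response carried the Set-Cookie header
    lifetime_seconds: int  # 0 for session cookies (and for Max-Age<=0 deletions)
    third_party: bool
    @property
    def persistent(self) -> bool:
        return self.lifetime_seconds > 0
    @property
    def consent_likely_required(self) -> bool:
        # Persistent or third-party cookies fall outside the "strictly necessary"
        # exemption unless a human review concludes otherwise.
        return self.persistent or self.third_party

def registrable(host: str) -> str:
    """Approximate registrable domain as the last two labels (assumption: no PSL)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(set_by: str, header: str, site_host: str = SITE_HOST,
             now: datetime = REVIEW_TIME) -> CookieRecord:
    name, *attr_parts = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in attr_parts)}
    lifetime = 0
    if "max-age" in attrs:                      # Max-Age wins over Expires (RFC 6265)
        lifetime = max(0, int(attrs["max-age"]))
    elif "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:                  # treat a naive parse as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        lifetime = max(0, int((exp - now).total_seconds()))
    return CookieRecord(name.split("=", 1)[0], set_by, lifetime,
                        registrable(set_by) != registrable(site_host))

CAPTURED = [  # constructed sample: (responding host, Set-Cookie header value)
    ("www.example.org", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.org", "remember_me=tok; Max-Age=2592000; Path=/; HttpOnly"),
    ("www.example.org", "theme=dark; Expires=Fri, 31 Dec 2038 23:59:59 GMT; Path=/"),
    ("ads.tracker-net.example", "uid=xyz; Domain=.tracker-net.example; Max-Age=31536000"),
]

def inventory(captured=CAPTURED, site_host=SITE_HOST):
    return [classify(host, hdr, site_host) for host, hdr in captured]
```

Calling `inventory()` on the sample leaves only the transient JSESSIONID unflagged; the remember-me, theme and advertising-network cookies are all marked as likely needing consent.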

The guidance includes information on how to obtain consent, and in particular discusses passing data to third parties and the use of third party cookies. If you must allow third party content, the onus is still on you to make sure your site, and all its content, complies with the new law. See also the previously mentioned IAB Europe Self Regulation Guidelines.

Remember, this is not just about cookies — all similar technologies for storing information on the user's device which can then be retrieved are covered by the new requirements. So that will include:

  • HTTP cookies
  • Local Shared Objects (LSO) i.e. Flash cookies
  • userData in DHTML Behaviors
  • data in a Google Gears database
  • data in an Indexed Database API
  • local data storage in mobile applications
  • HTML5 storage

...and anything similar that exists now or in the future.

It's a busy week for the ICO; this afternoon, it will publish the new Data Sharing Code of Practice (see my discussion about the consultation last year).

Posted on: 10 May 2011 at 09:01 hrs

http://www.clerkendweller.com/2011/5/10/Cookies-Etc--The-New-Rules