The Information Commissioner's Office (ICO) has now published its initial guidance on the new rules on the use of cookies and similar technologies for storing information on users' equipment. These rules become a legal requirement from 26th May 2011, following an amendment to the EU Privacy and Electronic Communications Directive.
I had discussed the change last month, but now the guidance has been published. It does appear to be a reasonable, practical approach, but it is still work-in-progress and will be subject to change. In general, it requires UK organisations to obtain informed consent from visitors to their UK web sites in order to store and retrieve information on users' computers (including mobile devices).
The ICO advises organisations to take three steps:
- Check what type of cookies and similar technologies are implemented and how they are used.
- Assess how intrusive the use of cookies is.
- Decide what solution to obtain consent will be best in the particular circumstances.
Generally both notice to the user and consent will be required. However, two important exclusions exist for technical storage of, or access to, information:
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
This is why temporary state management session identifiers (IDs) used only for the provision of a service requested by the user (e.g. viewing an area of a web site they have chosen to access, logging in to a member-only area, using a shopping basket) are probably excluded from the requirement for consent. But organisations need to check what information is being collected and stored using cookies and similar technologies, when it is being collected, and how it is being used. If session data (as cookies, etc.) is transient and only used for the purpose of navigating the site, I would argue it is strictly necessary.
The guidance reminds organisations that "strictly necessary" means the exemption is limited to a small range of activities, and encourages organisations to test whether the activity was "explicitly requested" by the user in some way. Persistent cookies which last beyond the user's current session (e.g. "remember me", site customisation) are very likely to require consent, and this is an area where further guidance would be welcome (e.g. session management without authentication).
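The first of the ICO's three steps is an inventory of what your site sets, and the session-versus-persistent distinction above is the main thing to record. The following audit script is an added example (not from the ICO guidance or this post): it takes Set-Cookie headers captured while loading a site, paired with the host that sent each one, and flags those that are persistent or come from a third-party host as likely to need consent. The hostnames and headers are constructed sample data, and the flagging rule is my reading of the guidance, not an official test.

```python
from dataclasses import dataclass

@dataclass
class CookieFinding:
    name: str
    origin: str
    persistent: bool
    third_party: bool
    likely_needs_consent: bool

def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (cookie name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_persistent(attrs) -> bool:
    """A cookie outlives the browser session if it carries Expires or a positive Max-Age.
    Max-Age takes precedence over Expires when both are present (RFC 6265)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False  # browsers ignore a malformed Max-Age, so treat it as a session cookie
    return "expires" in attrs

def same_site(origin_host: str, site_host: str) -> bool:
    """First-party if the responding host is the site or one of its subdomains."""
    return origin_host == site_host or origin_host.endswith("." + site_host)

def audit(responses, site_host: str):
    """responses: iterable of (responding host, Set-Cookie header value) pairs."""
    findings = []
    for origin, header in responses:
        name, attrs = parse_set_cookie(header)
        persistent = is_persistent(attrs)
        third_party = not same_site(origin, site_host)
        # Assumed rule from the guidance: session cookies from the site itself are the
        # candidates for the "strictly necessary" exemption; everything else needs review.
        findings.append(CookieFinding(name, origin, persistent, third_party,
                                      persistent or third_party))
    return findings

# Constructed sample capture for a site hosted at www.example.org (placeholder hostnames).
SAMPLE_RESPONSES = [
    ("www.example.org", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.org", "remember_me=tok; Max-Age=2592000; Path=/; Secure; HttpOnly"),
    ("ads.tracker.example", "uid=xyz; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Domain=.tracker.example"),
]

def audit_sample():
    return audit(SAMPLE_RESPONSES, "www.example.org")
```

Running `audit_sample()` flags only the "remember me" and tracker cookies; the transient session ID is left for the "strictly necessary" assessment.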
The guidance includes information on how to obtain consent, and in particular discusses passing data to third parties and the use of third party cookies. If you must allow third party content, the onus is still on you to make sure your site, and all its content, complies with the new law. See also the previously mentioned IAB Europe Self Regulation Guidelines.
Remember, this is not just about cookies — all similar technologies for storing information on the user's device which can then be retrieved are covered by the new requirements. So that will include:
- HTTP cookies
- Local Shared Objects (LSOs), i.e. Flash cookies
- userData in DHTML Behaviors
- data in a Google Gears database
- data in an Indexed Database API
- local data storage in mobile applications
- HTML5 storage
...and anything similar that exists now or in the future.
It's a busy week for the ICO; this afternoon, it will publish the new Data Sharing Code of Practice (see my discussion about the consultation last year).