Legal change - You need to obtain user consent if you use cookies on your website
Archive - Originally posted on "The Horse's Mouth" - 2012-06-01 18:50:17 - Graham Ellis
The law which applies to how we use cookies and similar technologies for storing information on a user’s equipment such as their computer or mobile device changed on 26 May 2011. There has been a year's "grace" in the UK prior to the adoption of this new law, but as from this coming Monday, it's adopted. There's a European-wide directive, so complying in the UK should help you comply across Europe too, but the Information Commissioner's web site tells us that the UK is ahead of the game in implementing the directive, so it's going to be a little harder / bit more of a learning process in this country. There's an introduction FAQ and video on the ICO web site [here].
In summary, the law states: Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment: (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.
In updated guildelines published last month, the Information Commissioner's Office states "Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies". It goes on to say that "Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies." and warns that "You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand."
Over the last week or so, you'll have seen extra notices about cookies turning up on many sites - I've noticed places such as the BBC, the Daily Telegraph and HSBC in my personal browsing. It appears that the general pattern is to provide a very clear link on the front page (perhaps in the form of a first-visit-only popup) saying that if you go further you consent, and it points you to a link which describes the site's use of cookies.
Certain exemptions are offered: The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used: (a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.
In defining an 'information society service' the Electronic Commerce (EC Directive) Regulations 2002 refer to 'any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service'. unfortunately, anyone who provides a free forum is not doing it for remuneration, and so it appears to me that free forums such as our Great Western Coffee Shop have to complyalthough we wouldn't have to if we charge a fee for people to join or use the forum!
I'm in the process of updating our privacy policy on this site, which is [here] to make it more explicit with regards to cookies, and will be providing more obvious first time links to it. And I will be adding a statement to the effect that "if you do not agree to this use of cookies, please don't use our site". I'll also be adding a reminder that individual users can alter their cookie preferenced in most browsers if they wish. I am not a lawyer, and what I am doing is my best understanding of what is necessary. You should check with your legal advisor if you are in any doubt as to the new law and how it applies to you, as we cannot take any responsibility at Well House Consultants for errors or ommissions in this post, nor for any consequences that arise from those errors or ommissions.
The ICO site admits that complying with the new law may not be easy and involves considerable work for many site providers (I know I'm going to be on it for various sites for a day or two - thank goodness our sites are reasonably well structured) - and they state that they're going to take a softly approach to start with - advising, and then perhaps applying enforcement notices, and they don't see that they'll be using their powers to apply quite large fines to site operators who don't comply.
Franlky, what a hassle for small businesses especially. I can see many people having to do a very great deal of work to provide extra information about their web sites which will very rarely even be looked at. And yet the cost of that extra work will need to be passed on / back to the customer!