New EU cookie law


http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

Cookies and personal data

Regulation 6 covers the use of electronic communications networks to store information, eg using cookies, or gain access to information stored in the terminal equipment of a subscriber or user.

Although devices which process personal data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the Regulations apply to all uses of such devices, not just those involving the processing of personal data.

Where the use of a cookie type device does involve the processing of personal data, service providers will need to make sure they comply with the additional requirements of the Data Protection Act 1998 (the Act). This includes the requirements of the third data protection principle which states that data controllers must not process personal data that is excessive. Where personal data is collected, the data controller should consider the extent to which that data can be effectively processed anonymously. This is likely to be particularly relevant where the data is to be processed for a purpose other than the provision of the service directly requested by the user, for example, counting visitors to a website.

Confidentiality of communications and spyware

It should be remembered that the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online. Here, we are not referring to the collection of data in the context of conducting legitimate business online but the fact that so-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user and that such activities often have a criminal purpose behind them.

Information to be provided

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so. This is comparable with the transparency requirements of the first data protection principle.

The Regulations state that once a person has used such a device to store or access data in the terminal equipment of a user or subscriber, that person will not be required to provide the information described and obtain consent (and discussed above) on subsequent occasions, as long as they met these requirements initially. Although the Regulations do not require the relevant information to be provided on each occasion, they do not prevent this.

Responsibility for providing the information and obtaining consent

The Regulations do not define who should be responsible for providing the information and obtaining consent. Where a person operates an online service and any use of a cookie type device will be for their purposes only, it is clear that that person will be responsible for complying with this Regulation.

Read the rest at the source; there is even a video and a .PDF.