Not much to report today, except that websites operating in the United Kingdom should be aware that they now need to get end users’ consent before they can drop cookies on those users’ computers. No, we’re not talking about those hard-to-remove Flash cookies, but virtually any cookies, even those collecting anonymized information for the benign purpose of web analytics (which on this side of the pond is considered part of the normal operations of a commercial website, so much so that the FTC doesn’t care too much about it, as long as there is appropriate disclosure in the site’s privacy policy and the cookies can be easily removed).
Under the amended Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, generally speaking a person may not “store or gain access to information stored, in the terminal equipment of a subscriber or user” unless the subscriber or user of that terminal equipment– “(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.” The effective date for enforcement of the regulation (previously extended) is now May 1, 2012. You can find guidance from the Information Commissioner’s Office (ICO) about the cookie regulations here.
The only exceptions to the consent requirement are where the cookie or device will be used for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or “where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.” An “information society service” (nice phrase there) means “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service.”
So far quite a few British sites have appeared to ignore the amended regulations (of course, they’ve only been in force for seven days). The regulations don’t explicitly require an opt-in (one can imagine the disastrous effect on website usability of that approach, although naturally the ICO does it on their site), and the guidance indicates that implied consent — agreement through behavior, such as (conceivably) browsing the site — can be appropriate if there is a sufficient level of awareness of the cookie policy on the user’s part before a cookie is dropped. At the same time, standard privacy policy disclosures about cookies alone don’t seem to be sufficient; something else is required.
So … if you’re going to be serving tea and cookies across the pond, remember that your guests need to consent.