The information on this page is taken directly from the Information Commissioner's Office (ICO) website; you may, however, want to download my free guide to the EU Cookie Law, which is written in much clearer English: Click Here
Introduction
The law which applies to how you use cookies and similar technologies for storing information on a user's equipment, such as their computer or mobile device, changed on 26 May 2011. UK businesses were, however, given a year's lead-in to implement the new regulations, and that period runs out on 26 May 2012.
This new law is commonly known as the "EU Cookie Law", but its official title in the UK is:
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 - Click Here
...which is an amendment to:
The Privacy and Electronic Communications (EC Directive) Regulations 2003 - Click Here
Cookies and personal data
Regulation 6 covers the use of electronic communications networks to store information (e.g. using cookies) or to gain access to information stored in the terminal equipment of a subscriber or user.
Although
devices which process personal data give rise to greater privacy and
security implications than those which process data from which the
individual cannot be identified, the Regulations apply to all uses of
such devices, not just those involving the processing of personal data.
Where the use of a cookie-type device does involve the processing of
personal data, service providers will need to make sure they comply with
the additional requirements of the Data Protection Act 1998 (the Act).
This includes the requirements of the third data protection principle
which states that data controllers must not process personal data that is
excessive. Where personal data is collected, the data controller should
consider the extent to which that data can be effectively processed
anonymously. This is likely to be particularly relevant where the data is
to be processed for a purpose other than the provision of the service
directly requested by the user, for example, counting visitors to a
website.
Confidentiality of communications and spyware
It should be remembered that the intention behind this Regulation is
also to reflect concerns about the use of covert surveillance mechanisms
online. Here, we are not referring to the collection of data in the
context of conducting legitimate business online but the fact that
so-called spyware can enter a terminal without the knowledge of the
subscriber or user to gain access to information, store information or
trace the activities of the user and that such activities often have a
criminal purpose behind them.
Information to be provided
Cookies or similar devices must not be used unless the subscriber or
user of the relevant terminal equipment:
(a) is provided with
clear and comprehensive information about the purposes of the storage of,
or access to, that information; and
(b) has given his or her
consent.
The Regulations are not prescriptive about the sort of
information that should be provided, but the text should be sufficiently
full and intelligible to allow individuals to clearly understand the
potential consequences of allowing storage and access to the information
collected by the device should they wish to do so. This is comparable
with the transparency requirements of the first data protection
principle.
The Regulations state that once a person has used such
a device to store or access data in the terminal equipment of a user or
subscriber, that person will not be required to provide the information
described and obtain consent (and discussed above) on subsequent
occasions, as long as they met these requirements initially. Although the
Regulations do not require the relevant information to be provided on
each occasion, they do not prevent this.
Responsibility for providing the information and obtaining consent
The
Regulations do not define who should be responsible for providing the
information and obtaining consent. Where a person operates an online
service and any use of a cookie type device will be for their purposes
only, it is clear that that person will be responsible for complying with
this Regulation.
Exemptions from the right to refuse a cookie
The Regulations specify that service providers
should not have to provide the information and obtain consent where that
device is to be used:
- for the sole purpose of carrying out or
facilitating the transmission of a communication over an electronic
communications network; or
- where such storage or access is strictly
necessary to provide an information society service requested by the
subscriber or user.
In defining an "information society service", the Electronic Commerce (EC Directive) Regulations 2002 refer to 'any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service'.
The term "strictly necessary" means that such storage of
or access to information should be essential, rather than reasonably
necessary, for this exemption to apply. However, it will also be
restricted to what is essential to provide the service requested by the
user, rather than what might be essential for any other uses the service
provider might wish to make of that data. It will also include what is
required to comply with any other legislation the service provider might
be subject to, for example, the security requirements of the seventh data
protection principle.
Where the use of a cookie-type device is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.
Quick Summary
The 2003 Regulations implemented a European Directive, 2002/58/EC, which is concerned with the protection of privacy in the electronic communications sector. In 2009 this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent for the storage of, or access to, information stored on a subscriber's or user's terminal equipment; in other words, a requirement to obtain consent for cookies and similar technologies.
Governments in Europe had until 25 May 2011 to implement these changes into their own law. The UK introduced the amendments, in force from 26 May 2011, through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. However, the ICO allowed businesses a one-year lead-in period to take the relevant action, and the new law is being enforced from 26 May 2012.
EVERY business is now required to:
- Perform an audit of all the cookies set by their website pages
- Update their privacy policy to describe each cookie and what it does
- Introduce a mechanism on their website that captures the consent of a visitor BEFORE any cookie (other than one covered by the strictly necessary exemption above) is placed on their PC/laptop/iPad/smartphone etc.
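One way to start the audit step, as an added example that is not from the ICO guidance or from the author of this page: a small Python script that takes the Set-Cookie headers a site returns on a first, pre-consent page load (a constructed sample here), records what each cookie does, and separates the cookies the site has decided are strictly necessary (a hypothetical allowlist, STRICTLY_NECESSARY) from the ones that must not be set until the visitor has consented. It also flags an essential cookie sent without the Secure flag, which bears on the security requirements of the seventh data protection principle mentioned above rather than on consent.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import List, Tuple

# Assumption (hypothetical allowlist): the site treats only these cookies as
# "strictly necessary" to deliver the service the visitor asked for: the login
# session, the CSRF token, and the record of the visitor's own consent choice.
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "cookie_consent"}


@dataclass
class CookieRecord:
    name: str
    domain: str        # Domain attribute; "" means a host-only cookie
    path: str
    persistent: bool   # Expires or Max-Age present, so it outlives the visit
    secure: bool
    httponly: bool
    exempt: bool       # strictly necessary: no prior consent required
    notes: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieRecord:
    """Parse one Set-Cookie header value and classify the cookie it sets."""
    jar = SimpleCookie()
    jar.load(header_value)
    if len(jar) != 1:
        raise ValueError(f"could not parse Set-Cookie value: {header_value!r}")
    name, morsel = next(iter(jar.items()))
    persistent = bool(morsel["expires"] or morsel["max-age"])
    secure = bool(morsel["secure"])
    httponly = bool(morsel["httponly"])
    exempt = name in STRICTLY_NECESSARY

    notes = []
    if not exempt:
        notes.append("outside the strictly-necessary exemption: consent needed first")
        if persistent:
            notes.append("persistent: survives the visit, so disclose its lifetime")
    elif not secure:
        # An essential cookie that can travel over plain HTTP is a security
        # point (seventh data protection principle), not a consent point.
        notes.append("essential cookie set without the Secure flag")
    return CookieRecord(name, morsel["domain"], morsel["path"] or "/",
                        persistent, secure, httponly, exempt, notes)


def audit(set_cookie_headers: List[str]) -> Tuple[List[CookieRecord], List[CookieRecord]]:
    """Split a response's Set-Cookie headers into (exempt, consent-required) lists."""
    records = [parse_set_cookie(h) for h in set_cookie_headers]
    return ([r for r in records if r.exempt], [r for r in records if not r.exempt])


# Constructed sample: the Set-Cookie headers a first, pre-consent page load of a
# hypothetical site might return (names, values and domain are made up).
SAMPLE_HEADERS = [
    "sessionid=7f3a9c1e; Path=/; Secure; HttpOnly",
    "csrftoken=d41d8cd9; Path=/; Secure",
    "_ga=GA1.2.1234567890.1336000000; Domain=.example.com; Path=/; Max-Age=63072000",
    "prefs_theme=dark; Path=/; Expires=Thu, 01 Jan 2015 00:00:00 GMT",
]

if __name__ == "__main__":
    exempt, needs_consent = audit(SAMPLE_HEADERS)
    print("Exempt (strictly necessary):")
    for r in exempt:
        print(f"  {r.name:<12} domain={r.domain or '(host)'} secure={r.secure} "
              f"httponly={r.httponly} {'; '.join(r.notes)}")
    print("Need consent before being set:")
    for r in needs_consent:
        print(f"  {r.name:<12} domain={r.domain or '(host)'} "
              f"persistent={r.persistent} {'; '.join(r.notes)}")
```

Run it against the Set-Cookie headers captured from a real first-load response (a browser's network panel or a proxy will show them); every cookie that lands in the second list is one that must wait for the consent mechanism, and every entry in the first list needs a justification for the 'strictly necessary' claim, since that exemption is read as essential to the service the user asked for, not merely useful to the site.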
Are you ready to comply with this new law?
You may want to download my free guide to the EU Cookie Law, which is written in much clearer English: Click Here