The information on this page is taken directly from the Information Commissioner's Office (ICO) Website - you may however want to download my free guide to the EU Cookie Law that has been written in much clearer English! - Click Here
This new law is known as the "EU Cookie Law" but its official title in the UK is:
The Privacy and Electronic Communications (Amendment) Regulations 2011 - Click Here
...which is an amendment to:
The Privacy and Electronic Communications (EC Directive) Regulations 2003 - Click Here
Cookies and personal data
Regulation 6 covers the use of Electronic Communications networks to store information, eg using cookies, or gain access to information stored in the terminal equipment of a subscriber or user.
Although devices which process personal data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the Regulations apply to all uses of such devices, not just those involving the processing of personal data.
Where the use of a cookie type device does involve the processing of personal data, service providers will need to make sure they comply with the additional requirements of the Data Protection Act 1998 (the Act). This includes the requirements of the third data protection principle which states that data controllers must not process personal data that is excessive. Where personal data is collected, the data controller should consider the extent to which that data can be effectively processed anonymously. This is likely to be particularly relevant where the data is to be processed for a purpose other than the provision of the service directly requested by the user, for example, counting visitors to a website.
Confidentiality of communications and spyware
It should be remembered that the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online. Here, we are not referring to the collection of data in the context of conducting legitimate business online but the fact that so-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user and that such activities often have a criminal purpose behind them.
Information to be provided
Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so. This is comparable with the transparency requirements of the first data protection principle.
The Regulations state that once a person has used such a device to store or access data in the terminal equipment of a user or subscriber, that person will not be required to provide the information described and obtain consent (and discussed above) on subsequent occasions, as long as they met these requirements initially. Although the Regulations do not require the relevant information to be provided on each occasion, they do not prevent this.
Responsibility for providing the information and obtaining consent
The Regulations do not define who should be responsible for providing the information and obtaining consent. Where a person operates an online service and any use of a cookie type device will be for their purposes only, it is clear that that person will be responsible for complying with this Regulation.
Exemptions from the right to refuse a cookie
The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:
- for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
- where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.
In defining an "information society service" the Electronic Commerce (EC Directive) Regulations 2002 refer to 'any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service'.
The term "strictly necessary" means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the service provider might be subject to, for example, the security requirements of the seventh data protection principle.
Where the use of a cookie type device is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent..
The 2003 Regulations implemented a European Directive - 2002/58/EC - which is concerned with the protection of privacy in the electronic communications sector. In 2009 this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent for storage or access to information stored on a subscriber or users terminal equipment – in other words a requirement to obtain consent for cookies and similar technologies.
Governments in Europe had until 25 May 2011 to implement these changes into their own law. The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. However they extended the act for 1 year so businesses could take the relevant action. This new law is being enforced from the 26th may 2012
EVERY business is now required to:
- Perform an Audit of all the cookies on their Website pages
- Introduce a mechanism on their website that captures the consent of a visitor BEFORE any cookie is placed on their PC/Laptop/iPad/Smartphone etc
Are you ready to comply with this new law?
You may want to download my free guide to
the EU Cookie Law that has been written in much clearer English!
- Click Here