Cookie Law – What Is It?
The Cookie Law, as its has come to be known, was implemented to protect people’s privacy online. It is designed to keep them informed about what is collected and how it is used, and then to give them the choice to allow it or not.
Implementation In UK Law
It was implemented in the UK on 26th May 2011 following an EU directive. The directive mandated all EU countries adopt it in local law by 25th May 2011. All websites owned in the EU or targeted towards EU citizens, are now expected to comply. For the UK, the Privacy and Electronic Communications Regulations were updated. Interestingly though, each country has interpreted and implemented the directive in different ways.
6.—(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment— (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information— (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where generic to adipex such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
which can be loosely interpreted as:
A website owner cannot store or use information stored on a user’s computer, unless the user has been provided with clear and comprehensive information for the need, and the user has given consent to do so.
The exception to this is when the user requests a service that can strictly only be provided by storing or getting access to information stored on the user’s computer.
Cookies that are considered to be strictly necessary:
- Cookies used to manage items in a shopping basket
- Cookies for managing essential security measures such as logging onto this website
- Cookies used for quick loading and distribution of content
Cookies or services that are NOT considered strictly necessary:
- Google Analytics, or other software used to analyse visitor activity on the website
- Cookies for managing user preferences
- First and third party advertising cookies
- Share or Like Buttons
The general view is that the more privacy intrusive the use of a cookie is, the more the website should be obliged to ensure the user is made aware and has provided their consent. Unfortunately, there is no granular way of defining cookies and so we are left with what can only be considered a sliding scale of privacy intrusion. Those cookies that maintain a detailed profile of a user’s browsing behaviour, particularly across multiple websites, being among the worst offenders.
They have investigatory powers and can in theory impose fines of up to £500,000 for serious breaches of the regulations. They have said however, that they would be unlikely to use those powers for non-compliance, leading to many sites ignoring the law entirely.