When you visit a website, more often than not, a small text file called a "cookie" is sent to your computer. Now, what possible use is a cookie without a glass of milk, this Naked Lawyer asks?
Well, the purpose of a cookie is to store data. For example, if you log onto a website and give details such as your name and e-mail address, the cookie will maintain your log-in details so that you do not have to log back in the next time you visit the site. A shrewd advertising tactic? Yes. An invasion of privacy? Potentially.
Cookies are currently regulated by the 2002 European Communities Directive on Privacy and Electronic Communications. Under the Directive, provided website users are given “clear and comprehensive information” about the purposes of cookies and are given the opportunity to refuse to have cookies stored on their equipment, cookies can be used for activities such as advertising, analysing website effectiveness and identifying online purchasers. Currently website owners comply with this requirement by putting information about cookies in a privacy policy and then adding a link to the policy to every page of their website.
Now proposed amendments to the law on cookies suggests that users may have to give prior consent in order to allow cookies. (This is subject to an exemption if the cookies are “strictly necessary” i.e. they enable a specific service explicitly requested by the user.) At this stage it is completely unclear what prior consent under the new proposals will mean in practical terms. A website owner could perhaps consider the following pop-up message on entry to their site: "click here for a cookie (non chocolate chip variety)". However, a pop-up message is arguably very cumbersome and not least rather off-putting to passing website traffic. This Naked Lawyer awaits the developments...
I assume you are referring to the provisions of Article 2(6) of the EU ‘Telecoms Package’, amending Article 6(3) of Directive 2002/58/EC? If so, isn't this merely clarifying that an ISP must have "prior" consent to use traffic data for marketing purposes?
Confusingly,perhaps, it's Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which implement Directive 2002/58/EC in the UK, that deals with setting cookies. It prohibits the use of a public network to store or access information stored in a subscriber’s or user’s computer unless clear, comprehensive information about the purposes of storage and access is given, with an opportunity to refuse permission. ICO guidance allows presumed consent, with a clearly displayed privacy policy or other means of opt-out to enable a user’s refusal (http://www.ico.gov.uk/upload/documents/library/privacy_and_electronic/detailed_specialist_guides/pecr_guidance_part2_1206.pdf)
Posted by: Pragmatist | June 05, 2009 at 02:42 PM
Hiya,
Is this in reference to 52a.
"(52a) Third parties may desire to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (e.g. certain types of cookies) to those involving unwarranted intrusion into the private sphere (e.g. spyware or viruses). It is therefore of paramount importance that users are provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of giving information and offering the right to refuse should be made as user-friendly as possible. An exception to the obligation to provide information and offering the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's will to accept processing may be expressed by way of using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of the enhanced powers granted to the relevant national authorities under Article 15a of this Directive."
I'm as far removed from having any legal foo as I can imagine - but I read that as that browser must offer opt-out options rather than the website?
Posted by: Andrew | June 08, 2009 at 12:58 PM