EU Cookie Law

As From Saturday 26th May, British Businesses Will Be Liable To A £500,000 Fine From The ICO If Found Guilty Of Not Complying With The EU Cookie Law.

Our Cookie Law Service Ensures YOU Stay Safe. One-time, low-cost solution.

You may have noticed some of the biggest websites in the UK asking visitors for consent to use cookies. You’d also be right in thinking that your business needs this protection too. Businesses large and small are liable to a maximum fine of £500,000 should they not comply. So what is ‘implied consent’ exactly? Here are some pointers worth noting from the updated cookies guidance (May 2012):

•    Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
•    Relying on implied consent? You need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
•    You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
•    In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

What does this mean?

The UK Regulations mean that a website operator must not store information (or gain access to information stored in the computer or other web-enabled device) of a visitor unless the visitor “is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information” and “has given his or her consent”.  This replaces the previous rule which stated that visitors should be given the option to refuse cookies.

The only cookies that do not need visitors’ consent are those that are necessary to fulfill the visitor’s request. That will cover, for example, the use of cookies to remember the contents of a visitor’s shopping cart as the user moves through several pages on a website. Other cookies, including those used to count visitors to a site and those used to serve advertising, will require consent.

Yes! Google Analytics Requires Consent Of The Visitor!

Are they trying to ruin my business?

Remember that this rule is NOT to stop your business from collecting useful data to improve your website and to improve your business. These are legitimate uses, as are eCommerce cookies for tracking a user’s progress in order to give them the best experience you can. Rather, it’s to stop spyware and other malicious uses of cookies which might have criminal motives behind them.

Information to be provided

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
The Regulations state that once a person has used such a device to store or access data in the terminal equipment of a user or subscriber, that person will not be required to provide the information described and obtain consent (as discussed above) on subsequent occasions, as long as they met these requirements initially. Although the Regulations do not require the relevant information to be provided on each occasion, they do not prevent this.

Our Cookie Law Service Ensures You’re Covered with a one-time, low-cost solution.

Responsibility for providing the information and obtaining consent

The ICO provides this statement of where the responsibility lies: “Where a person operates an online service and any use of a cookie type device will be for their purposes only, it is clear that that person will be responsible for complying with this Regulation.”

Exemptions from the right to refuse a cookie

The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:
•    for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
•    where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.

In defining an ‘information society service’ the Electronic Commerce (EC Directive) Regulations 2002 refer to ‘any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service’.

The term ‘strictly necessary’ means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the service provider might be subject to, for example, the security requirements of the seventh data protection principle.

Where the use of a cookie type device is deemed ‘important’ rather than ‘strictly necessary’, those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.
