Advice on how UK businesses and organisations can comply with a new EU law on the use of cookies technology has been published today by the Information Commissioner’s Office (ICO).
The law, which will come into force on 26 May 2011, comes from an amendment to the EU’s Privacy and Electronic Communications Directive.
The advice, which follows the publication of UK regulations by the Department for Culture, Media and Sport, will help people to consider what type of cookie or similar technology their website uses and for what purpose, how intrusive their use is, and offers advice on what solution for obtaining consent will suit them.
From the advice:
What do the new rules say?
The new requirement is essentially that cookies can only be placed on machines where the user or subscriber has given their consent.
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment–
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.