SuperCharlie Posted May 28, 2012

Even though I am not in the EU, this issue is important to me as a long-time developer. I ran across this Slashdot discussion, which led me to this guidance document from ico.gov.uk. Note this is a PDF file. >>Here<<

In general, it appears this law does not ban cookies for the normal and necessary operation of a website. The intent and object of this law is to force websites that use tracking such as Google Analytics or other types of persistent user profiling to request the consent of the web surfer to accept and agree to be tracked.

On pages 10-12 or so of that document there are some examples of things that are exempted by example in this guidance:

This exception is likely to apply, for example, to a cookie used to ensure that when a user of a site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page. This cookie is strictly necessary to provide the service the user requests (taking the purchase they want to make to the checkout) and so the exception would apply and no consent would be required.

The Information Commissioner is aware that there has been discussion in Europe about the scope of this exception. The argument has been made in some areas that cookies that are used for resource planning, capacity planning and the operation of the website, for example, could come within the scope of the exemption. The difficulty with this argument is that it could equally be made for advertising and marketing cookies (whose activities help to fund websites). The intention of the legislation was clearly that this exemption is a narrow one and the Commissioner intends to continue to take the approach he has outlined clearly in published guidance since the 2003 Regulations were introduced.

Activities likely to fall within the exception

- A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
- Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services
- Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.

Activities unlikely to fall within the exception

- Cookies used for analytical purposes to count the number of unique visits to a website for example
- First and third party advertising cookies
- Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

So it looks like.. in general, as long as the cookie is for the necessary functionality of the website, such as shopping carts, and not a trivial use or for tracking or advertising, you can use cookies and not ask for explicit permission.

This is just my opinion from the source document. I am no lawyer and take no liability for your use of this information.

Cheers.

david_king Posted May 29, 2012

I would agree with this. Seems like the UK government has taken a step back from its original plan: http://apps.facebook.com/theguardian/technology/2012/may/26/cookies-law-changed-implied-consent

In any case I think that the law is un-policeable.

codegrunt Posted May 29, 2012

Another issue to keep in mind is the reality of whether this policy will be enforced or not. For example, here in Canada we have very strict privacy laws but very little active enforcement of them. Considering the sheer number of websites out there affected by this and the landscape of public sector budgets, it is doubtful that any agency is going to suddenly start hiring cookie police to make arrests (as david_king notes as well).