Cookies & EU E-Privacy Directive

[scaryjim]

Hi Guys,

I assume I'm not the only web developer here who's starting to get a little twitchy about the amendments to the E-Privacy directive regarding storing cookies? Anyone got systems in place or found any loopholes around this yet? I've been having a read of the actual directive today, and it looks to me like there may be a number of circumstances in which you don't need to provide explicit information (as well as the ridiculous shopping cart exclusion). The relevant section (Article 5, Paragraph 3) includes the statement

This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

Perhaps it's just me, but that seems to read that where a user has explicitly requested to do something on your service (e.g. to log in) you can store the log in cookie without providing extensive information that would otherwise be required.

Thoughts anyone?

[therac]

Hmm
I think its still uncertain as to what this means in practice. The Information Commissioner's own press release is at http://www.ico.gov.uk/~/media/docume..._08032011.ashx (apologies - stupid board restricts me from posting URL as link!) in which he states its challenging...
You could certainly argue that as long as you are improving directly the user's web viewing experience you dont have to pop up a warning box - that could go as far as sending him your targetted content, but if it extended to advertising he hadn't asked for such as Adsense, I suspect it steps over the line. Hopefully the browser developers will put a switch in so users can choose (just like for Javascript) and then its down to the developer to detect this and code for it (if the numbers implementing it make this worthwhile of course ).
Bit like accessibility I suspect - good practice is really all that is required a present as unlikely to result in a court case except in exceptional circumstances. I would wait and see what direct.gov and the ICO's own site do...

[yamangman]

Like a vast number of things data protection law-related, it is not well understood, least of all by the ICO. The problem is that until a complaint is tested in the courts of the UK, who really knows what is legal and what is not? Although the ICO has the power to take punitive action before it reaches the courts, any action enforced by the ICO can (and almost certainly will) be tested in the courts. In my opinion, if you use cookies for their purpose of maintaing state (over a single site/url), and are not sharing personal data with other organisations without explicit consent of the user, you should have nothing to fear. This is the approach that I use, and will continue to use.

[aidanjt]

Like all law, it's intentionally ambiguous and written in a manner which keeps plenty of work coming to the way of solicitors and barristers like the ones who wrote the bill in the first place. In software, ambiguity is seen as a bug, in law, it's seen as a vital feature.

[Saracen]

.... (apologies - stupid board restricts me from posting URL as link!) in which he states its challenging.......

The restriction is not stupid at all. It's because the vast bulk of the time, links posted by a brand new member are spamming links. When someone posts something legit and clearly isn't a spammer, as is the case with you, we can amend it manually. And the restriction only lasts for a few posts (by which time, we've normally dealt with spammers anyway).

It is occasionally a nuisance for very new members, but that rule is there for a good reason.