New EU cookie law directives : protecting your online business

Here are the views of our legal eagle, Claire Shepherd, IP/IT Solicitor, on understanding what businesses should do until the new EU law affecting the use of cookies comes into play in the UK:

We can’t be 100% sure what businesses will be required to do until the Regulations are actually implemented in the UK at the end of May. If the Information Commissioner’s Office (ICO) publishes guidance at this point, it will help online businesses understand what they should and should not do with regard to the use of tracking cookies on sites. The reason? The new European Directive unfortunately doesn’t spell it out - if the exact wording of the new Directive is implemented in the UK verbatim, exactly what qualifies as a user’s ‘consent’ to the use of tracking cookies will remain controversial. Various bodies (e.g. Interactive Advertising Bureau, European Publishers’ Council, Article 29 Working Party, which is a group of EU data protection regulators) all have different viewpoints about whether simply updating the privacy policy is enough to qualify as consent, or whether websites, as soon as the user enters the site, need to obtain the user’s consent through ‘accept’ buttons or opt-in boxes.

The new Directive says that the “storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information”. It does not spell out whether the user needs to give “explicit consent”, which would imply the use of opt-in boxes or an ‘accept’ button.

Until further guidance is issued, you should attempt to comply with the current UK Regulations by giving the user as much clear, comprehensive and accessible information as possible about your use of cookies. For example, following Google’s privacy policy (http://www.google.com/privacy/privacy-policy.html), you should put a section in your privacy policy which informs the user that you will be using tracking cookies, what you use the cookies for (e.g. to measure traffic, to provide behavioural advertising), how they can change the settings on their site account, and that they can change their browser settings to refuse cookies (and, if relevant, how they can change preferences regarding behavioural advertising cookies). Ideally, the privacy policy should be easily accessible through a hyperlink on every page.


I find it hard to believe that the new UK Regulations will demand that every online business must obtain the user’s consent through opt-in boxes or an ‘accept’ button before the user can even use the site – as this would be a serious hassle for both the user and the website owner. We should find out soon!

Further reading :
http://www.bbc.co.uk/news/technology-12668552
http://www.bbc.co.uk/news/technology-12677534
http://www.out-law.com/page-5486

© 2010 Gecko New Media Ltd, All Rights Reserved.