Article 29WP on Cookies
Although its main concern is the more general application of consent to data processing, a new Opinion from the Article 29 Working Party also provides the first positive hint I’ve seen from regulators on what they think an acceptable cookie interface might look like. This is a helpful development – statements from other regulators have mostly concerned what was not acceptable – but their ideas still seem to raise significant technical and legal issues.
The amended Privacy and Electronic Commerce Directive (2002/58/EC) introduced a requirement that information may only be stored on a user’s computer (typically in the form of a cookie) with their consent. The previous legislation required that the cookie be documented and the user offered the right to refuse it if they wished (generally understood to be satisfied by the ability to delete and block cookies in a browser). Since the main discussion of the Opinion concludes that consent can only be expressed by an unambiguous positive action, it is not surprising that the Working Party consider that a web browser that allows cookies by default and relies on the user taking action to disable them is not a satisfactory way to obtain this consent. Instead they propose that browsers should block all cookies by default and then “require users to go through a privacy wizard when they first install or update the browser and provide for an easy way of exercising choice during use” (p32).
That sounds good, but to write either a wizard or a user-friendly “way of exercising choice” seems to require more machine-readable information about cookies and their function than is currently available. Users will presumably want to tick boxes for options like “allow shopping carts” or “make TERENA’s login work”, but all the information that the browser has to go on, as far as I know, is where the cookie came from, which URLs it wants to be associated with, and how long it wants to be stored. There is nothing to tell me what the function of all those __utma cookies is, or to allow me to select in any meaningful way whether or not I want to allow websites to analyse my browsing patterns. Adding that information would seem to require coordinated changes to both browsers and cookie-using websites, and perhaps the development of a way of expressing cookie purpose, unless something like P3P descriptions (thanks to Brian Kelly for pointing these out) can be used to express that kind of user-comprehensible rule.
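To make that limitation concrete, here is an added example (not from the Opinion or from any browser's code) that extracts everything a Set-Cookie line tells the browser and shows that a shopping-cart cookie and an analytics cookie end up in the same consent bucket. The function names `describeCookie` and `wizardKey`, the `shop.example` hostnames and the cookie values are assumptions made up for illustration.

```javascript
// Added example. Attribute handling follows RFC 6265 Set-Cookie syntax.
// Assumption: "first party" is a hostname-suffix check; real browsers
// consult the Public Suffix List.
function describeCookie(header, responseHost, pageHost, nowMs) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const info = { name: eq < 0 ? pair : pair.slice(0, eq),
                 domain: responseHost.toLowerCase(), path: '/',
                 lifetimeSeconds: null };            // null = session cookie
  let expires = null, maxAge = null;
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : a.slice(i + 1).trim();
    if (key === 'domain' && val) info.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path' && val.startsWith('/')) info.path = val;
    else if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    else if (key === 'expires' && !Number.isNaN(Date.parse(val)))
      expires = Math.round((Date.parse(val) - nowMs) / 1000);
  }
  // Max-Age takes precedence over Expires when both are present.
  info.lifetimeSeconds = maxAge !== null ? maxAge : expires;
  const page = pageHost.toLowerCase();
  info.party = (page === info.domain || page.endsWith('.' + info.domain))
    ? 'first' : 'third';
  return info;
}

// The only grouping a consent dialog can build from those fields.
function wizardKey(info) {
  const kind = info.lifetimeSeconds === null ? 'session' : 'persistent';
  return `${info.party}-party/${kind}`;
}

// Constructed sample headers (values are made up).
const SAMPLES = [
  'cart=c0ffee; Domain=shop.example; Path=/; Max-Age=63072000',
  '__utma=1.2.3.4.5.6; Domain=shop.example; Path=/; Max-Age=63072000',
];
const NOW = Date.UTC(2020, 0, 1);   // arbitrary reference time
const described = SAMPLES.map(
  h => describeCookie(h, 'www.shop.example', 'www.shop.example', NOW));
console.log(described.map(d => `${d.name}: ${wizardKey(d)}`));
```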
And the idea of a wizard then makes me wonder how a particular cookie use gets added to the wizard. If a new advertising network or analytic system has to ask browser vendors for a listing in their particular wizard, aren’t we getting dangerously close to the sorts of concerns that have led to debates and some legislation on network neutrality?