Cookies: More information, and a demonstration

Wednesday, June 6, 2012 - 10:50

With a new law on obtaining consent for cookies coming into force today, the Information Commissioner has published details of how the ICO's own site has been updated to comply. There appear to be three main changes:

  • A lot more information on the privacy statement about the names and purposes of each cookie, and how access to the site will be affected if they are not accepted;
  • Notice of the session cookie that appears to be essential for the site to perform its function (and which will have already been installed by the time the user reads the notice);
  • A checkbox at the top of every page allowing the user to consent to the use of cookies. It appears that unless consent is granted, the site will not present the Google Analytics cookies that it and many other sites use.

While the first two of these should be relatively simple for others to follow, the checkbox looks tricky to implement for any site that does not use a single Content Management System. However, it is not clear from the ICO's information whether the difficulty of implementation is something that organisations are allowed to consider in determining how to comply with the law, or what other approaches to obtaining consent for analytics and similar cookies will be acceptable.

An open letter from the Department for Culture, Media and Sport explaining its approach to transposing the Directive into UK law does suggest that difficulty of implementation might be a relevant factor by recognising that "in certain circumstances it is impracticable to obtain consent prior to processing". However the proposed solution to this problem seems certain to cause legal confusion, since it requires the word "consent" to have different meanings in different articles of the Directive! In Regulation 6, dealing with cookies, the word is used without qualification, leading the Government to conclude that here "consent may be given after or during processing" even though "in its natural usage 'consent' rarely refers to a permission given after the action for which consent is being sought has been taken". The Government therefore argue that the "consent" required for cookies (which may be obtained during or after the event) is different to the "prior consent" that the same Directive and Regulations require before personal data may be processed for marketing or value added services (Regulation 7). [For those struggling, like me, to have both the original legislation and the amendments open on the same screen, Jon Warbrick has a marked up version of Regulation 6 on his blog]

The letter also appears to contain a puzzle over when a web site will be able to rely on cookie settings in users' browsers. It agrees with others that "current browser default settings [are not] enough to constitute consent", but confirms that the text of the law does "allow for the subscriber not to amend settings and still signify consent". In other words, at some point in future, websites will be able to rely on browser settings as an indication of the user's wishes. But it's not at all clear to me how we get from one situation to the other, unless the Department is planning to announce one day that henceforth unchanged browser settings can be relied upon to indicate consent, or to grant particular browser versions a "consent-approved" status. In the meantime it seems that both browsers and websites will have to develop systems for obtaining consent that will inevitably duplicate (and possibly conflict with) each other.

Fortunately the Information Commissioner has also declared a grace period of a year before full enforcement measures will be taken against those who have not implemented the new law. However the actions taken by sites in those twelve months may be taken into account in any subsequent enforcement action, so this definitely isn't an excuse to do nothing. It's to be hoped that in a year's time the balance between the duties of sites and browsers is a lot clearer than it seems now.

[UPDATE Brian Kelly has comments on the new law from a web manager's perspective]

[UPDATE The European Commissioner has also offered a year's grace period for sites to comply with the regulations, but threatened to "employ all available means" against those who do not]