One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Which Cookies? Which Law?

Wednesday, June 6, 2012 - 10:55

An interesting question about the EU's new cookie law is which cookies I am responsible for. For example, when reading this blog you will receive some cookies from the underlying Wordpress platform, for purposes such as maintaining your session and remembering your name and e-mail if you leave a comment so you don't have to re-type them next time. You also get a cookie from pixelstats, because I've chosen to use that to measure the number of visitors to my pages so I can work out which are popular and try to write and do more on those topics. As it happens, JANET(UK) runs its own Wordpress server, so we are responsible for ensuring that all of those cookies comply with the law. But what if the blog were on an outsourced Wordpress server run by someone else? In that case I'd have no control at all over the session and memory cookies; indeed I might not even know about all of them if the platform behaved differently for browsers or operating systems that I don't run. So it would seem a bit unfair if the law made me responsible for them. Fortunately, as far as I can see, it doesn't. Regulation six (as amended) says:

a person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

[note that, as usual in law, "person" includes both humans (natural persons) and organisations (legal persons)]

I think that means that I am responsible for the pixelstats cookies, because I am the person who controls whether or not they are stored in your browser, by choosing (or not) to enable that code on my site. However, I hope it also means that the cookies stored and read by the Wordpress platform are the responsibility of the person who operates the platform. So that's a good thing...

Or is it? It means that when you visit a page on a website of any complexity, you may be getting cookies from several separate organisations. Each of those organisations is going to have to ensure that consent has been obtained for its own cookies, and since none of them can know about the cookies installed by the others, those consent mechanisms are all going to be separate too. So, for example, my privacy page will tell you about the pixelstats cookies (I confess: it doesn't yet, but we are working on it), but to find out about the Wordpress ones you'll have to go to the Wordpress page. And suppose I were to include other web services in frames... If any of the cookies require popups or active consent buttons, then those are going to multiply too. I can't see any way around this, unless the law is going to have the side-effect of forcing hosted services to have much more restrictive agreements with their platforms :(
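As an added example (not code from the post or from Jisc), here is a small Python cookie inventory that groups the cookies observed while loading one page by the party whose response set them, which is the practical starting point for working out which cookies you enabled yourself and which arrive from an embedded service. The hostnames and cookie names are constructed, and cookies that a hosted platform sets on your own domain still show up as first-party here, so this is a technical inventory rather than the legal determination discussed above.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit
from collections import defaultdict

# Constructed sample: (URL of the response, Set-Cookie header value) pairs as a
# browser would see them while loading one blog page. pixelstats.example and
# blogplatform.example are assumed names for the statistics service and an
# embedded platform widget; they are not real hosts.
OBSERVED = [
    ("https://blog.example/2012/06/which-cookies/", "wordpress_logged_in=abc123; Path=/; HttpOnly"),
    ("https://blog.example/2012/06/which-cookies/", "comment_author=alice; Path=/; Max-Age=31536000"),
    ("https://pixelstats.example/pixel.gif?site=42", "ps_visitor=9f8e7d; Domain=pixelstats.example; Path=/"),
    ("https://blogplatform.example/embed/widget", "platform_session=zzz; Path=/; Secure"),
]

def registrable_domain(host):
    """Crude registrable-domain guess: the last two labels. Fine for the
    constructed hosts here; a real audit should use the Public Suffix List
    so that e.g. ac.uk or co.uk is not treated as an organisation."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])

def cookie_inventory(site_host, observed):
    """Group every observed cookie by the party that set it, relative to the
    site being audited. Returns
    {"first_party": [entry, ...], "third_party": {setter_domain: [entry, ...]}}.
    """
    own = registrable_domain(site_host)
    first, third = [], defaultdict(list)
    for url, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        setter = urlsplit(url).hostname
        for name, morsel in jar.items():
            # The cookie's effective domain is the Domain attribute if present,
            # otherwise the host whose response carried the Set-Cookie header.
            effective = morsel["domain"] or setter
            entry = {
                "name": name,
                "set_by": setter,
                "domain": effective,
                # Persistent cookies survive the session and need explaining in a policy.
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
            }
            if registrable_domain(effective) == own:
                first.append(entry)
            else:
                third[registrable_domain(effective)].append(entry)
    return {"first_party": first, "third_party": dict(third)}
```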

And just to add a little more complexity, the Dutch Parliament is reported to be developing a cookie law that goes further than the EC Directive, requiring a website to be able to prove that each visitor gave their consent. That looks like a pain for Dutch websites (not to mention a privacy threat to their visitors, if the sites are going to have to retain lists of who visited!), but it's suggested the law may even require non-Dutch websites to comply when they deal with Dutch citizens. And how do I remember which law to apply to you? Store a cookie?

[UPDATE: Francis Davey, a real lawyer, has come to the same unpleasant conclusion about platform cookies :(]