Head of Protection Products at Citi Bank UK Consumer (Egg.com)
30 July 2003 15:39pm
Do I understand correctly, that there will be some new guidelines on Cookies published soon? How they can be used etc etc?
Where could I go to find out more information about the subject?
05 August 2003 12:44pm
New regulations (The Directive on Privacy and Electronic Communications aka Privacy Regulations) regarding email marketing and cookies are to come into effect on 31 October this year, though the exact wording and format is still to be confirmed, as far as I am aware.
The latest from the DTI is at http://www.dti.gov.uk/industries/ecommunications/index.html
Website Maintenance & Support
On 15:39:00 30 July 2003 C.H wrote:
>Do I understand correctly, that there will be some new
>guidelines on Cookies published soon? How they can be used
>Where could I go to find out more information about the
Project Manager at Box UK
12 August 2003 16:23pm
You may find this useful, http://www.aboutcookies.org. It was set up by a law firm who have probably read (and understood) the directive.
Might be worth a look if like me you've been given the unenviable task of finding out what this Privacy Regulations stuff is all about.
Marketing Consultant at Email Marketing Solutions
11 December 2003 11:43am
The directive goes live today.
CEO at Econsultancy
11 December 2003 16:10pm
11 December 2003 17:33pm
I've added the following text & link to the end of the "information about cookies & what we use them for" area on our site:
"How to delete and control cookies: www.aboutcookies.org"
If there are any legal bods out there that *don't* think this is sufficient to meet the new legislation requirements, please post a reply. TIA.
Fndr at Majestic12.co.uk
12 December 2003 17:09pm
On 16:10:06 11 December 2003 Ashley wrote:
>they can delete the cookies you may have set. This is a
>workaround for them being able to 'reject' cookies.
IANAL (I Am Not A Lawyer - but I wish I was!) telling user how to delete cookies should not be sufficient because most likely these cookies were logged on Firm's server side and then replicated in great many places -- essentially this will mean you DID collect and likely WILL use this tracking information on user even though they did not want it and did indeed delete cookies following your instruction, but they deleted on CLIENT side.
The users may argue that they were misled by "do this to delete cookies" as it would not actually delete cookies everywhere - particularly in firm's data warehouses.
MD at The ClaimRoom.com Ltd
15 December 2003 10:30am
On 17:09:06 12 December 2003 Alex Chudnovsky wrote:
>IANAL (I Am Not A Lawyer - but I wish I was!) telling user
>how to delete cookies should not be sufficient because
>most likely these cookies were logged on Firm's server
>side and then replicated in great many places --
>essentially this will mean you DID collect and likely WILL
>use this tracking information on user even though they did
>not want it and did indeed delete cookies following your
>instruction, but they deleted on CLIENT side.
IAAL - Apart from the point that, without the client side data storage, you are not talking 'cookies', the new Regulations (The Privacy and Electronic Communications (EC Directive) Regulations 2003) apply (Reg 6) only to the client side element of cookies. However, any data about a user retained at the server side (which is not strictly a cookie but just data storage) has to comply with the Data Protection Act anyway and so, if it is such as can identify a living person and not just a terminal then cannot be retained any way without appropriate consent under DPA.
Important to also bear in mind that, even if you follow the Regs in giving proper notice and opportunity to remove, it would be a breach of the DPA to store cookies that contain more data than reasonably necessary for the purpose of the cookie.
Members of our service at www.TheAdviceRoom.com receive a free guide to the new regulations.
15 December 2003 12:30pm
Great post Graham. I was merely trying to say that telling user how to delete cookies is (in my view) not sufficient to satisfy Regulation 6 (b) of The Privacy and Electronic Communications (EC Directive) Regulations 2003.
The reason I think so is because deletion of cookies on client side (terminal equipment) is likely to take place after cookies were stored on server side for future potential accesses.
15 December 2003 14:46pm
Alex - I see what you are getting at, 6(2)(b) to which you refer, and which says:-
"2) The requirements are that the subscriber or user of that terminal equipment - .........
(b) is given the opportunity to refuse the storage of or access to that information."
You interpret that to cover refusal of storage generally and, therefore, that the user has to have the opportunity to refuse storage at server side. This is, however, wrong since 'storage' has to be interpreted subject to Reg 6(1) which clearly limits use of the word 'storage' in the rest of Regulation 6 to client side storage only. It says:-
"6. - (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met."
So the requirements of paragraph 2 relate only to storage in the terminal equipment of the subscriber or user i.e. client terminal.