Fndr at Majestic12.co.uk
16 December 2003 10:51am
On 14:46:47 15 December 2003 GrahamRoss wrote:
The argument is based on "The Privacy and Electronic Communications (EC Directive) Regulations 2003".
My argument below is as follows:
1. I will show that 6(4) does not apply in a number of cases, which would mean that 6(1) must be complied with for these cases (quite typical too).
2. I will agree about the issue of "storage" - this was however not essential for my argument.
3. I will demonstrate that the issue of gaining "access" is still present _IF_ the "delete client side cookies" proposal is offered as the _ONLY_ means of compliance with
"6. - (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met."
Sorry, I would not agree that it will be valid for all cases; here is the full text of 6(4):
"(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network;
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user."
6(4) won't apply in many cases, such as (for example) a cookie containing an email marketing campaign id, which is neither necessary nor required to facilitate the transmission as defined above.
Since 6(4) won't apply in this and other similar cases, I conclude that 6(1) and (2) must still be complied with in at least a number of pretty common cases (such as email tracking).
How typical are my cases? I'd say pretty common.
Cookies are easier to program than doing a full database solution, and because of that a lot of people rely on them for things that are not "strictly necessary" - almost all email marketing, banner advertising etc.
> So the requirements of paragraph 2 relate only
> to storage in the terminal equipment of the subscriber or
> user ie client terminal.
"Oh yeah, I agree with that." (c) Soldier #2 from
Monty Python's "Holy Grail"
Apart from the minor bit that I am arguing about 6(1), which defines what is NOT allowed to do (storing and/or accessing) unless 6(2) is complied with.
"6. - (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met."
This is not my main argument, however, as the issue of storage arose from me using the word "storing" about data on the server side while the main issue was being discussed.
My main argument however was and still is that the "access" requirement, ie 6(2)(b), is broken in the not so hypothetical case where a cookie's value was logged on the server side for later access by a person (an analyst like me) _IF_ the user was told to "delete cookies on client side" as the means of compliance with 6(2)(b), which I quote:
In fact, the suggestion to delete cookies on the client side is not material in my view to compliance or non-compliance with these regulations, as by itself the deletion on the client side:
a) does not make the site compliant due to broken Reg 6(1) due to broken 6(2)(b)
b) is not necessary to suggest but might be a good idea - "best practice" as Ashley said - but not in my view sufficient to comply with the law
It appears to me that suggesting the user "delete cookies" on the client side as the only means of compliance with Regulation 6 is not the right thing to do, because it will violate 6(2) of said regulations in at least a few very realistic cases (I think many cases).
Of course everything above is IANAL and IMHO :)
MD at The ClaimRoom.com Ltd
16 December 2003 12:36pm
Alex - I'm afraid you are getting this all wrong.
> 1. I will show that 6(4) does not apply in a
> number of cases which would mean that 6(1) must be
> complied with for these cases (quite typical too)
Of course. But you are overlooking the fact that Regulation 6 does not apply AT ALL to server side data retention. It only applies to information stored "in the terminal equipment of a subscriber or user".
So there can be no breach of these regs for storing data if:-
1. It's stored on the server or
2. It's information coming within the categories of exclusion in Reg 6(b) or
3. A warning and opportunity to remove is given.
All data stored at the server end has however to comply with the Data Protection Act (ie not excessive and not without a DP notice).
16 December 2003 12:53pm
>Alex - I'm afraid you are getting this all wrong.
>Of course. But you are overlooking the fact that
>Regulation 6 does not apply AT ALL to server side data
>retention. It only applies to information stored
>"in the terminal equipment of a subscriber or
But the regulations apply to "ACCESS" to cookie data "stored", as you pointed out, on the client side - the access is possible as the data was logged on the server side. I am talking specifically about cookie values being logged in many server side logs.
>So there can be no breach of these regs for storing data
>1. Its stored on the server or
>2. Its information coming within the categories of
>exclusion in Reg 6(b) or
>3. A warning and opportunity to remove is given.
Agreed about 3) - my original point refers to the suggestion that a warning to delete cookies AFTER some browsing took place, which will cause cookie data to be "accessed" (by virtue of being logged on the server side), will be in violation of regulation 6.
Here is the scenario:
1. I click on a link leading to the site - this will set the email marketing cookie.
2. I keep browsing the site - this will log all accesses with the cookie value as set in 1).
3. I finish browsing and follow the site's instructions to delete cookies on the client side.
4. The cookie data on the server side with cookie values is still intact - this can be accessed at a later date by analysts in violation of Regs 6.
IF there was a warning that this process will take place then Reg 6 should be fine in my opinion.
IF you only give instructions to remove cookies from the client side then these cookie values will still be accessed as they are also stored on the server side. If you like, these "removal" instructions are incomplete and misleading. What's worse is that people on the server side will not even know if cookies were deleted by the user or just expired - in either case an ACCESS to cookie data can still take place.
Bottom line is that in the above scenario the cookie data will be accessed against the wishes of a user who will be under the impression that deletion of cookies on the client side will be the end of the story - which it won't be, because that data will have already been "accessed" (assuming a person will look at that data of course).
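The scenario above (a marketing cookie set on arrival and then written to the server's access log on every later request, so that deleting it in the browser leaves the logged copies behind) as an added illustration; this is not code from the thread or from any of its participants. The request records, cookie names (`campaign_id`, `session`) and log format are constructed, and the redacting logger plus the audit check are assumptions about how a site could avoid retaining the value, not something the thread's authors proposed.

```python
import re
from typing import Callable, Dict, List, Set

# Constructed sample traffic: the visitor arrives via an email campaign link (which sets a
# marketing cookie) and then browses on, sending that cookie back with every request.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"path": "/landing?campaign=spring2003", "cookie": ""},
    {"path": "/products", "cookie": "campaign_id=spring2003; session=abc123"},
    {"path": "/checkout", "cookie": "campaign_id=spring2003; session=abc123"},
]

# Assumed names of cookies whose values identify a campaign or the visitor and therefore
# should not be written to a long-lived access log.
TRACKING_COOKIES: Set[str] = {"campaign_id", "session"}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header ('name=value; name2=value2') into a dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def naive_log_line(req: Dict[str, str]) -> str:
    """The logging pattern the thread describes: the raw Cookie header goes into the log."""
    return f'GET {req["path"]} cookie="{req["cookie"]}"'


def redacting_log_line(req: Dict[str, str], tracking: Set[str] = TRACKING_COOKIES) -> str:
    """Log the request but replace tracking-cookie values with a marker, so the log
    records that such a cookie was present without retaining the value itself."""
    cookies = parse_cookie_header(req["cookie"])
    kept = [f"{name}=<redacted>" if name in tracking else f"{name}={value}"
            for name, value in cookies.items()]
    return f'GET {req["path"]} cookie="{"; ".join(kept)}"'


def write_log(requests: List[Dict[str, str]],
              formatter: Callable[[Dict[str, str]], str]) -> List[str]:
    """Render each request with the chosen formatter, as an access log writer would."""
    return [formatter(r) for r in requests]


def audit_log(lines: List[str], tracking: Set[str] = TRACKING_COOKIES) -> List[str]:
    """Scan existing log lines for retained tracking-cookie values: a check a site can run
    over its own logs to see whether client-side deletion really leaves nothing behind."""
    names = "|".join(map(re.escape, sorted(tracking)))
    pattern = re.compile(r"\b(" + names + r")=([^;\"\s]+)")
    found: List[str] = []
    for line in lines:
        for name, value in pattern.findall(line):
            if value != "<redacted>":
                found.append(f"{name}={value}")
    return found


if __name__ == "__main__":
    naive = write_log(SAMPLE_REQUESTS, naive_log_line)
    safe = write_log(SAMPLE_REQUESTS, redacting_log_line)
    print("naive log retains:", audit_log(naive))
    print("redacting log retains:", audit_log(safe))
```

Run as a script, the naive log is found to retain the campaign id and session value twice each (once per later page view), while the redacting log retains nothing; the same `audit_log` check can be pointed at real log lines to see whether a site's "delete your cookies" advice is undercut by its own server-side records.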
Marketing Consultant at Email Marketing Solutions
16 December 2003 16:14pm
I would argue that once a cookie's value is logged to the server, it ceases to be "cookie data" & becomes "just data". In your example, it is therefore a data protection issue rather than a cookie issue.
Graham, many thanks for your help in clarifying some of the issues. It's appreciated.
16 December 2003 17:30pm
>I would argue that once a cookie's value is logged to the
>server, it ceases to be "cookie data" &
>becomes "just data". In your example, it is
>therefore a data protection issue rather than a cookie
Russel, I am afraid the legislation in question does not differentiate between different naming conventions such as "cookies". It addresses "information" usage - you may call it cookie, data, info etc - it does not change the fact that by having this "information" logged on the server side you cannot claim to be compliant by giving people the choice to delete cookie data on the client side.
6(2) clearly states:
"(2) The requirements are that the subscriber or user of that terminal equipment -
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information."
The suggestion to delete cookies on the client side is not sufficient to satisfy 6(b) simply because it may be logged on the server side - confidentiality of data may be breached against user wishes.
17 December 2003 15:05pm
>Suggestion to delete cookies on client side is not
>sufficient to satisfy 6(b) simply because it may be logged
>on server side - confidentiality of data may be breached against user
Alex - Forgive me but you are still missing the whole point. Whenever Regulation 6 refers to 'information' it only refers to information stored on the client side. The reference in 6(4)(b) to 'access to THAT information' is access to information on the client side. The fact that there is data stored on the server is irrelevant. This is just about cookies. Server stored information is covered by the DPA only.
Can we drop this now and agree to disagree, unless anyone else wishes to chip in.
17 December 2003 15:18pm
>Can we drop this now and agree to disagree, unless anyone
>else wishes to chip in.
Yes I can agree on that. I hope future application of these regulations will provide some clarity.
Cheers for taking the time to respond to my comments.