UPDATE 25 May 2011: The Information Commissioner's Office has issued a new statement that effectively gives UK organisations a further 12 months to comply with the new regulations. This does not mean we can wait the 12 months out, but that they have 12 months to find a more workable solution and we can take time to consider how we meet the requirements.
This affects all EU-based websites and organisations, so it is worth spending a few moments understanding what has changed and how it affects you.
In essence the law says we now need to ask the visitor’s “prior consent” before placing a cookie on their machine. The exception to this rule is where the cookie is “strictly necessary” for the service requested.
What is a cookie
Cookies are small data files that are placed on a website visitor's machine to help deliver the site's functionality, such as allowing access to member areas, operating shopping baskets and aiding site analytics.
If that has whetted your appetite for more detail, please take a trip to Wikipedia - http://en.wikipedia.org/wiki/HTTP_cookie
You’ve guessed it - “prior consent” is ill-defined. The EU regulation states that this includes where a visitor “amends or sets controls on their browser”. In the UK the Information Commissioner had delayed guidance while they looked into making the browser provide more control over cookies. Unfortunately the Information Commissioner has since commented that, in the UK interpretation, setting browser controls alone is not sufficient.
The resulting confusion will settle in the coming months.
There are only two exceptions to this on our systems. The first is the Google Analytics data in the session cookie which allows collection of anonymous data about use of the site. The second is an element in the session cookie we use for authorising access to the administration site - which technically could be classed as necessary for the audit trail and version control.
What do you need to do
We will keep an eye on the developing interpretation of the legislation in the UK and let you know whenever we learn of anything that changes our views. Please contact your own solicitor where you have sub-sites specifically provided for non-UK visitors, even though the sites are served from UK-based data centres. Local legislation in other EU countries may vary.