Cookie Law

The Privacy and Electronic Communications (EC Directive) Regulations was ammended on 25th May 2011 to include a change to Article 5(3) of the e-Privacy Directive requiring consent for storage or access to information stored on a subscriber or users terminal equipment - in other words a requirement to obtain consent for cookies and similar technologies.

The Information Commission allowed a period of one year for websites to become compliant, so, from 25th May 2012 it will be illegal to place cookies onto a visitors computer without the informed consent of the user/visitor.

In his Guidance Notes the ICO highlighted various changes that he wished to see implemented and outlined some practices which were unacceptable.

1. Websites must seek prior informed consent before setting a cookie and that the facilities built in to the various internet browsers enabling the control of cookies was not sufficient.

2. The only cookies exempt from consent are those that are essential for the website to work correctly. These are restricted to shopping carts and other situations where information needs to be transferred from one page to another, again most commonly associated with online shopping.

3. Every website must have a Privacy Policy which, in addition to the basic requirements of the Freedom of Information Act and the Data Protection Act should include the details of all the cookies which may be set, how long they remained in situ and their purpose.

4. The Privacy Policy should not be positioned within menus or accessed by links in small print at the bottom of the page, but should hold a prominent position.

5. Users/Visitors should have the ability to change their mind and either give or withdraw their consent at a later date.

6. A relationship agreement must exist whereby website owners can be confident that information collected by third parties is not open to misuse. Google is the biggest player, the ICO guidance says: "If the information collected about website use is passed to a third party you should make this absolutely clear to the user.  You should review what this third party does with the information about your website visitors." Therefore it is clear consent must be achieved for a website to pass information to Google. The same applies to Facebook, Twitter, Linkedin etc.

 

Our Solution

1. You have already passed through our consent stage. If you clicked "OK" you will never be asked again. The analytical cookie has been set and statistical gathering has started. We could have implemented the solution adopted by http://www.ico.gov.uk/ and http://www.ja.net/ but banners that appear at the top of the page can be ignored which means statistics will not be or should not be gathered. We believe that we have provided all the information necessary for visitors/users to give informed consent.

2. Google is attempting to make a case that the Google Analytics Cookie should be exempt but guidance from the ICO states "If the information collected about website use is passed to a third party you should make this absolutely clear to the user.  You should review what this third party does with the information about your website visitors." Therefore it is clear consent must be achieved for a website to pass information to Google.

3. We have written a new Privacy Policy which will replace any that already exists on your website.

4. We do not believe that the location and positioning of our Privacy Policy can be criticised.

5. Visitors can change the settings of our cookies at any time from within the Privacy Policy

6. In Phase 1 of compliance we migrated our council clients away from Statcounter, a third party cookie, onto our own hosted solution "Piwik". Phase 2 is to implement the consent and new Privacy Policy