The Privacy and Electronic Communications (EC Directive) Regulations was ammended on 25th May 2011 to include a change to Article 5(3) of the e-Privacy Directive requiring consent for storage or access to information stored on a subscriber or users terminal equipment - in other words a requirement to obtain consent for cookies and similar technologies.
The Information Commission allowed a period of one year for websites to become compliant, so, from 25th May 2012 it will be illegal to place cookies onto a visitors computer without the informed consent of the user/visitor.
In his Guidance Notes the ICO highlighted various changes that he wished to see implemented and outlined some practices which were unacceptable.
1. Websites must seek prior informed consent before setting a cookie and that the facilities built in to the various internet browsers enabling the control of cookies was not sufficient.
2. The only cookies exempt from consent are those that are essential for the website to work correctly. These are restricted to shopping carts and other situations where information needs to be transferred from one page to another, again most commonly associated with online shopping.
5. Users/Visitors should have the ability to change their mind and either give or withdraw their consent at a later date.
6. A relationship agreement must exist whereby website owners can be confident that information collected by third parties is not open to misuse. Google is the biggest player, the ICO guidance says: "If the information collected about website use is passed to a third party you should make this absolutely clear to the user. You should review what this third party does with the information about your website visitors." Therefore it is clear consent must be achieved for a website to pass information to Google. The same applies to Facebook, Twitter, Linkedin etc.
1. You have already passed through our consent stage. If you clicked "OK" you will never be asked again. The analytical cookie has been set and statistical gathering has started. We could have implemented the solution adopted by http://www.ico.gov.uk/ and http://www.ja.net/ but banners that appear at the top of the page can be ignored which means statistics will not be or should not be gathered. We believe that we have provided all the information necessary for visitors/users to give informed consent.
2. Google is attempting to make a case that the Google Analytics Cookie should be exempt but guidance from the ICO states "If the information collected about website use is passed to a third party you should make this absolutely clear to the user. You should review what this third party does with the information about your website visitors." Therefore it is clear consent must be achieved for a website to pass information to Google.