ICO on new Cookie Law: 'Don't expect torrent of enforcement action' Amid criticism that hardly any UK government websites comply with the new EU-mandated "Cookie Law" that comes into force on 27 May, the ICO has announced that it will be sending out some letters, and then waiting for people to complain. The ICO will send out 50 letters to the UK's biggest websites over the next few days, its …
I'm waiting to see what the BBC does, then our largest competitor.
Only then will I decide what to do.
The way I see it, if you ask people if they don't want cookies tracked, you're going to have to set a cookie to set that preferencee, otherwise you'll keep asking them the same question. (yes I know you could pass it through URL params, but really???)
Nah, you put a cookie on to say they are willing to be tracked. If the cookie is not there, you ask. That way people get so fed up being questioned they say yes just to shut you up.
Meanwhile I think I'll go check a few guv'mnt websites and complain if they are non-compliant. After all, they should set an example and as far as I can see are the only ones that we can guarantee can be taken to court.
Another non-clarifying bit of BS from the ICO.
So what now, do we all start reporting every site that does not comply to the ICO and drown them in a bath they filled with their own shit?
Reminds me of Red Dwarf - maybe Rimmer is working at the ICO - "The time for talking is over. Now call it extreme if you like, but I propose we hit it hard, and we hit it fast, with a major, and I mean major, leaflet campaign."
@FatsBrannigan: "Why not complain to the ICO"
You seriously naively believe anything you say to the useless ICO will be listened to?! ... How stupid are you!?! ... The ICO have consistently done fuck all about their endless toothless gross incompetence going back for years, not least of which, their whole appalling apathetic handling of the whole Phorm spying saga. They don't want to listen to people.
Just spent a day working on a briefing for clients (though none of them have asked about cookies yet). It's a bit difficult to advise them when the ICO 'clarification' is as clear as mud. None of our clients use 'bad' advertising cookies ... just stats and 'share' cookies ... so it's a complete waste of our time and money, and their's too.
So, I think I'm just going to have some fun ... with a new (annonymous) hotmail account, I'll complain about all our competitors and all the companies with lousy customer service ... especially all the government departments and local authorities ... oh, and quangos too.
This morning analytics cookies were getting a free pass but this afternoon you must ask "users' consent for any cookies the websites are using to track their behaviour". I do think the later is correct but would be nice if I could trust what they're saying.
Either way sounds like all we have to do is show we've thought about the issue and done a cookie audit to escape prosecution. With my webmaster hat on that's great but with my user's hat on that's complete nonsense from a toothless body that should be closed.
We're based in the UK but all our websites are hosted on servers based in the US. Mainly for cost reasons. Much cheaper to buy things in USD than GBP or EUR - our dedicated servers and AWS bills are testament to that. As it goes about 50% of our customers are in North America as well.
Would this only apply to websites hosted within the EU?
Or does it also apply if you host your website abroad but are an EU-based company?
What if you host your website everywhere, i.e.: cloud, and it could be served from many different zones for any particular request?
I'm not sure they've thought this through.
«The Cookie Law officially came into force last year as part of the EU Privacy Act, but the UK allowed a year-long grace period during which the law was not actually enforced in order for businesses to work towards complying with it. ... We don't expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.»
Let me see if I understand - UK websites have had one year since this law officially came into effect to prepare themselves, but still this particular law, which is designed to protect users' privacy, will not be enforced. Dare one draw conclusions about the degree of concern for ordinary peoples' privacy - as opposed to, say, the «rights» of copyright holders - which moves Mr Cameron's government to this unusual laxity ? News of the World, redux - or are all laws in the UK «enforced» in this manner ?...
Myself, I use the DoNotTrackPlus add-on (www.abine.com) on Firefox and Chrome in order to stop tracking cookies - how well I succeed is another matter....
Henri
The Information Commissioner is legally obligated to 'promote' good practice among data controllers: 'It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers'.
How does sitting back and waiting for complaints achieve this obligation?
All data protection legislation falls under the umbrella of the DPA as a data controller has a legal obligation to process personal data in accordance with the eight data principles. Thus, the failure by a data controller to comply with UK or EU regulations will ultimately have an impact on the DPA.
For example, the failure by a data controller to obtain consent prior to sending out electronic marketing - which is required by the PECR2003, which are in turn based on an EU Directive, is also one of the requirements of schedule 2 of the DPA.
What is the exact wording of the Google and Facebook exemption?
I ask this because our main concern is use of Google Analytics. If there is an exemption for cookies from Google, then Analytics is in the clear, given that our website does not host the code for analytics, Google hosts it from their servers and so it is a Google signed cookie, hence qualifies for the google exemption?
I don't think its an actual "exemption", merely a statement that because Google isn't an EU company it doesn't have to comply with the legislation.
But if *you* are a EU company, then you do -- and surely nobody with a grain of common sense would agree that asking a third party to perform something on your behalf exempts you from your legal obligations. "It wasn't me that run you over on the pedestrian crossing, it was my car" isn't going to be accepted by any court. Similarly, if the code that *calls* some third party code (whether google or otherwise) is on your site, you *ought* to be accepting legal responsibility for what it does and making sure that what it does is legal. Which, quite possibly, means not using it if you cannot be certain.
Equally, I'd disagree that google is not subject to EU jurisdiction. The EU certainly seems to think it is. So why the ICO should think otherwise only goes to question the competence of the ICO.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
