User Consent Required for Cookies

A user's consent is required before it is lawful to store and access information on their computer. Such consent must be preceded by the user having been provided with clear and comprehensive information about the purposes of the proposed processing. A mechanism where users are provided with the opportunity to object is not the same as consent. This was the view expressed by The Article 29 Data Protection Working Party in a letter dated 3 August 2011 identifying concerns with regard to the new self-regulatory code on online behavioural advertising. The opinion further claimed that browser settings will not be sufficient to meet the cookie consent requirements until they automatically reject third-party cookies as default and allow users to take "affirmative action to accept cookies from specific websites for a specific purpose". Although enabling people to object to being tracked for the purposes of serving behavioural advertising was a welcome advance and constitutes an improvement it does not meet the requirement to obtain "informed consent" as set out in the EU Directive (Directive 2009/136/EC Article 5(3)). It could lead to the situation where the consent of many internet users is wrongly assumed. The new requirement for consent affects all website publishers including FE and HE institutions. Once appropriate technical solutions have been developed the Information Commissioner is likely to produce further guidance on best practice in this area. See the JISC Legal background information on what the new Cookie legislation requires FE and HE institutions to do at - http://www.jisclegal.ac.uk/cookies.
Further details in The Article 29 Working Party letter online at - http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2011/20110803_letter_to_oba_annexes.pdf and on the OUT-LAW website at - http://www.out-law.com/page-12191

Posted on 01/09/2011