Saturday, 14 May 2011

Cookies ... half-baked or crumbling?

The Information Commissioner's Office has been busy with not one but two brand new documents for us to look over.

The first is a Data Sharing Code of Practice.

Those of us who handle data related to web sites are most likely to be doing this on behalf of a client (which makes us data processors rather than data controllers), although for our internal business purposes we will probably have some data that needs to be carefully handled in a controlling capacity, even if it is only personnel records.

However, even as data processors we have responsibilities, and you should make sure that the person responsible for your data looks over this code of practice.

In some ways that's the easy one. The other is yet another piece of legislation about cookies.

Just when we thought we'd covered ourselves for using cookies by explaining opt-outs and making sure we really needed to use them, those nice people at the European Commission are tightening the rules and the ICO has provided some guidelines.

Whereas regulation 6(2) used to say we needed to tell the user how we used cookies and how to opt out, now it says we have to tell the user how we use cookies and get their consent.

There are exceptions for repeated visits (it looks to me that you only need to ask the first time) and for cookies that are 'strictly necessary' for a service requested by the user, which the ICO suggests means things like shopping carts. A user can also set global consent levels in a browser to signify consent.

Now I know you can set such things in a browser at the moment (no cookies, cookies only from the web site I'm visiting, any cookie) but the web site can't interrogate this. I'm sure the major browser manufacturers will have this sorted in time (sarcasm alert). Would a consent in sign-up terms and conditions be enough? What do you do about systems which already have signed-up users?
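The "strictly necessary" exemption and the consent requirement above, as an added example that is not part of the original post and is not ICO guidance: a small server-side gate (Node) that issues strictly necessary cookies unconditionally and withholds every other cookie until a recorded consent covers its category. The cookie names, the category list, the consent cookie format and the version number are all assumptions made for this illustration.

```javascript
// Added example, not from the post or the ICO. All cookie names, categories
// and the consent cookie format below are assumptions for the illustration.

// Every cookie the site sets, declared with the purpose it serves. Only
// 'necessary' cookies (session, basket and the consent record itself) may be
// set without consent; anything else needs its category consented to first.
const COOKIE_CATALOGUE = {
  sessionid:      { category: 'necessary',  attrs: 'Path=/; Secure; HttpOnly; SameSite=Lax' },
  basket:         { category: 'necessary',  attrs: 'Path=/; Secure; HttpOnly; SameSite=Lax' },
  cookie_consent: { category: 'necessary',  attrs: 'Path=/; Secure; SameSite=Lax; Max-Age=31536000' },
  pref_lang:      { category: 'functional', attrs: 'Path=/; Secure; SameSite=Lax; Max-Age=31536000' },
  _ga:            { category: 'analytics',  attrs: 'Path=/; Secure; SameSite=Lax; Max-Age=63072000' },
};

// Bump this whenever the way cookies are used changes, so consent given under
// the old description is no longer honoured and the user is asked again.
const CONSENT_VERSION = 2;

// Parse a request Cookie header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// The consent record is itself a cookie, formatted "v<version>:<cat>,<cat>".
// A missing, malformed or out-of-date record means nothing beyond 'necessary'
// is consented and the user needs to be asked (again).
function parseConsent(cookieHeader) {
  const consented = new Set(['necessary']);
  const raw = parseCookieHeader(cookieHeader).cookie_consent;
  const m = raw && /^v(\d+):([a-z,]*)$/.exec(raw);
  if (!m || Number(m[1]) !== CONSENT_VERSION) return { consented, needsPrompt: true };
  for (const cat of m[2].split(',')) if (cat) consented.add(cat);
  return { consented, needsPrompt: false };
}

// Given the incoming Cookie header and the cookies a handler wants to set,
// return the Set-Cookie headers that may actually be sent, the names that were
// withheld, and whether the consent banner has to be shown on this response.
function gateSetCookies(cookieHeader, wanted) {
  const { consented, needsPrompt } = parseConsent(cookieHeader);
  const headers = [];
  const withheld = [];
  for (const { name, value } of wanted) {
    const entry = COOKIE_CATALOGUE[name];
    // A cookie with no declared purpose cannot be justified, so it is never set.
    if (!entry || !consented.has(entry.category)) { withheld.push(name); continue; }
    headers.push(`${name}=${encodeURIComponent(value)}; ${entry.attrs}`);
  }
  return { headers, withheld, needsPrompt };
}

// Build the consent record to issue once the user has chosen categories.
// 'necessary' is implied and never stored; unknown characters are dropped.
function consentCookie(categories) {
  const cats = [...new Set(categories)]
    .filter((c) => c !== 'necessary' && /^[a-z]+$/.test(c))
    .sort();
  return `cookie_consent=v${CONSENT_VERSION}:${cats.join(',')}; ${COOKIE_CATALOGUE.cookie_consent.attrs}`;
}

// Constructed walk-through: first visit, then a visit after consenting to analytics.
const wanted = [{ name: 'sessionid', value: 'abc123' }, { name: '_ga', value: 'GA1.2.1' }];
console.log(gateSetCookies('', wanted));
console.log(gateSetCookies('cookie_consent=v2:analytics; sessionid=abc123', wanted));
console.log(consentCookie(['analytics', 'functional', 'necessary']));
```

The consent record has to be a strictly necessary cookie, since without it the choice could never be remembered on the repeat visits the exemption covers. Tying it to a version number means that when the cookie policy changes, consent collected under the old description is simply not carried forward and the banner reappears, which is one way of handling users who signed up before the rules changed.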

Oh ... and we have until May 26th to sort this out.