Cookies and more damned cookies!

This cookies saga just doesn't stop and I'm left wondering if many of the good legislators in Brussels are realising that some of their daft rules just don't work. Not!

The Data Protection Article 29 Working Party - not an official EU policy-making body but one that the Commission listens to as its remit is enshrined under law - has now published further guidance on the use of cookies on individual websites. The 'period of grace' for UK-based organisations to comply with the new EU Cookies Regulation ended last month.

Looking at the issue of informed consent, the new guidelines state:

"The analysis in the current opinion shows that some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include for example “user-input” cookies (used to keep track of the user’s input when filling online forms or as a shopping cart), also known as session-id cookies, multimedia player session cookies and user interface customization cookies (for example language preference cookies to remember the language selected by a user).

First party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses."

Come on! It's more probable than likely that most websites belonging to reputable organisations deploy cookies only to help with the customer's browsing experience when purchasing goods and services online. Using cookies for additional purposes without telling the user smacks of shady business methods which respectable companies don't touch. Despite the fact that it's now law anyway, it's really only right to tell website users the purposes for which you are collecting their personal data. It's all about trust and confidence!

So, I trust that any enforcement action taken comes as a result of good risk analysis on the sorts of organisations more likely to break the law!