EU Privacy Directive on Cookies

What is the impact of the EU cookies directive on GOSS' clients?

Update: This content is under review following ICO guidance released Dec 13th

Update: On 25th May 2011 the UK government announced that websites would be given a year to comply with the EU's Privacy and Communications Directive. See the ICO's news release relating to 12 months grace on EU cookies law.

There is currently a great deal of uncertainty regarding the impact of the EU amendment to the privacy directive which relates to when a site can or cannot store cookies. The full report is here and the Information Commissioner's Office's advice is here.

The following summarises the situation:

The amended directive will now state that national governments must "ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information."

Cookies set without user consent would only be allowed when they are "strictly necessary" to provide a service "explicitly requested" by the user, such as storing shopping cart information on an e-commerce site.

Paragraph 66 states: "the user's consent to processing may be expressed by using the appropriate settings of a browser or other application."

Related article from ClickZ (18/03/2011)

We strongly recommend that clients seek legal advice regarding the revised directive. 

The following is GOSS' take on the directive:

GOSS iCM and GOSS iCM managed websites (templates) only use cookies to store user session data. They rely on standard frameworks to store session data, and it is these frameworks that set a cookie containing a unique ID for the visitor (no sensitive data is stored in the cookie itself). Whether a cookie is set is decided by the framework, and it only happens once some information has been placed in the session data. To some degree this means a solution needs to come from Microsoft (ASP.NET), the providers of Servlet containers (Java) or the providers of ColdFusion (Railo, Adobe).

On the subject of storing session data, it could be argued that iCM and iCM managed websites fall into the "strictly necessary" category. The session is used to hold the state of a number of interactions such as completing forms, logging into the website (remembering who the logged-in user is), completing polls, remembering the positions of parts on the homepage, etc. As such the cookie is necessary and is providing a service that the visitor has requested.

There are additional areas that cause concern. For example, Google Analytics is widely used on client sites and it stores its own cookie, which is outside GOSS' control. Strictly speaking, a site should gain the visitor's permission before storing a cookie for analytics purposes. The same applies to any advertising services such as Google Ads. It is also worth noting that content itself may cause cookies to be stored, which is again outside GOSS' control; "Script Inlines", for example, have this capability.

There is an established protocol from the W3C Platform for Privacy Preferences (P3P) Project. The following is an extract from the project homepage.

What is P3P?

"The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit."

Essentially, publishing a P3P policy allows the user's browser to understand your site's cookie usage before it processes any content, so that it can handle cookies in line with the preferences configured in that browser. Instructions for creating and deploying a P3P file and the appropriate headers are provided on the W3C Platform for Privacy Preferences (P3P) Project website.

Although adopting P3P may satisfy the requirements, at present it is still not clear what measures sites will have to take to meet the directive. GOSS therefore recommends that clients seek legal advice and, until legal precedent is established, endeavour to create and publish a P3P policy if one is not already in place. In the meantime they should at least make site visitors aware of the use of cookies with a prominent, easily accessed article (e.g. linked from the top or bottom utilities navigation) that details the site's use of cookies (as described in the previous paragraphs).
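As an added example (not GOSS code), the following audit script applies the distinctions made above, a first-party session cookie set by the framework versus persistent or third-party cookies such as analytics and advertising, to the Set-Cookie headers observed while a page loads, and also checks whether the page advertised a P3P header. The hostnames, cookie values and P3P compact-policy tokens are constructed for illustration, and the registrable-domain check is a deliberate simplification that assumes no public suffix list.

```python
from urllib.parse import urlsplit

# Constructed sample: the page the visitor requested, the Set-Cookie headers observed
# from each responding host while it loaded, and the page's own response headers.
PAGE_URL = "https://www.example.org/council/forms"
OBSERVED = [  # (responding host, Set-Cookie value)
    ("www.example.org", "JSESSIONID=0123ABC; Path=/; HttpOnly"),
    ("www.example.org", "__utma=1.2.3.4; Expires=Thu, 01 Jan 2015 00:00:00 GMT; Domain=.example.org; Path=/"),
    ("ads.example.net", "id=XYZ; Max-Age=31536000; Domain=.example.net; Path=/"),
]
PAGE_HEADERS = [("Content-Type", "text/html"),
                ("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"')]  # illustrative tokens

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, attributes); attribute names are lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def site_of(host):
    """Approximate the registrable domain by the last two labels (assumption: no
    public suffix list, so 'gov.uk'-style hosts would need extra handling)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(page_url, responder_host, header_value):
    """Classify one observed cookie relative to the page the visitor requested."""
    name, attrs = parse_set_cookie(header_value)
    cookie_host = attrs.get("domain") or responder_host
    persistent = "expires" in attrs or "max-age" in attrs
    third_party = site_of(cookie_host) != site_of(urlsplit(page_url).hostname)
    # A first-party cookie that dies with the browser session is the candidate for
    # the "strictly necessary" exemption; anything else is flagged for consent review.
    return {"name": name, "host": cookie_host.lstrip("."), "persistent": persistent,
            "third_party": third_party, "review_for_consent": persistent or third_party}

def audit(page_url, observed, page_headers):
    """Report on every cookie set during the page load and whether P3P was advertised."""
    report = [classify(page_url, host, value) for host, value in observed]
    has_p3p = any(k.lower() == "p3p" for k, _ in page_headers)
    return report, has_p3p

if __name__ == "__main__":
    cookies, p3p = audit(PAGE_URL, OBSERVED, PAGE_HEADERS)
    print(*cookies, "P3P header present: %s" % p3p, sep="\n")
```

In practice the OBSERVED list would be filled from a browser's developer tools or a proxy capture of a real page load; the classification logic stays the same.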
