Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
The Information Commissioner's Office (ICO), the UK regulator, provides further explanation:
- You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied, but must be knowingly given.
- There is an exception for cookies that are essential to provide an online service at someone’s request (e.g. to remember what’s in their online basket, or to ensure security in online banking).
- The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.
What counts as consent?
Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If you are relying on implied consent, you need to be confident that your users fully understand that their actions will result in cookies being set. However, in some circumstances (for example, collecting sensitive personal data such as health details) it is likely that explicit opt-in consent is more appropriate.
Who enforces the Cookie Law?
Does geographical location make a difference?
The proposed regulation will apply to European businesses that process personal data, and businesses outside the EU that monitor EU citizens or process personal data obtained from offering goods or services to EU citizens. This effectively means any business that has European customers will need to comply with the new requirements under the proposed regulation.
What action can the EU take?
Currently, each country's regulator can impose fines on companies that breach local laws. Proposed changes to the EU Directive, which are expected to come into force towards the end of 2015 or early 2016, will see a significant increase in the fines that can be imposed on companies that do not comply with the proposed regulation, of up to 2% of annual worldwide turnover, with the possibility for individuals and associations acting in the public interest to bring claims for non-compliance. These fines will make data protection a boardroom issue and will require companies to carefully review what they need to do to comply.
Becoming compliant is not a difficult task, especially if you engage with us. Cookie Reports is the audit and assessment technology company. Our SaaS solutions provide any organisation with the means to help ensure you are legally compliant with current and future cookie legislation. Our trusted service helps you easily catalog, maintain and understand the cookies stored on your website to better save time, reduce cost and help you ensure compliance for proper cookie management and notification. Cookie Reports provides you with a manner to uniquely meet regulatory obligations whilst minimising reputational risk, combating data leakage, and improving site performance. Most importantly, you can establish visitor trust with your customers through a trusted, compliant site for your cookie management.