law that applies to ‘cookies’ is changing with effect from 26 May 2011. Within a year from that date, not only must the user be given clear and comprehensive information about the purposes of cookies and use of the data they collect; but cookies can also only be placed on the user’s device after the user has given his or her consent. There is an exception where such storage or access is strictly necessary for the provision of a service that has been requested by the user (as well as where the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network). The UK Information Commissioner has issued guidance on how to comply.
How best to obtain consent?
This is likely to vary according to the type of cookie being set and the use to which the information is put. Cookies may be either "Session” cookies, which are temporary and deleted as soon as the user closes his or her browser; or "Persistent” cookies, which are stored on the user’s device hard drive until they expire or are removed. Where a persistent cookie is set, the consent only needs to be obtained prior to it being set the first time.
Of course, users can configure their browser to warn them whenever a new cookie is about to be stored; clear the cookies that have previously been set; and/or block specific cookies in advance. Or they can choose not to visit a website or use a service whose cookies they don’t want to receive. However, the Information Commissioner has found that most browser settings are not sophisticated enough to allow the service provider to assume the user has given his or her consent to allow your website to set a cookie. So, the Commissioner has advised that consent must be obtained in some other way.
Whichever way you decide to meet the challenge, you'll need a psychiatrist on standby for your digital design team ;-)
Image from Jefferson Park.