PECR 2003 Regulation 6 (4)(b)
Paragraph (1) shall not apply to the technical storage of, or access to, information—
(a) for the SOLE PURPOSE of carrying out or facilitating the transmission of a communication over an electronic communications network; or
(b) where such storage or access is STRICTLY NECESSARY for the provision of an information society service requested by the subscriber or user.
This is going to present some interesting legal challenges as web teams tackle the requirement to gain consent or NOT.
JUDGE: Did you, or did you not, gain informed consent to access the information on the subscriber or user's equipment?
DEFENDANT: We did not, your honour; it was just an ASP.NET SessionId, which is only used for facilitating the transmission of a communication.
JUDGE: I see. And what (pray tell) is the purpose of the 'null cookie' I see you placed on the subscriber's equipment without consent?
DEFENDANT: Ah... When you abandon a session, your Honour, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance. At the same time, if the user opens another application within the same DNS domain, the user will not lose their session state after the Abandon method is called from one application. Sometimes, we may not want to reuse the session ID. When we do, and there are ramifications of not reusing the session ID, we use the following code to abandon a session and to clear the session ID cookie.
Session.Abandon(); // discard the server-side session state
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")); // overwrite the session ID cookie with an empty value
JUDGE: I see. And the IP Address I see you obtaining. What (pray tell) is the purpose of that?
DEFENDANT: {sigh} TCP/IP ...
It's going to be fun, isn't it!!
Particularly challenging is the re-use of information AFTER it has been used for a specific network purpose. IP Address is one of those 'REQUIRED' 'SHALL' parts of W3C Standards, so one assumes it is exempt from the consent requirement. But what if we then analyze the IP addresses visiting our website to gain insight into potential customers? What about the document.referrer 'value', should we use it?
It's what Google Analytics does best, and it's what the ICO no longer has access to.
There has to be some middle ground, and we have to find it now!
French CNIL has just released cookie guidance and it says a very firm 'non' to browser based consent.
Link here http://tinyurl.com/6j7otnj
Posted by: Duncan | November 04, 2011 at 04:53 PM
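The Session.Abandon() snippet quoted in the comment above leaves an empty-valued ASP.NET_SessionId cookie on the client, which is exactly the 'null cookie' the imagined judge asks about. The following ASP.NET Web Forms logout handler is an added example, not Duncan's code and not the snippet he quotes: it abandons the session and then overwrites the session cookie with one whose expiry is already in the past, so the browser discards it rather than keeping an empty one. The handler name, the redirect target and the use of the default cookie name "ASP.NET_SessionId" (configurable via the cookieName attribute of <sessionState>) are assumptions for the illustration.

```csharp
// Added example (not from the original comment or from Microsoft's documentation):
// a logout handler for ASP.NET Web Forms that abandons the session AND tells the
// browser to delete the session ID cookie, instead of leaving an empty one behind.
using System;
using System.Web;
using System.Web.SessionState;

public class LogoutHandler : IHttpHandler, IRequiresSessionState
{
    // Name assumed to be the default; it follows <sessionState cookieName="..."/> in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Discard the server-side session state for this session ID.
        context.Session.Abandon();

        // 2. Replace the session cookie with an already-expired one.
        //    An empty value alone (as in the quoted snippet) keeps a cookie on the client;
        //    an Expires date in the past instructs the browser to remove it.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,          // session cookie should never be script-readable
            Path = "/"                // must match the path the original cookie was issued with
        };
        // Set() replaces any same-named cookie already queued on this response,
        // so we do not end up sending two ASP.NET_SessionId headers.
        context.Response.Cookies.Set(expired);

        // 3. Send the user back to the landing page (target path is assumed).
        context.Response.Redirect("~/", false);
    }
}
```

Register the handler in web.config (for example under <system.webServer><handlers> for IIS integrated mode) and point the logout link at it; afterwards a second request from the same browser arrives without a session cookie, so ASP.NET issues a fresh session ID rather than reusing the abandoned one.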