14 DAY TRIAL // As the deadline for implementing the amendments to the EU Privacy and Electronic Communications Directive (PECD) draws near, the UK Information Commissioner's Office has issued guidelines on how to comply with the new cookie requirements.
The controversial amendments state that website owners have to ask for consent from users before storing cookies on their computers.
The new regulation applies to all cookie-like storage technologies such as the Flash Locally Shared Objects (LSO), as well as Silverlight or HTML 5 local storage.
The only exception is when the cookie is "strictly necessary" for the service requested by the user to function. For example, remembering items in a virtual shopping basket would apply, but storing user preferences would not.
There is still a lot of confusion among businesses as to how exactly they should comply with these requirements which will come into effect starting May 26. The ICO has published a document [pdf] offering some advice, but it's still far from clear and specific.
The Information Commissioner's Office will be tasked with ensuring that companies comply with the new legislation, but enforcement will be delayed to allow everyone to modify their websites and systems.
The government considers that the best solution would be to determine if the user has given consent through the browser's settings, and officials are working with the major browser makers to make this possible.
Until then, companies will have to rely on Web pop-ups and similar techniques to obtain consent. Another option is to rely on terms and conditions, however, simply making changes to these will not be enough. Users will need to be informed about the modifications and prompted to accept them again.
The document published by ICO also describes some other scenarios and possible solutions, but notes that the biggest challenge is complying with cookies set by third-party content providers.
This is actually the biggest privacy risk to users and one of the reasons the directive was introduced in the first place. It applies to advertising networks, streaming services and other companies that might track users to build behavioral profiles.
"This may be the most challenging area in which to achieve compliance with the new rules and we are working with industry and other European data protection authorities to assist in addressing complexities and finding the right answers," the ICO writes.