What are cookies?

A cookie is a small file that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns.

The Information Commissioner’s Office puts them into three groups (there is some overlap between the groups):

“A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.”

For more information see: http://www.allaboutcookies.org/

Session and persistent cookies

Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies:

  • Session cookies – allow websites to link the actions of a user during a browser session. They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies.
  • Persistent cookies – are stored on a user’s device in between browser sessions which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes including remembering users’ preferences and choices when using a site or to target advertising.
  • First and third party cookies – Whether a cookie is ‘first’ or ‘third’ party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user – the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

Reference: Information Commissioner’s Office (see the link to ‘Download the ICO’s cookie guidance pdf’).

Our use of cookies

This site uses cookies, via Google Analytics, to help us identify and track visitors, their usage of this website, and their website access preferences.

If you do not want us to place cookies on your computer, please set your browser (e.g. Internet Explorer, Chrome, Firefox, Safari) to refuse cookies before using the website. The drawback is that certain features of the website we may introduce in the future may not function properly without cookies, and we will not know how many people are using the site, which content is of most interest and what type of information people are searching for.

Your implied consent

By continuing to use this website you are giving Business Plus your implied consent to our use of cookies according to the policy set out here.

Collection of data by this website

This website collects and stores personal data when you complete our contact form, sign up for our newsletter or supply your email address.

Data you supply will be stored in a retrieval system but will never be sold or passed to third parties or used for marketing purposes but purely to maintain communication with the person who initiated the enquiry.

Business Plus is/is not registered with the Information Commissioner’s Office under the Data Protection Act and always endeavours to hold all data in accordance with Data Protection Act principles.

Links to external websites

This site contains links to many external websites and social media sites such as Facebook, Twitter, LinkedIn, Google owned products such as YouTube and Google+, and … anything else?

This site will never add links which are knowingly unsafe or malicious; however, you should always check the cookies and privacy policies of external sites if you have any concerns. This site cannot be responsible for external content or sites. If you have any concerns there are some useful links at the bottom of this page which may help to answer your questions.

Useful information

Your own browser(s). Browsers usually include information under the help section about allowing and blocking cookies and private or ‘incognito’ browsing.

Background reading

Relevant page from Information Commissioner’s site

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

New EU cookie law (e-Privacy Directive)

The law which applies to how you use cookies and similar technologies for storing information on a user’s equipment such as their computer or mobile device changed on 26 May 2011.

We’ve answered some of your FAQs in a video, summarising how you can comply and the approach the ICO is taking to enforcement. (NB: playing YouTube videos sets a cookie – more information.)

Our latest guidance (May 2012) sets out the changes to the cookies law and explains the steps you need to take to ensure you comply. The updated guidance provides additional information around the issue of implied consent:

Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.

If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.

You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.

In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Download the ICO cookies guidance (pdf) [You may well wish to read this .pdf too!]

Cookies and personal data

Regulation 6 covers the use of electronic communications networks to store information, eg using cookies, or gain access to information stored in the terminal equipment of a subscriber or user.

Although devices which process personal data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the Regulations apply to all uses of such devices, not just those involving the processing of personal data.

Where the use of a cookie type device does involve the processing of personal data, service providers will need to make sure they comply with the additional requirements of the Data Protection Act 1998 (the Act). This includes the requirements of the third data protection principle which states that data controllers must not process personal data that is excessive. Where personal data is collected, the data controller should consider the extent to which that data can be effectively processed anonymously. This is likely to be particularly relevant where the data is to be processed for a purpose other than the provision of the service directly requested by the user, for example, counting visitors to a website.

Confidentiality of communications and spyware

It should be remembered that the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online. Here, we are not referring to the collection of data in the context of conducting legitimate business online but the fact that so-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user and that such activities often have a criminal purpose behind them.

Information to be provided

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so. This is comparable with the transparency requirements of the first data protection principle.

The Regulations state that once a person has used such a device to store or access data in the terminal equipment of a user or subscriber, that person will not be required to provide the information described and obtain consent (and discussed above) on subsequent occasions, as long as they met these requirements initially. Although the Regulations do not require the relevant information to be provided on each occasion, they do not prevent this.

Responsibility for providing the information and obtaining consent

The Regulations do not define who should be responsible for providing the information and obtaining consent. Where a person operates an online service and any use of a cookie type device will be for their purposes only, it is clear that that person will be responsible for complying with this Regulation.

Exemptions from the right to refuse a cookie

The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:

  • for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.

In defining an ‘information society service’ the Electronic Commerce (EC Directive) Regulations 2002 refer to ‘any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service’.

The term ‘strictly necessary’ means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the service provider might be subject to, for example, the security requirements of the seventh data protection principle.

Where the use of a cookie type device is deemed ‘important’ rather than ‘strictly necessary’, those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.

Wishes of subscribers and users

Regulation 6 states that consent for the cookie type device should be obtained from the subscriber or user but it does not specify whose wishes should take precedence if they are different. There may well be cases where a subscriber, for example, an employer, provides an employee with a terminal at work along with access to certain services to carry out a particular task, where to effectively complete the task depends on using a cookie type device. In these cases, it would not seem unreasonable for the employer’s wishes to take precedence. However, it also seems likely that there will be circumstances where a user’s wish should take precedence. To continue the above example, an employer’s wish to accept such a device should not take precedence where this will involve the unwarranted collection of personal data of that employee.

10 Downing Street site

Not compliant by the original criteria as they hide the Privacy and cookies link in the page footer! But if you do find it, it’s very comprehensive … perhaps too comprehensive by most people’s standards and level of interest.

http://www.number10.gov.uk/privacy-policy/