RE: Cookies go live today

 
On 14:46:47 15 December 2003 GrahamRoss wrote:

Graham,

The argument is based on "The Privacy and
Electronic Communications (EC Directive) Regulations 2003"
URL: http://www.hmso.gov.uk/si/si2003/20032426.htm

My argument below is as follows:

1. I will show that 6(4) does not apply in a
number of cases which would mean that 6(1) must be complied with for these cases (quite typical too)

2. I will agree about issue of "storage" - this
was however not essential for my argument

3. I will demonstrate that the issue of
gaining "access" is still present _IF_ "delete client side cookies" proposal is offered as the _ONLY_ means of compliance with
Regulations 6.

--------------
Point 1
--------------

" 6. - (1) Subject to paragraph (4), a person
shall not use an electronic communications network to
store information, or to gain access to information
stored, in the terminal equipment of a subscriber or user
unless the requirements of paragraph (2) are met."

Sorry would not agree that it will be valid for
all cases, here is full text of 6 (4):

" (4) Paragraph (1) shall not apply to the
technical storage of, or access to, information -
(a) for the sole purpose of carrying out or
facilitating the transmission of a communication over an
electronic communications network;
or
(b) where such storage or access is strictly
necessary for the provision of an information society service requested by the subscriber or user."

6(4) won't apply in many cases such as (for
example) a cookie containing email marketing campaign id which is neither necessary nor required to facilitate the transmission as defined above.

Since 6(4) won't apply in this and other similar
cases I conclude that 6(1) and (2) must still be complied with in at least a number of pretty common cases (such as email tracking).

How typical are my cases? I'd say pretty common.
Cookies are easier to program than doing full database solution and because of that a lot of people rely on them for things that are not "strictly necessary" - almost all email marketing, banner advertising etc.

--------------
Point 2
--------------

> So the requirements of paragraph 2 relate only
> to storage in the terminal equipment of the subscriber or
> user ie client terminal.

"Oh yeah, I agree with that." (c) Soldier #2 from
Monty Python's "Holy Grail"
URL: http://www.geocities.com/pectacon/MPHG.html

Apart from minor bit that I am arguing
about 6(1) which defines what is NOT allowed
(storing and/or accessing) to do unless 6(2) is complied with.

" 6. - (1) Subject to paragraph (4), a person
shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless
the requirements of paragraph (2) are met."

This is not my main argument however as issue
of storage arose from me using word "storing"
data on server side with main issue being discussed
below.

--------------
Point 3
--------------

My main argument however was and still is that
the "access" requirement ie 6 (2)(b) is broken in not so hypothetical case where cookie's value was logged
on server side for later access by a person (analyst like me) _IF_ user was told to "delete cookies on client side" as means
of compliance with 6(2)(b) which I quote:

In fact suggestion to delete cookies on client
side is not material in my view to compliance or non-compliance of these regulations as by itself the
deletion on client side:
a) does not make the site compliant due to broken
Reg 6(1) due to broken 6(2)(b)
b) is not necessary to suggest but might be a
good idea - "best practice" as
Ashley said but not in my view sufficient to
comply with law

------------------------------
CONCLUSION
------------------------------

It appears to be that suggesting the user
to "delete cookies" on client side as the only
means of compliance with Regulations 6 is not
right thing to do because it will violate 6(2)
of said regulations in at least a few very
realistic cases (I think many cases).

Of course everything above is IANAL and IMHO :)

regards,

Alex
 
  • Cookies, C.H, 30 Jul 15:39
    Do I understand correctly, that there will be some new guidelines on Cookies published soon? How they can be used etc etc? Where could I go to find out more information about th ...
    • Cookies, Gary Baker, 5 Aug 12:44
      New regulations (The Directive on Privacy and Electronic Communications aka Privacy Regulations) regarding email marketing and cookies are to come into effect on 31 October this ye ...
      • Cookies, JamesDownes, 12 Aug 16:23
        You may find this useful, http://www.aboutcookies.org. It was set up by a law firm who have probably read (and understood) the directive. I think the idea is that you can direct ...
        • Cookies, Russell , 11 Dec 11:43
          The directive goes live today. Can anyone confirm that a link to your privacy policy on all pages of your site, brief details of your use of cookies, plus a link to the aboutcoo ...
          • RE: Cookies go live today, Ashley , 11 Dec 16:10
            Hi Russell I believe 'best practice' (aka how little you can do to stay the right side of the law) also dictates that you give instructions in your privacy policy to users on ho ...
            • RE: Cookies go live today, Russell , 11 Dec 17:33
              Thanks Ashley. I've added the following text & link to the end of the "information about cookies & what we use them for" area on our site: "How to delete and control cookies ...
            • RE: Cookies go live today, Alex Chudnovsky, 12 Dec 17:09
              On 16:10:06 11 December 2003 Ashley wrote: >give instructions in your privacy policy to users on how >they can delete the cookies you may have set. This is a >workaround for ...
              • RE: Cookies go live today, GrahamRoss, 15 Dec 10:30
                On 17:09:06 12 December 2003 Alex Chudnovsky wrote: >IANAL (I Am Not A Lawyer - but I wish I was!) telling use >how to delete cookies should not be sufficient because >most lik ...
                • RE: Cookies go live today, Alex Chudnovsky, 15 Dec 12:30
                  Great post Graham. I was merely trying to say that telling user how to delete cookies is (in my view) not sufficient to satisfy Regulation 6 (b) of The Privacy and Electronic Commu ...
                  • RE: Cookies go live today, GrahamRoss, 15 Dec 14:46
                    Alex- I see what you are getting at, 6(2)(b) to which you refer, and which says :- "2) The requirements are that the subscriber or user of that terminal equipment - ......... ...
                    • RE: Cookies go live today, Alex Chudnovsky, 16 Dec 10:51
                      On 14:46:47 15 December 2003 GrahamRoss wrote: Graham, The argument is based on "The Privacy and Electronic Communications (EC Directive) Regulations 2003" URL: http://www ...
                      • RE: Cookies go live today, GrahamRoss, 16 Dec 12:36
                        Alex - I'm afraid you are getting this all wrong. > 1. I will show that 6(4) does not apply in a >number of cases which would mean that 6(1) must be >complied with for thes ...
                        • RE: Cookies go live today, Alex Chudnovsky, 16 Dec 12:53
                          >Alex - I'm afraid you are getting this all wrong. Possible. >Of course. But you are overlooking the fact that >Regulation 6 does not apply AT ALL to server side data >ret ...
                          • RE: Cookies go live today, Russell , 16 Dec 16:14
                            Alex, I would argue that once a cookie's value is logged to the server, it ceases to be "cookie data" & becomes "just data". In your example, it is therefore a data protection i ...
                          • RE: Cookies go live today - response to Russel, Alex Chudnovsky, 16 Dec 17:30
                            >I would argue that once a cookie's value is logged to the >server, it ceases to be "cookie data" & >becomes "just data". In your example, it is >therefore a data protection iss ...
                            • RE: Cookies go live today - response to Russel, GrahamRoss, 17 Dec 15:05
                              >Suggestion to delete cookies on client side is not >sufficient to satisfy 6(b) simply because it may be logged >on server side - confidentiality of data may be breached against ...
                              • RE: Cookies go live today - response to Russel, Alex Chudnovsky, 17 Dec 15:18
                                Graham, >Can we drop this now and agree to disagree, unless anyone >else wishes to chip in. Yes I can agree on that. I hope future application of these regulations will prov ...