EU group gives extra advice on cookies

Given the continuing uncertainty about the new EU cookie regulations, the European Commission's Article 29 Data Protection Working Party has published a new report detailing how cookies can be used legally. In particular, the working party explains various exceptions that allow cookies to be stored on a hard drive without the user's consent. As well as cookies that serve to assist user input, to control multimedia players or to provide settings such as language preferences, these exceptions can include cookies that are used for web site analytics.

However, the privacy advocates point out that in the latter case it is important that cookies aren't deployed by third parties and that they are used for purely statistical purposes. In addition, the working party said that visitors must be told how the cookies will be used and must be given the option to "opt-out" of any data collection. "Comprehensive anonymisation mechanisms" should be in place to ensure that other identifiable information, such as IP addresses, remains anonymous.

Social networking services are also allowed to deploy cookies without their users' consent if they want to monitor login and logout processes and have already informed their users of this in advance. The document states that this also applies to third-party cookies, for instance cookies that control "social plugins", as long as they comply with privacy regulations. However, these cookies must not track users' activities across multiple web pages or collect data from non-members, said the working party.

In December, the group provided online marketers with detailed information on the use of cookies. Since then, a law on the use of browser cookies has come into force in the UK and many UK sites are now presenting users with cookie opt-in messages; however, unclear guidelines – which changed the day before enforcement was due to begin – have led to a number of questions being raised concerning the cookie laws. The new European regulations are based on the EU's 2009 directive on data protection in electronic communications, and have been applicable since May 2011.

(Stefan Krempl / crve)