"Cookie" is used here and in the ICO's guidance as a shorthand for any technique used to send some item of data to and later retrieve it from a user's equipment. The directive covers much more than basic HTTP cookies.
The requirements of the regulations are twofold:
There are two exceptions to the regulations:
The ICO offers some "practical advice for those wishing to comply" (though there's nothing similar for those who would like to avoid compliance!):
The University has now issued some advice.
Yes. We have no choice. The regulations require it, and there are penalties for not complying.
We should assume that all of them are. We can't just apply the "intranet" exemption. We have to work on the basis that outside users can and will access them. (From an FoI perspective, we should be assuming that everything is freely available in general.)
Yes. Everything which is published from a University-provided network connection has to comply, as do sites owned by University groups but hosted on external providers.
The ICO's guidance makes the distinction "essential, rather than reasonably necessary". If your use is strictly "essential" then prior consent may not be required. However, you should still notify your users that cookies are being used.
These are covered by the "or similar technologies" aspect of the regulations, so the requirements are the same. They do at least have the advantage of being obvious to the user.
Since the whole point of cosign is to authenticate by use of cryptographically-hard-to-forge cookies, their use is certainly essential. However, we should still make this clear on the login page.
This use is explicitly addressed in the ICO's guidance. Prior consent is required.
The University's advice pages are here.
The ICO's guidance offers a number of suggestions. Their own site currently has a header bar with a notice and a tick-box.
Not yet, according to the ICO's guidance. "For now, you will need to work on implementing another solution."
It's here. See also the March 2012 ITC paper on cookies and the implications of the amended regulations.
Cookies.html,v 1.44 2012/06/07 14:41:42 gdmr Exp
Unless explicitly stated otherwise, all material is copyright The University of Edinburgh