Hoo-bloody-ray, I got an answer from the ICO.
I've added quote tags to clarify which parts are from my email and which parts are their reply. They could have formatted it or something, but I guess that was too complicated.
11 June 2012.
Dear Mr Spicer,
Thank you for your emailed correspondence to the Information Commissioner’s Office (ICO), dated 20 April 2012, regarding the new rules on cookies under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (PECR).
The new regulations are as follows:
“I'm a developer attached to a project that builds discussion forum
software, and I'm trying to get some guidance on whether the software we have is compliant with the cookie laws or not, since the guidance is very confusing.
I would note also that our package ('Wedge') is derived from an existing US-based development ('SMF') and shares much of the same code including the cookie management. I should also note that SMF's developers have absolutely no plans to add any facilities for managing cookie privacy, so that UK site owners which use SMF will be left non-compliant, and not through their own fault.
Currently, Wedge offers two cookies, one is a session cookie created
automatically for guests. The session cookie is not shared with any
third party. The cookie itself is simply a session ID, though the
session ID allows for counting how many non-registered users are
visiting, and also the last action carried out by that session can also
be logged, meaning that site administrators can identify what topics of discussion a given user is viewing.
When a user actually logs in, a second cookie is deployed. Due to a bug, the first cookie is not erased, though it is not used when this second cookie is. The second cookie is more persistent, however the user is asked how long the session should persist for. This particular cookie carries two items of information, namely the user id of the logged in user, and their session ID. (The user id is carried through primarily for performance, though either way, that session ID is tied to a user account.) It is also possible for administrators to view the actions being carried out by logged in users.”
A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.”
The more persistent a cookie is, the clearer the information needs to be in order to obtain valid consent. More persistent cookies are likely to be more intrusive, and therefore the level of consent needs to be greater.
When using terms and conditions to obtain consent, those terms and conditions must be actively accepted (as opposed to terms and conditions which are simply available on a website for viewing). Where someone has to actively accept terms and conditions (for example, ticking a box as part of a login or registration process) then that can indicate consent.
“Now, there is a note in the standard registration agreement text, which reads: "Also note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer."
I recognise that this is not sufficient for compliance and that
something more obvious will be required.
We are aware that there are a number of issues with this type of software.
“Anyway, this at least is the current position, and I would note that
pretty much all of the discussion forum platforms offer a similar
collection of features, and to the best of my knowledge, none of them are compliant at this time, and I do not believe there are plans to address that, meaning that site owners are likely to place themselves at risk by using any of these software packages.”
Accordingly, we would at the very least expect that the requirement of Regulation 6(2)(a) is met (that is, the provision of clear and comprehensive information about the purposes of the storage of, or access to, information stored on or accessed from the equipment of the subscriber or user).
I can confirm that, if implemented appropriately, the above appears likely to be a valid method of obtaining consent.
“My understanding of the cookie laws is that the registered-user cookie would be acceptable, by expressly asking for consent during registration so that on creating the user account, it would be clear that consent had been given.”
The new rules apply to UK established organisations operating websites using cookies irrespective of whether site users are based in the UK. For example, an organisation established in the UK with an online presence entirely focussed on countries outside the EU would still be required to comply with the new rules on cookies.
“With respect to the session cookie, I am not clear as to whether this is acceptable or not. We will work on the issue where the session cookie is not removed as promptly as it should be, but given that its primary use within the system is to identify the number of active users who are not currently signed in (and potentially the action they are carrying out), it seems to me that we should ask for consent and not issue if it not given. I do note that the software will be used by people not based in the EU as well as people based there (the core development team consists of one person in the UK and one in France)”
We would recommend consulting page 6 of the following guidance in respect of the timing of consent:
Download the ICO's cookies guidance (pdf)
The above scenario raises wider privacy concerns not specifically addressed under the new rules on cookies, but by the Data Protection Act 1998 (DPA98).
“I am concerned, also, with respect to the logging of actions. The
tracking is not entirely real time, but 'most' page views (certain
internal actions are excluded, and there is a threshold whereby making page views in that time will not be logged, typically views less than 8 seconds apart) are logged, and it is tied to the session ID (regardless of being signed in or not). My concern is that currently we are not advising users that this is being done, and that unlike general access logs, it is tied to a user, and could readily be argued to be personally identifiable. I would note that this can be disabled by the site operator, though it is enabled by default.
On a related note, that same session log is also able to identify
whether a given user is signed in or not and that information is often made available to all users (visually), even though every user has the option to 'hide' the fact that they are online from the general population, site operators will be able to see that fact regardless.”
The DPA98 is specifically concerned with the processing of personal data. “Processing” includes obtaining, holding, recording, disclosing or using personal data in any way. Personal data is data which relates to and identifies a living individual. The DPA98 imposes eight Principles of “good information handling” on organisations responsible for processing personal data (“data controllers”).
The First Principle states that personal data must be processed fairly and lawfully. The First Principle goes on to state that personal data cannot be processed fairly unless the data controller ensures, as far as possible, that the individual has, is provided with, or has made readily available, the following information:
The identity of the data controller;
The purpose, or purposes, for which personal data will be processed;
Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be fair.
The above information is generally provided to individuals in the form of a “fair processing notice” or “privacy notice” when their personal data is first collected.
For further information, please use the following link:
Privacy Notices Code of Practice
I trust this response has been helpful. If you require any further assistance, please contact me at: Casework@ico.gsi.gov.uk. In the subject field of your email please include the following text (including the square brackets) [Ref. XXXXXXXXXX], replacing the ‘X’ characters with your case reference number, including its three character prefix. This will add your email to the other information you have already sent to us about your case, and should occur automatically if you click the ‘reply’ button.
Well, that's maddeningly unhelpful, because they're not covering as to whether our cookies are or are not intrusive. They're all first-party cookies, however, so that's something to be thankful for!
1. We can't realistically mandate users accepting cookies before entering the site (because it excludes search engines entirely), so we will need to investigate the ECL type mod that Emanuele and feline worked on, simply because it's something we will need to look at doing.
2. Accepting cookies via registration allows for the extended cookie, however we should probably be explaining to users a bit more.
4. The person writing the reply doesn't really understand what I'm talking about anyway.
I still think dropping sessions for guests would save a lot of hassle all around, even though it makes who's online only useful for registered members and up.