Full Disclosure

Joel Harrison ukcrypto at chiark.greenend.org.uk
Mon, 28 Apr 2008 16:06:20 +0100


On 4/28/08, Charles Lindsey <chl@clerew.man.ac.uk> wrote:
> On Sun, 27 Apr 2008 22:29:31 +0100, Joel Harrison
> <joeldharrison@googlemail.com> wrote:
>
>
> > Consider PECR reg. 6.  In your example, in order for the web server's
> > retrieval of the webwise cookie to be lawful, the web server would
> > have to provide "clear and comprehensive information about the
> > purposes of the ... access to ... [the webwise cookie]".  So, the web
> > server would need to state clearly in its privacy policy that one of
> > the purposes for which it accesses cookies is to retrieve data placed
> > there by ISPs participating in the Phorm system.  You may think that
> > the chances of anyone owning up to this sort of practice are small.
> >
>
> Eh? Web servers don't "retrieve" cookies. They are sent automatically by
> browsers, and it would require a specific action by the website to detect
> and ignore those cookies which could be identified as "webwise".

I realise that.  By "retrieve", I mean "retrieve the value of" - what
I'm getting at is the action taken by the web server to determine and
process the value of the webwise cookie in its domain.  Whilst the
webwise cookie is sent to the web server automatically, I understood
that it would require a deliberate step in the website code to
determine the value of the webwise cookie and then do something with
it - without that step, the webwise cookie would be sent to the web
server but no action would be taken on it.

> In any case, this particular web server is in Peru, and what does it know or
> care about PECR?

I'm afraid Peruvian privacy law is outside my remit.  However, if the
web server is located anywhere in the EU then it has to deal with
2002/58/EC, and various other countries now have laws that regulate
the use of cookies - so this isn't a UK-specific issue.

You might also be interested to know that in its recent opinion on
search engines, the Article 29 Working Party expressed the view that
merely reading or writing cookies from/to the web browser of a user
located in the EU was sufficient to bring an undertaking's processing
of personal data within the scope of the Data Privacy Directive.  So
your Peruvian web site would be subject to EU privacy law if it was
accessed by users from within the EU.  Of course, there are legal and
practical issues to do with enforcement, but this doesn't seem like
the place to go into them in detail.

Joel