In May, the UK's Information Commissioner's Office (ICO) published its initial guidance on how cookies and similar technologies that store information on user's devices should be deployed (see my previous posts here, here and here). The European Union's Article 29 Working Party has now published its own views concerning obtaining consent.
If it is correctly used, consent is a tool giving the data subject control over the processing of his data. If incorrectly used, the data subject's control becomes illusory and consent constitutes an inappropriate basis for processing.
The working party's Opinion 15/2011 (WP 187) suggests that prior consent will always be required and this may mean that the ICO will need to update its own current guidance and enforcement guidelines.
Although the working party's opinion is quite a long document, if you are considering how to build consent for cookies, etc into your future web product development plans (e.g. web sites, mobile apps, social networking activities, e-commerce and f-commerce), it is worth the read.
They emphasize the need to obtain unambiguous explicit consent before any personal data processing can occur, and to be able to subsequently prove this was given. This does not affect mechanisms "strictly necessary" for the provision of the service as discussed before about session cookies. The examples included in the text add some realism to the intent of the opinion, and it is likely the recommendations will form part of future updates to EU legislation.
And remember not to lose sight of the other data protection principles. Obtaining consent does not negate the controller's obligations for fairness, necessity, proportionality, security and data quality.
Posted on: 27 July 2011 at 08:36 hrs