Linux Today: Linux News On Internet Time.

VNU Net: Cookies crumble under data protection legislation

Feb 28, 2000, 16:16 (3 Talkback[s])
(Other stories by Lisa Kelly)

By Lisa Kelly, VNU Net

Many UK ecommerce companies could soon be breaking the law by illegally using technology that tracks website users' personal data.

On 1 March the updated Data Protection Act 1998 comes into effect. This will enable individuals to take legal action against those who process data about them without their active consent.

The latest data protection legislation makes cookie technology - programmes downloaded from a website owner's computer to a user's computer, allowing users subsequent site accesses to be tracked - illegal unless it is transparent.

Dai Davis, head of the IT Group at law firm Nabarro Nathanson, said: "The Act will make this relatively little known but potentially extensive use of personal data through cookie technology illegal, unless it is made transparent to data subjects what information has been collected and how it is likely to be used."

Davis said the change in the laws will place European businesses at a competitive disadvantage to countries operating from outside Europe, which do not have to comply with the new legislation, such as the US where "data protection is anathema".

"This is another case of the European Commission shooting European companies in the foot and one which is potentially highly damaging," said Davis.

James Roper, chief executive of industry body the Interactive Media Retail Group, said the legislation will damage UK ecommerce.

"It will put us at a disadvantage to the US," he said. "The serious companies that we urgently need to engage in ecommerce cannot break the law, so they will try to do it properly at a great cost or management burden which could prevent them from making steps into ecommerce.

"Demanding transparent use of cookies is like forcing Ford to state how its carburettor works each time it sells a car. The customer does not need to know."

Transparent use of cookies, however, has its supporters. Helena Sims, the Data Protection Registrar's compliance manager, said the 1998 Act is no different to the 1984 Act in the respect that "individuals should know who is collecting information about them, for what purpose and any disclosures".

"There is a transitional provision in the 1998 Act for companies that have had a site using cookies to monitor use of the internet before 24 October 1998. They will have until 24 October 2001 to comply."

Keith Mitchell, chairman of Internet hub the London Internet Exchange, said: "Privacy protection in the US is inadequate. There has been abusive cookie use and transparent use of cookies will promote users confidence in ecommerce."

Related Stories: