Hissingsid - 5:13 pm on Apr 6, 2012 (gmt 0)
The law says:
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Since I have not stored or gained access to information stored by having Analytics code on my pages, I don't see why I should have to comply with paragraph (2). The "person" who does this is Google Inc. Whether the EU has jurisdiction over Google Inc will come down to where the alleged offence took place. I would say that since the storage of and access to the information takes place in the user's browser, then where that user is in the EU the offence takes place in the EU.
The ICO disagrees. In their guidance document they say:
The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together.
The key point is not who obtains the consent but that valid, well informed consent is obtained.
Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.
There's a major problem in all of this. The law is about people gaining consent from people. How can it be proven who you obtained consent from? If, upon consent being given, you store a cookie on a user's browser noting that consent, how do you know who has given consent? Or if a different user of that browser who has not given consent visits your site, how can you know that they have not given consent? Can one person give consent on behalf of someone else?
The whole thing is a complete mess!