Tuesday, 24 May 2011

Further thoughts on cookies (or lack thereof)


The amendments to The Privacy and Electronic Communications (EC Directive) Regulations 2003 as they affect the use of cookies have now been published in The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. What's surprising (to me) is how little has actually changed, though obviously a small change to legislation can clearly have a wide effect. What also fooled me is that if you don't read the ICO's guidance carefully (as I didn't) you might (as I did) think the change was bigger than it was. For example I thought paragraph (4) was new, and it isn't. In fact it hasn't changed at all.

One interpretation of all this is that many/most sites may already fail to comply with the 'old' regulations. Were you really giving subscribers "the opportunity to refuse the storage of or access to that information"? ... because if you were it should surely be trivial to turn the tests around and get consent instead. You could argue that all that's happened now is that, by requiring consent, the new regulations have made contraventions more obvious.

For your delight, here is paragraph 6 from the original regulations with (if I've got it right) the new amendments applied to it (removals struck through, new text underlined):

Confidentiality of communications 
6.—(1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. 
(2) The requirements are that the subscriber or user of that terminal equipment— 
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and 
(b) is given the opportunity to refuse the storage of or access to that information 
(b) has given his or her consent 
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use. 
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent. 
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information— 
(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or 
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Not all that different, is it?
