System stores personal information (within the meaning of the DPA)
The legal claim that the data stored are not personal is based on the hypothesis that the Data Controller will *never* be able to identify anybody from the cookie. This hypothesis is simply false.
Most people's computers can be compromised. Most obviously people can access their own cookies and send their details to anybody they feel like. So if Phorm or the ISP offer money or some other inducement to break the "anonymisation", the mapping from cookie to person is trivially determined by the Data Controller.
Remember, under the DPA, the Data Controller must be *unable* to get (or infer) the association of any cookie with a person (or street address etc), now or in the future (even with some effort or "black hat"/"rubber hose"/"black sack" techniques) . Simply being able to buy these mappings from the people in the future makes the data personal data now.
What's worse is that anybody at the same address could break the anonymity too. Imagine a dorm room or frat house with many people, it just takes one of these people to publish or send the DC the cookie -> person mappings, and the "anonymity" is breached.
And that's not to mention breaking the anonymity through spyware, or through theft (or sale or other disposal) of the hardware itself. Or for mobile computer users, the cookie could be read out while the user wasn't looking (in the bathroom?).
So the anonymity claim is demonstrably false and the data are personal data for the ISP and (probably) for Phorm too. Hence the full force of the DPA regulations applies.
It's pretty clear that the personal data are being processed without the informed consent of the user, so the "opt out" approach is a non-starter under the DPA.
And the E&Y consultants report seems to be applying US laws and US standards in the analysis. In the UK, the definitions and laws are very different. Why hasn't Phorm published consultants' reports for each jurisdiction they intend to do this? If they plan to start in the UK, we should have a report that covers the technology in relation to our laws.
Sorry guys. Come back when you have read the DPA (and RIPA).