New cookie law no longer an issue following an ICO backtrack?
Many people breathed a sigh of relief following the Guardian’s take on last week’s ‘watering down’ of EU regulations by the ICO which impact on the use of cookies by UK websites. Unfortunately, perhaps as a result of Chinese whispers, the growing consensus seems to be that the European rules don’t apply and sites no longer need to take action.
The previous version of the guidance, seemingly no longer available from the ICO following a quick search, provided, at page 6, that:
“general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent. As consumer awareness increases over the next few years it may well be easier for organisations to rely on that shared understanding to a greater degree”
The same paragraph suggested that the shared understanding necessary to rely on implied consent is more likely to be achieved ‘if websites make a real effort to ensure information about cookies is made clearly available to their users’. Notably, the guidance indicated that mentioning cookies in a privacy policy would not be sufficient.
What some people appear to have taken away from the revised note, which elaborates on the above, is that the ‘watered down’ guidance means no action is necessary, because implied consent is suddenly an option. However, implied consent (as opposed to requiring a visitor to subscribe, to check a box, or to click a button) was already envisaged by the ICO. In particular, page 16 of the previous guidance explained that, if a notice is displayed asking for permission and the user does not explicitly give it by clicking ‘accept’, instead navigating to another part of the website, then “you might decide that you could set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site”.
While the revised guidance offers some further clarity on this point, and arguably relaxes the language somewhat such that implied consent seems a more viable option, it has not done away with the new requirements. Specifically, rather than simply allowing users to opt out of the use of cookies, websites now need opt-in consent. To infer implied consent, you ought to be sure that visitors actually know you intend to use cookies, and why. The Guardian, the BBC, BT and a host of other sites have been updated to do this with notices of varying size and prominence, which could serve as inspiration for your own site.
If you only mention cookies in your privacy policy, or you have a link to “cookies” in your footer, it is likely that you are not doing enough to educate visitors well enough to infer consent. That doesn’t mean you need to drop everything and get your web developers on the line right away. Although the grace period for non-enforcement by the ICO has ended, it is perfectly clear the Commissioner does not intend to adopt a heavy-handed approach. However, you should also not ignore the changes, and it is important to note that, where the new guidance refers to implied consent, it also mentions more than once how “explicit consent might allow for regulatory certainty”. There are also international considerations to bear in mind, as mentioned in our earlier post.
What is important is to begin working towards compliance. If you are a small business with scarce resources, then rather than dragging your heels, why not take some time to identify straightforward steps you can action now? There are WordPress plugins, downloadable JavaScript scripts and a range of other offerings that can help you to quickly demonstrate that you care about keeping your visitors in the loop, and complying with your legal obligations.