ARTICLE
6 June 2012

How The Cookie Crumbles: ICO Issues Last-Minute Amended Cookie Law Guidance

CMS Cameron McKenna Nabarro Olswang

Contributor



The grace period that the Information Commissioner's Office (the data protection regulator – the 'ICO') offered for compliance with the revised cookie law came to an end on Saturday, meaning that it's now 'business as usual' for the ICO when it comes to enforcement against organisations which do not obtain consent for cookie use.  To assist organisations to comply with this law, the ICO published updated guidance the day before - on Friday 25 May.

The key message of this new guidance is that implied consent through non-explicit means can be valid consent.  The ICO has recognised that obtaining active consent is not always the most appropriate method for organisations: "While explicit consent might allow for regulatory certainty [...] this does not mean that implied consent cannot be compliant."  This is in contrast to the previous ICO guidance which stated: "At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent".  The new ICO guidance also seems to be at odds with the Article 29 Working Party's review of the e-Privacy Directive. The Article 29 Working Party, a body comprised of representatives from each EU member state's data protection authority, stated in its Opinion 2/2010 that "only in very specific, individual cases, could implied consent be argued."

The ICO's amended guidance goes on to state, however, that where organisations are collecting sensitive personal data (such as health information), explicit consent may be more appropriate. It also emphasises organisations' responsibilities regarding third-party cookies on their websites.

The ICO provides a warning to organisations that implied consent does not mean they can sit back and do nothing, assuming that users' use of a website is enough to indicate consent. The ICO defines implied consent as: "some action taken by the consenting individual from which their consent can be inferred [e.g.] visiting a website, moving from one page to another or clicking on a particular button". Dave Evans, group manager at the ICO, wrote in the ICO blog that in order to rely on implied consent, organisations need to be satisfied that their users "understand that their actions will result in cookies being set" and that without this, there is no informed consent. Organisations are also advised not to rely on the fact that users might have read a privacy policy which is "perhaps hard to find and difficult to understand".

The ICO has uploaded a video to YouTube answering FAQs on the revised cookie law. This reminds organisations that: conducting a cookie audit is key; any information provided about cookies should be prominent, user-friendly and meaningful to users; and while monetary penalties can never be ruled out, the ICO is more likely to assist organisations with becoming compliant than to fine them.

While the ICO has said that "it is difficult to imagine that non-compliance with the cookies rule is ever going to trigger a situation in which [the ICO] would be able to issue a monetary penalty", it is taking compliance with the law seriously and will be considering ensuring compliance through formal undertakings and enforcement notices.  The ICO will be tracking compliance through a newly introduced reporting tool on its website, through which it is encouraging members of the public to report their specific cookie concerns with particular websites/sectors/cookie use.

If you require further information on how to go about ensuring you are compliant, please contact us.

The ICO's revised guidance on complying with the law can be found here.

For further background information, please see our previous Law Now on this subject: Take on the Cookie Monster.

This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq

Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.

The original publication date for this article was 29/05/2012.
