The grace period that the Information Commissioner's Office
(the data protection regulator – the 'ICO')
offered for compliance with the revised cookie law came to an end
on Saturday, meaning that it's now 'business as usual'
for the ICO when it comes to enforcement against organisations
which do not obtain consent for cookie use. To assist
organisations to comply with this law, the ICO published updated
guidance the day before - on Friday 25 May.
The key message of this new guidance is that implied consent
through non-explicit means can be valid consent. The ICO has
recognised that obtaining active consent is not always the most
appropriate method for organisations: "While explicit
consent might allow for regulatory certainty [...] this does not
mean that implied consent cannot be compliant."
This is in contrast to the previous ICO guidance which stated:
"At present evidence demonstrates that general awareness
of the functions and uses of cookies is simply not high enough for
websites to look to rely entirely in the first instance on implied
consent". The new ICO guidance also seems to be at
odds with the Article 29 Working Party's review of the
e-Privacy Directive. The Article 29 Working Party, a body comprised
of representatives from each EU member state's data protection
authority, stated in its Opinion 2/2010 that "only in very
specific, individual cases, could implied consent be
argued."
The ICO's amended guidance goes on to state, however, that where
organisations are collecting sensitive personal data (such as
health information), explicit consent may be more
appropriate. It also emphasises organisations'
responsibilities regarding third-party cookies on their
websites.
The ICO provides a warning to organisations that implied consent
does not mean they can sit back and do nothing, assuming that
users' use of a website is enough to indicate consent.
The ICO defines implied consent as: "some action taken by
the consenting individual from which their consent can be inferred
[e.g.] visiting a website, moving from one page to another or
clicking on a particular button". Dave Evans, group
manager at the ICO, wrote in the
ICO blog that in order to rely on implied
consent, organisations need to be satisfied that their users
"understand that their actions will result in cookies
being set" and that without this, there is no informed
consent. Organisations are also advised not to rely on the
fact that users might have read a privacy policy which is
"perhaps hard to find and difficult to
understand".
The ICO has uploaded to YouTube a video answering FAQs on the
revised cookie law. This reminds organisations that:
conducting a cookie audit is key; any information provided about
cookies should be prominent, user-friendly and meaningful to users;
and while monetary penalties can never be ruled out, the ICO is
more likely to assist organisations with becoming compliant than to
fine them.
While the ICO has said that "it is difficult to imagine
that non-compliance with the cookies rule is ever going to trigger
a situation in which [the ICO] would be able to issue a monetary
penalty", it is taking compliance with the law seriously
and will consider ensuring compliance through formal
undertakings and enforcement notices. The ICO will be
tracking compliance through a newly introduced reporting tool on
its website, through which it is encouraging members of the public
to report their specific cookie concerns with particular
websites/sectors/cookie use.
If you require further information on how to go about ensuring you
are compliant, please contact us.
The ICO's revised guidance on complying with the law can be
found here.
For further background information, please see our previous Law Now
on this subject:
Take on the Cookie Monster.
This article was written for Law-Now, CMS Cameron McKenna's free online information service.
The original publication date for this article was 29/05/2012.