The ICO offers more promotion of the implied consent method for cookie law compliance, as concerns over confusion mount
The Information Commissioner’s Office (ICO) has issued an update to its guidance on how to comply with the European Cookie Directive on user privacy, which became law in the UK on Saturday. The update will increase confusion, by apparently supporting users’ ‘implied consent’ to having their behaviour tracked by cookies.
The change to the guidance (updated PDF version here) gives more backing to implied consent, a method that lets website owners and designers off the hook, as they would not be required to get direct consent from users over installing cookies on machines.
However, the wording of the guidance is still vague enough to leave many website owners and developers confused about how to comply with the law. Originally, the law required sites to get permissions from every user, allowing them to track user behaviour using “cookie” code on the user’s computer – the additional space given to “implied consent” suggests it may not be so clear cut any more.
“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred,” the updated cookies guidance read. “This might, for example, be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action, the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”
Too much guesswork?
Rob Rachwald, director of security strategy at Imperva, bemoaned the lack of clarity in the EU law. “In the past, regulators have made regulations intentionally vague. The legislative thinking is that ambiguity forces the private sector to experiment with different approaches until somewhere, somehow someone finds the right way. The rest of the market soon follows the lead,” he said.
“Suggesting a precise approach – even one created by the private sector – removes a lot of guesswork and the time to compliance accelerates. For some time, we can expect to see a lot of confused consumers and companies.”
Those companies who have already made changes to their sites to get them in compliance may be peeved about not getting more information on implied consent sooner from the ICO.
Others have complained that the law is an unnecessary burden on businesses, given that not many people appear bothered about cookies. Three quarters of online consumers have not heard of the new EU cookie directive, according to eDigitalResearch and IMRG.
What does it mean?
Implied consent could also mean the UK is out of step with EU rules, meaning court squabbles might be on the horizon. But the ICO said in its guidance that “while explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.”
The ICO claimed it has always said gaining explicit consent was not the only way that companies could comply. The data protection watchdog said implied consent should not be seen as an easy way out or treated as a euphemism for “doing nothing”.
A blog from Dave Evans, group manager for business and industry at the ICO, attempted to explain what implied consent meant for website owners.
“In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.”
The ICO pointed TechWeekEurope to the Department for Business, Innovation and Skills’ website (see below) as an example of how to comply without having to gain explicit consent. The government department simply offers a link through to a page about its cookies and how users can remove them from their machines.