The Information Commissioner’s Office (ICO) has updated its guidance on how to comply with the new UK Cookie Law (European Cookie Directive), which came into effect on Saturday 26th May. This update will increase the confusion of an already confusing law, by apparently supporting users’ implied consent to having their behaviour tracked by cookies.

The change to the guidance (updated PDF version here) gives more backing to implied consent, which means you do not need to get direct consent from users over installing cookies on machines. However, the wording of the guidance is still vague enough to leave many website owners and developers confused about how to comply with the law. Originally, the law required sites to get permission from every user, allowing the sites to track user behaviour using “cookie” code on the user’s computer – the additional space given to “implied consent” suggests it may not be so clear cut any more.

Originally, cookies were not to be set until the user said you could – ‘implied consent’ means you could now say “we use cookies… here is a link to our policy… if you click on anything on our site you consent to us using cookies”. “The key point, however, is that when taking this action, the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.” For example, here is BT’s message, which appears for a limited time in the bottom right corner of the browser window:

So… Explicit or Implied?

The ICO said in its guidance that “while explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.” The ICO claimed it has always said gaining explicit consent was not the only way that companies could comply. The data protection watchdog said implied consent should not be seen as an easy way out or treated as a euphemism for “doing nothing”.

So what should companies be doing to fulfill these new requirements? Here are your options:

  • Use “implied consent”, meaning that, provided you are “satisfied that your users understand that their actions will result in cookies being set”, you can assume they consent to their use
  • Do you collect sensitive information? Then you may feel that explicit consent is more appropriate
  • Review the cookies your site uses and kick out any that are redundant. Then highlight to customers that your site uses cookies and provide a means for them to read more about that and to consent to their use with a Cookies and Privacy Policy link at the top/bottom of each page
  • Remember, you can’t have a “Decline” button as having one would break the law – the system would need to install a non-essential cookie in order to remember the user’s choice. So if they ‘decline’, they will have to see the message on every page every time they visit your site – which may be enough to get consent.

CuCo are still looking into all the options for an elegant solution to this issue and will post what we find.