The Information Commissioner’s Office (ICO) has updated its guidance on how to comply with the new UK Cookie Law (European Cookie Directive), which can into effect on Saturday 26th May. This update will increase the confusion of an already confusing law, by apparently supporting users’ implied consent to having their behaviour tracked by cookies.
The change to the guidance (updated PDF version here) gives more backing to implied consent, which means you do not need to get direct consent from users over installing cookies on machines. However, the wording of the guidance is still vague enough to leave many website owners and developers confused about how to comply with the law. Originally, the law required sites to get permissions from every user, allowing them to track user behaviour using “cookie” code on the user’s computer – the additional space given to “implied consent” suggests it may not be so clear cut any more.
So… Explicit or Implied?
The ICO said in its guidance that “while explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.” The ICO claimed it has always said gaining explicit consent was not the only way that companies could comply. The data protection watchdog said implied consent should not be seen as an easy way out or treated as a euphemism for “doing nothing”.
So what should companies be doing to fulfill these new requirements? Here are your options:
- Use “implied consent”, meaning that, provided you are “satisfied that your users understand that their actions will result in cookies being set”, you can assume they consent to their use
- Do you collect sensitive information? Then you may feel that explicit consent is more appropriat
- Remember, you can’t have a “Decline” button as having one would break the law – the system would need to install a non-essential cookie in order to remember the user’s choice so if they ‘decline’ then they will have to see the message on every page every time they visit your site – which may be enough to get consent.
CuCo are still looking into all the options for an elegant solution to this issue and will post what we find one.