ICO issues last-minute guidance on cookie law
The grace period that the Information Commissioner’s Office (the data protection regulator – the ‘ICO’) offered for compliance with the revised cookie law came to an end on Saturday, meaning that it’s now ‘business as usual’ for the ICO when it comes to enforcement against organisations which do not obtain consent for cookie use. To assist organisations to comply with this law, the ICO published updated guidance the day before - on Friday 25 May.
The key message of this new guidance is that implied consent through non-explicit means can be valid consent. The ICO has recognised that obtaining active consent is not always the most appropriate method for organisations: “While explicit consent might allow for regulatory certainty […] this does not mean that implied consent cannot be compliant.” This is in contrast to the previous ICO guidance which stated: “At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent”.
The new ICO guidance also seems to be at odds with the Article 29 Working Party’s review of the e-Privacy Directive. The Article 29 Working Party, a body comprised of representatives from each EU member state’s data protection authority, stated in its Opinion 2/2010 that “only in very specific, individual cases, could implied consent be argued.”
The ICO’s amended guidance goes on to state, however, that where organisations are collecting sensitive personal data (such as health information), explicit consent may be more appropriate. It also emphasises organisations' responsibilities regarding third-party cookies on their websites.
The ICO provides a warning to organisations that implied consent does not mean they can sit back and do nothing, assuming that users’ use of a website is enough to indicate consent. The ICO defines implied consent as: “some action taken by the consenting individual from which their consent can be inferred [e.g.] visiting a website, moving from one page to another or clicking on a particular button”.
Dave Evans, group manager at the ICO, wrote in the ICO blog that in order to rely on implied consent, organisations need to be satisfied that their users “understand that their actions will result in cookies being set” and that without this, there is no informed consent. Organisations are also advised not to rely on the fact that users might have read a privacy policy which is “perhaps hard to find and difficult to understand”.
The ICO has uploaded to YouTube a video answering FAQs on the revised cookie law. This reminds organisations that: conducting a cookie audit is key; any information provided about cookies should be prominent, user-friendly and meaningful to users; and while monetary penalties can never be ruled out, the ICO is more likely to assist organisations with becoming compliant than to fine them.
While the ICO has said that “it is difficult to imagine that non-compliance with the cookies rule is ever going to trigger a situation in which [the ICO] would be able to issue a monetary penalty”, it is taking compliance with the law seriously and will be considering ensuring compliance through formal undertakings and enforcement notices. The ICO will be tracking compliance through a newly introduced reporting tool on its website, through which it is encouraging members of the public to report their specific cookie concerns with particular websites/sectors/cookie use.
The ICO’s revised guidance on complying with the law can be found here.
This article first appeared in Law-Now, CMS Cameron McKenna's free online information service, and has been reproduced with their permission. For more information about Law-Now, click here.