At the very end of last week (on Friday, in fact), the ICO issued its third guidance note (May 2012), which outlines the changes to the cookies law and explains the steps that need to be taken to ensure compliance. The ICO has also posted a short video on its website to respond to some of the frequently asked questions related to the new cookie rules.
Implied Consent Acceptable. For the first time – and contrary to previous advice suggested by the ICO– the ICO made it clear that reliance on implied consent would be an acceptable form of consent. There are limitations, however.
- Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
- If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
- In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
We’ve answered some of your FAQs in a video, summarising how you can comply and the approach the ICO is taking to enforcement. (NB: playing YouTube videos sets a cookie – more information.)
The Big Question: Enforcement? The ICO further acknowledged that compliance with the new cookie rules is not straightforward and that the regulator will not require full compliance starting now. The ICO will expect companies to have taken steps to comply with the rules – for example, conducting a cookie audit, making notices about cookies more prominent, and considering the best methods for obtaining consent – and have a realistic plan in place for complying with the rules by a date certain. According to the ICO, using the monetary penalties built into the law as an enforcement option has not been ruled out, but formal “undertakings” and enforcement notices are likely to be more useful in achieving compliance. That being said, the ICO says it has written to more than 50 organizations to ask about their cookie compliance program.
A cookie reporting tool has been published on the ICO’s website and the regulator encourages the public to report any concerns they have with cookie practices of specific websites.