Summary and implications
If it does, given that the EU’s Article 29 Working Party, which includes the Information Commissioner, has taken the view that browser settings cannot be a means to collect specific, informed consent from website users, we are left with doubt on how ICO will approach this.
- BIS is expected to publish the response to the implementation consultation within the next month. This should give an indication as to whether the uncertainty will continue until we have ICO guidance.
- If the copy-and-paste approach is used by government for the final implementing legislation, businesses will hope for pragmatic ICO guidance. While the government has hinted at this, ICO is autonomous and given the Article 29 Working Party view this cannot be guaranteed.
- EU and overseas businesses operating EU-accessible websites using cookies should watch developments carefully, and should consult their web developers to consider contingency plans for website pop-ups and landing pages to obtain consent if pragmatic guidance is not issued.
Many view the UK’s implementation proposal as a missed opportunity to remove the lingering concerns that businesses may have that the revised legislation could still require them to change their websites to use new “landing pages” or pop-ups to ask for specific consent before placing cookies on users' machines.
This may seem strange given the acknowledgement of the importance of cookies to the usability and ongoing operation of many websites in both the consultation document and the impact assessment document published alongside it. However, any implementation which deviated significantly from the European text to address this issue could have opened the government up to challenge from any individuals and organisations who felt that the directive had not been implemented correctly – with damages as a potential remedy.
A hope for pragmatic guidance?
The wording of the consultation document refers to the words “strictly necessary… to provide the service” shortly after mentioning the level of dependency of many websites on cookies.
Given this statement comes just after two sentences discussing how integral cookies are to providing website services, it seems to indicate that BIS is hoping for ICO to issue pragmatic guidance on how the phrase “strictly necessary” is to be interpreted. For more information
This approach might provide ICO with a way to sidestep the Article 29 Working Party view on obtaining user “consent” to place cookies, but it may still be unwilling to stretch the interpretation of “strictly necessary” too far.
The consultation is now closed, but the BIS consultation documents are available here The consultation is called “Implementing the revised EU Electronic Communications Framework – Overall approach and consultation on specific issues”.
Those using cookies (particularly tracking cookies) should probably still be concerned, as if ICO issues less pragmatic guidance there is now far less time for businesses to implement changes to websites.