If you have been keeping an eye on the TechBlog cookies law page, you will no doubt be aware that the ‘grace period’ for compliance with the new cookies law ended on 26 May. The one-year grace period was introduced to allow website operators time to make the necessary technical changes to their websites (or perhaps, more accurately, try to work out exactly what the regulator expected them to do).

Implied consent vs explicit consent
One of the big questions was around consent.

The new law requires users to give informed consent to allow the use of cookies and similar technologies to run and collect data during your visit to a particular website. But is it possible to give implied informed consent or must users go through a ‘tickbox’ exercise? It is pretty easy to ignore a banner at the top of your screen, oblivious to the measures that the website is taking to monitor and track your use of the site.

The Information Commissioner’s Office (ICO) – the regulator of data protection law in the UK – issued cookies guidance in November 2011, addressing the issue of implied consent. The overarching message from the ICO was that the public simply did not have the requisite ‘general understanding’ of cookies to be able to implicitly give informed consent.

Notwithstanding this message from the regulator, the International Chamber of Commerce’s subsequent guidance on the new law (endorsed by the ICO in a press release) advocated the use of implied consent, and several major retailers adopted implied consent as their chosen mechanism for dealing with the new law, leaving other organisations unsure of what was expected.

Formally, the ICO was saying that implied consent was not OK, yet informally (in media interviews and at events) the message from the ICO appeared to be that implied consent was OK.

A revised approach
However, 48 hours before the 26 May implementation deadline, the ICO’s Group Manager for Business and Industry, Dave Evans, published a blog issuing new guidance. While the ICO did not make a complete U-turn on its position regarding implied consent, it is certainly less hard-line than its previous stance.

The ICO is still sitting on the fence as to exactly when implied consent will be appropriate, but the new guidance does give some possible scenarios where a tick-box (or other explicit consent mechanism) may not be required:

  • Where users of a site have a certain technical awareness and so have the requisite understanding of how cookies are used to be able to give their implied consent
  • Where the cookie notice is displayed in such a way that users can’t avoid reading it, so users can be deemed to have given their consent by clicking past the cookie notice
  • Where consent can be implied from a series of actions that the user may take that, when taken together, are a ‘strong enough indication’ of the acceptance of the use of cookies.

Needless to say, this more business-friendly approach to implied consent will come rather late in the day for those who have already implemented their cookies policy (unless they adopted implied consent in a manner consistent with the guidance, in which case it will provide comfort for the actions taken), but it may be of help to those who have missed the deadline and are still struggling to work out how best to comply with the new law.

Before adopting an implied consent approach, organisations whose websites are directed at non-UK EU users (as well as UK users) may wish to remember that the ICO’s revised guidance on implied consent is at odds with the views of the Article 29 Working Party, and guidance issued by a number of the ICO’s fellow privacy regulators. Accordingly, such an approach may not be acceptable to privacy regulators in those other member states.

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.