The Information Commissioner’s Office (ICO) has issued an update to its guidance on how to comply with the European Cookie Directive on user privacy, which became law in the UK on Saturday. The update will increase confusion, by apparently supporting users’ ‘implied consent’ to having their behaviour tracked by cookies.
The change to the guidance (updated PDF version here) gives more backing to implied consent, a method that lets website owners and designers off the hook, as they would not be required to get direct consent from users over installing cookies on machines.
However, the wording of the guidance is still vague enough to leave many website owners and developers confused about how to comply with the law. Originally, the law required sites to get permissions from every user, allowing them to track user behaviour using “cookie” code on the user’s computer – the additional space given to “implied consent” suggests it may not be so clear cut any more.
“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred,” the updated cookies guidance read. “This might, for example, be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action, the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”
Rob Rachwald, director of security strategy at Imperva, bemoaned the lack of clarity in the EU law. “In the past, regulators have made regulations intentionally vague. The legislative thinking is that ambiguity forces the private sector to experiment with different approaches until somewhere, somehow someone finds the right way. The rest of the market soon follows the lead,” he said.
“Suggesting a precise approach – even one created by the private sector – removes a lot of guesswork and the time to compliance accelerates. For some time, we can expect to see a lot of confused consumers and companies”
Those companies who have already made changes to their sites to get them in compliance may be peeved about not getting more information on implied consent sooner from the ICO.
Others have complained that the law is an unnecessary burden on businesses, given that not many people appear bothered about cookies. Three quarters of online consumers have not heard of the new EU cookie directive, according to an eDigitalResearch and IMRG.
Implied consent could also mean the UK is out of step with EU rules, meaning court squabbles might be on the horizon. But the ICO said in its guidance that “while explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.”
The ICO claimed it has always said gaining explicit consent was not the only way that companies could comply. The data protection watchdog said implied consent should not be seen as an easy way out or treated as a euphemism for “doing nothing”.
A blog from Dave Evans, group manager for business and industry at the ICO, attempted to explain what implied consent meant for website owners.
“You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand,” Evans added.
“In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.”
The ICO pointed TechWeekEurope to the Department for Business, Innovation and Skills’ website (see below) as an example of how to comply without having to gain explicit consent. The government department simply offers a link through to a page about its cookies and how users can remove them from their machines.
Are you a privacy pro? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
We've spent hours on this topic at ExtraMile and finally have come to a conclusion. You can read what we think in our item here: http://www.extramilecommunications.com/blog/index.php?entry=entry120528-113816
We'd welcome your feedback.