A senior official at the Information Commissioner’s Office (ICO) has signalled that ‘implied consent’ is likely to satisfy the requirement to obtain users’ consent when using cookies, provided that users have been given clear and comprehensive information about the type of cookies being used.
The revised ePrivacy Directive – dubbed the ‘cookie law’ – requires those dropping cookies (or similar technology) to obtain users ‘informed consent’. Concerns have been expressed that ‘informed consent’ may mean ‘explicit consent’ (i.e. ticking a box) - at least in respect of cookies that have a bigger privacy impact, such as those used for online behavioural advertising.
However, at a recent industry event a senior ICO representative suggested that where a website contains a prominent notice (e.g. in a banner) stating that the site uses cookies and the purpose of such cookies, then the act of a user navigating to the next page will be sufficient to obtain consent.
Whilst such an approach may not strictly comply with the law, it seems that it will avoid official enforcement action.
Updated guidance from the ICO is expected before the end of May when the ICO is due to start enforcing the revised law. It is expected that the revised guidance will provide clarity around implied consent and the use of cookies for analytics (in relation to which the ICO has stated that it is unlikely to take action provided users have been given clear information) and the ICO’s regulatory priorities (i.e. where it is likely to take enforcement action).
For more information please contact Simon Morrissey, James Evans or your usual Lewis Silkin contact.