This morning the ICO has issued further updated advice and guidance on changes to the EU cookie law. This is the third version of the Guidance in a little over a year. The Guidance now confirms that an implied consent mechanic, rather than an explicit opt-in mechanic is a valid form of consent to comply with the new law. In particular, the ICO has confirmed that a user’s consent can be inferred from moving from one page to another on a website provided that the user has a reasonable understanding that by doing so, they are agreeing to cookies being set.
The new Guidance has also addressed the issue of “prior” consent. Whilst the ICO state that wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and indicate their consent, where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies.
The revised Guidance also contains useful information about the nature of the information that must be provided to users and the transparency of that information by reference to certain key factors, including the nature of the intended audience of the website.
Further key aspects of the guidance:
- The ICO suggest that including information about the use of cookies in a general privacy policy is not sufficiently prominent.
- As far as enforcement of the new rules is concerned, the ICO has confirmed that from 26 May 2012, it will consider complaints made by users about cookies.
- As of 26 May, organisations will need to be able to demonstrate that they have taken sensible, measured action to move to compliance and that if a website has not achieved full compliance by 26th May, the ICO will expect a specific and clear explanation of why it was not possible to comply in time.
- The ICO has also suggested that it is highly unlikely that priority for any formal action will be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, provided an organisation can demonstrate that it has done everything it can to clearly inform users about the cookies in question. As such, the ICO is unlikely to prioritise for enforcement first party cookies used for analytical purposes and cookies that support the accessibility of websites and services.
We will be producing a further detailed note of the Guidance in due course but in the meantime, the ICO Guidance can be found here.