Blog

We have now passed the deadline of May 26th 2012 for websites to comply with the new EU Cookie Laws and it is thought that many sites are still in some ways breaching the law. However, there have also been some interesting updates from the Information Commissioner’s Office, in charge of the law in the UK, giving us more information on how the law might work in practice.

Notably, there has been an update to the policy guidance from the ICO. The new guidance says that websites are now able to assume ‘implied consent’ from web users. This means that there is not necessarily any need for websites to display options for users to choose from, as we discussed in our post last week, but rather they can assume that if a user continues to make use of a website, they are happy for cookies to be used.

However, this does not mean that websites do not need to comply with other aspects of the new Cookie Law and so it still pays for organisations affected to read through the policy guidelines from the ICO to find out their obligations. For example, they might have to carry out an audit of the cookies they are currently using on their websites and perhaps update their own site information to make it clear to users the cookies that are in operation on the website.

Also, the updated ICO guidelines say that: “While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.” This suggests that the implied consent principle is only applicable in some situations; if a website cookie is collecting sensitive personal data on a web user, it is likely that they will still need to obtain specific consent from them as we have discussed in previous blog posts.

Another key point from the updated guidelines is that the concept of implied consent cannot be used as a “euphemism for ‘doing nothing’.” Action still needs to be taken so that consent can be inferred from the web user. For example, you may have seen some websites with messages at the top of the page stating that they use cookies and that by using the site, web users consent to those cookies being used. In short, this means that no matter how a site goes about implementing the cookie policy, at least some action will need to be taken so that web users are aware of the cookies being used.

It is important to remember that the ICO has the power to levy fines on websites that do not comply with the Cookie Law, so even though the concept of implied consent might take some of the heat off web operators, this is not the only aspect of the law. A recent study from KPMG found that 95% of firms still hadn’t implemented the new law. However in practice, the ICO has said fines are unlikely to be levied. This is because sites are unlikely to cause a serious data protection breach. Non-compliant sites may still be expected to show the progress they have made towards implementation, though.

One slight worry with the implied consent concept is that it has been suggested this could lead to the UK battling its interpretation of the Cookie Law in European Courts. However, others have noted that many other European countries have yet to take the law seriously and that it could make the UK less attractive in terms of business. Also, some non-EU businesses could in theory get around the Cookie Law in a way that EU businesses cannot, which, it is suggested, could put European online retailers and other businesses at something of a disadvantage.

Either way, the Cookie Law is now in force in the UK and so it makes sense for businesses to do what they can to comply with the laws. The implied consent component has been described as being more business-friendly and it will hopefully make it easier for many sites – particularly those that don’t collect sensitive user data – to comply with the law.

You can download the updated ICO guidance on the Cookie Law with the addition of implied consent here.

By Chelsey Evans

Follow @AmpheonLtd