One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Analytic Cookies: last minute change

Tuesday, May 29, 2012 - 07:18

With enforcement of the UK’s new law on internet cookies due to begin this week, on Friday the Information Commissioner published a new version of his guidance on compliance. Although the Information Commissioner says the new version is a clarification, others have described it as a “striking shift”.

The most significant change appears to be the explicit statement on pages 9 and 10 of something that was hinted at in the previous version – that “implied consent”, rather than “explicit consent”, may be acceptable for cookies used to analyse visits to websites. To clarify this, the section on “implied consent” has been extended. To give explicit consent a visitor must actually sign/say/click “I consent”. For implied consent:

“there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”

So, using examples from the previous version of the guide (now on pages 21 and 22), if a website has a checkbox for “remember my settings (uses a cookie)” or a link to “shopping basket (uses cookies)”, then a user who selects that option will also give implied consent to the storage of the cookie. The new guidance makes clear that for this implied consent to be valid, the site must be sure that the visitor did understand the consequences, and that it can’t rely on the visitor having read a particular section of the privacy policy.

For analytic cookies the same applies: if the site wishes to rely on implicit, rather than explicit, consent it must give sufficient notice and explanation to achieve a “common understanding” between the visitor and the site as to what the cookie will be used for. And “it must always be possible for the user to decline to accept cookies”, either at browser or site-specific level. The guidance does continue to distinguish between analytic and advertising cookies, so I suspect the extension of implicit consent doesn’t apply to the latter.

The guidance doesn’t seem to have changed its position on whether sites can imply consent from the fact that a visitor hasn’t set their browser to exclude cookies (Not yet: “At present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie”), nor whether visitors can be assumed to know about cookies and recognise when they are likely to be used (Not yet: “current levels of awareness of the way cookies are used and the options available to manage them is limited”). So if a site wants to rely on implied consent, it needs to provide both descriptions of its cookies and notice when the visitor approaches an area or function of the site where they are used.

While the new guidance will be welcomed by those still struggling to comply with the law (and those fearing a blizzard of pop-ups), it’s unfortunate that it couldn’t have been issued earlier. For the past two years the ICO has been trying to persuade websites to solve hard technical and user interface problems in order to comply with the law. This last-minute change to what “compliance” means seems likely to make that argument even harder next time.