On Friday—only 2 days before the deadline—the Information Commissioner’s Office (ICO) decided to change their guidelines on the EU Cookie Law.
This change doesn’t really affect the way in which website owners now have to inform users of their cookie use, however it does change, quite dramatically, how the user gives consent to the use of these cookies.
The updates to the IOC’s guidelines are as follows;
- Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
- If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
- You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
- In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
This is quite a major shift, especially given that it was only amended one day before the May 26 deadline. However, given that an estimated 95% of sites are yet to implement anything towards complying with the law, it could hardly be considered too late. But what does the change really mean for website owners and developers? Well it shifts the onus of action to the end user in the majority of cases. As website owners we no longer have to disable cookies by default and only activate them upon user consent. We simply have to alert the user to the fact that we are using cookies and for what purpose.
We still need to give the user the ability to disable cookies, however it isn’t entirely clear if this could simply be giving them instructions to do so using browser settings. Using browser settings to disable cookies significantly reduces the amount of work required by website owners, who would otherwise need to invest in some development time to implement a cookie management system. As mentioned before though, it isn’t entirely clear whether instructions to disable cookies in the browser is adequate, in which case it may be safer to handle cookie use on a per site basis using on-site functionality.
Whilst we are on the subject of unclear areas of the guidance, no one is entirely sure whether the updates by the IOC may actually now break the EU Cookie Law in themselves. We may find in the future that the IOC have to revert their guidelines under pressure from European Courts. I for one certainly hope that this doesn’t happen as the updated guidance certainly is a step towards a more sensible approach to compliance. The ideal solution is better cookie management baked directly into the browser software (pun entirely intended), therefore taking the burden of responsibility away from website owners. This method will also be better for controlling and restricting the sites that this law was created to target, the ones that use covert tracking systems, who will more than likely ignore it anyway.
Here’s a video from the ICO that further explains their stance.
Photo credit: Flickr user midiman