For the past few months a continuous talking point in the web development arena has been the controversial new EU online privacy legislation affecting use of cookies. Priocept previously posted a summary of the changes and the advice from the ICO on how UK websites could best ensure compliance.
The ICO have now revised their guidance, specifically around the use of “implied consent”, whereby the onus is shifted back towards the website user to understand that cookies may be in use. Previously they stated that relying on implied consent was unlikely to comply with the rules, but in a blog post just one day before the new directive was to be enforced, the ICO changed their tune:
Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
If the previous iteration of the advice was contradictory and open to interpretation, the updated guidance is even more ambiguous. What if I rely on my users reading a privacy policy that is not difficult to find, or my interpretation of what is difficult to understand is different from yours? How can any of this guidance be quantified and enforced?
To confuse things further, the ICO give a perplexing analogy involving a doctor and a patient:
…If a patient visits a doctor this act alone would not be taken as indication that the patient consents to examination, treatment or the recording of health information. The patient and doctor would hold a conversation during which the doctor might offer an invitation to the patient to lie down on an examination couch. In the context of this exchange the doctor might now be able to infer consent from the patient’s actions based on the fact that there is a shared understanding of what is happening.
So whilst a website owner may technically be able to infer consent from their users, exactly what can be interpreted as a shared understanding that their actions will result in cookies being set is still not adequately defined. To use the doctor and patient analogy, the doctor could reasonably assume a shared understanding when meeting a new patient on the basis that most previous patients haven’t objected to being examined, and have therefore understood that an examination was to be expected. Whilst the doctor/patient analogy is rather flawed, applying the same argument to cookies supports the status quo; are real-life web citizens actually concerned about cookies, or is this all a fuss about nothing?
On the basis of the new guidance, Priocept’s current recommendations to website owners are as follows:
- Make sure that your Privacy Policy / policy on cookie usage is prominently accessible from all key pages
- Clearly list all cookies used by your site, describing their individual purposes and how users can remove them (or configure their browsers to opt out)
- Allow users to explicitly opt in to cookies when they are associated with any kind of sensitive data or personally identifiable information (PII)
- Be prepared for further changes as the official guidance is clarified and evolves