The ICO has now revised its guidance, specifically around the use of "implied consent", whereby the onus shifts back onto the website user to understand that cookies may be in use. Previously the ICO stated that relying on implied consent was unlikely to comply with the rules, but in a blog post published just one day before the new rules were due to be enforced, the ICO changed its tune:
Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
To confuse things further, the ICO give a perplexing analogy involving a doctor and a patient:
…If a patient visits a doctor this act alone would not be taken as indication that the patient consents to examination, treatment or the recording of health information. The patient and doctor would hold a conversation during which the doctor might offer an invitation to the patient to lie down on an examination couch. In the context of this exchange the doctor might now be able to infer consent from the patient’s actions based on the fact that there is a shared understanding of what is happening.
So whilst a website owner may technically be able to infer consent from its users, exactly what counts as a "shared understanding" that their actions will result in cookies being set is still not adequately defined. To use the doctor and patient analogy, the doctor could reasonably assume a shared understanding when meeting a new patient on the basis that most previous patients haven't objected to being examined, and have therefore understood that an examination was to be expected. Whilst the doctor/patient analogy is rather flawed, applying the same argument to cookies supports the status quo: are real-life web users actually concerned about cookies, or is this all a fuss about nothing?
On the basis of the new guidance, Priocept’s current recommendations to website owners are as follows:
- Clearly list all cookies used by your site, describing their individual purposes and how users can remove them (or configure their browsers to opt-out)
- Require users to explicitly opt in before setting any cookie associated with sensitive data or personally identifiable information (PII)
- Be prepared for further changes as the official guidance is clarified and evolves
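The following is an added example of how the first two recommendations can be enforced in code; it is not from the original post and is not Priocept's code. Every cookie the site sets is declared in a registry with its purpose and category (so the cookie list on the policy page and the gate share one source of truth), essential cookies are always permitted, and cookies in any other category are refused until the user has explicitly opted in to that category. The consent record is versioned against the set of categories, so adding a new kind of cookie later invalidates earlier consent rather than silently extending it. The cookie store is an injectable "jar" so the logic runs under Node; in a browser you would supply a jar backed by document.cookie. The registry contents, cookie names and the consent cookie format are constructed for the example.

```javascript
// Added example (not from the original post or Priocept): a consent gate that
// only writes non-essential cookies after an explicit opt-in.

// Constructed registry of every cookie the site sets. Anything not declared
// here can never be written, which keeps the published cookie list honest.
const COOKIE_REGISTRY = [
  { name: 'session_id',    category: 'essential', purpose: 'Keeps you signed in for this visit' },
  { name: 'analytics_uid', category: 'analytics', purpose: 'Anonymous usage statistics' },
  { name: 'profile_prefs', category: 'personal',  purpose: 'Saved preferences linked to your account (PII)' },
];

const CONSENT_COOKIE = 'cookie_consent'; // assumed name for the consent record

// In-memory jar with the same shape a document.cookie wrapper would expose.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// The consent record is tied to the set of categories in the registry: if a
// new category appears, previously recorded consent no longer counts.
function registryVersion(registry) {
  return [...new Set(registry.map((c) => c.category))].sort().join(',');
}

function createCookieGate(jar, registry = COOKIE_REGISTRY) {
  const byName = new Map(registry.map((c) => [c.name, c]));
  const version = registryVersion(registry);

  // Categories the user has explicitly opted in to (empty if none, malformed,
  // or recorded against an older registry version).
  function consented() {
    const raw = jar.get(CONSENT_COOKIE);
    if (!raw) return new Set();
    try {
      const rec = JSON.parse(raw);
      return rec.version === version ? new Set(rec.categories) : new Set();
    } catch (e) {
      return new Set();
    }
  }

  function hasConsent(category) {
    return category === 'essential' || consented().has(category);
  }

  return {
    hasConsent,
    // Explicit opt-in is the only path by which a non-essential category is allowed.
    recordConsent(categories) {
      jar.set(CONSENT_COOKIE, JSON.stringify({ version, categories: [...categories] }));
    },
    // Returns true if the cookie was written, false if it was refused.
    setCookie(name, value) {
      const entry = byName.get(name);
      if (!entry) return false;                 // undeclared cookie: refuse
      if (!hasConsent(entry.category)) return false;
      jar.set(name, value);
      return true;
    },
    // Withdrawal removes the consent record and every non-essential cookie.
    withdrawConsent() {
      jar.remove(CONSENT_COOKIE);
      for (const c of registry) if (c.category !== 'essential') jar.remove(c.name);
    },
    // Human-readable lines for the site's cookie policy page.
    describe() {
      return registry.map((c) => `${c.name} (${c.category}): ${c.purpose}`);
    },
  };
}

// Usage: tracking cookie refused until the user opts in to 'analytics'.
const demoGate = createCookieGate(memoryJar());
console.log(demoGate.setCookie('analytics_uid', 'u1')); // false before consent
demoGate.recordConsent(['analytics']);
console.log(demoGate.setCookie('analytics_uid', 'u1')); // true after consent
```

Note that this gate only covers cookies the page's own scripts set; third-party scripts (analytics tags, embedded widgets) set their own cookies and must themselves be loaded only after consent is recorded.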