The ICO’s update on cookies compliance progress was released today. The ICO has also published updated guidance for UK website owners setting out specific examples of what compliance looks like. Read the press release, including a link to the full 27-page guidance document.
A few key points from our initial review of the new guidance:
- The ICO are already saying “come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.” (my italics)
- Unsurprisingly, they will be focussing their regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals
- There is also the suggestion that the problem of protecting consumer privacy online is not just the responsibility of the website owner. Public understanding of cookies is low – and general consumer education is required to allow people to control their privacy online
The document also provides some more practical guidance on how website owners can actually gain consent. Having said that, the ICO themselves are still using the same widely-criticised method they implemented in May this year.
Enhanced browser options will increasingly allow websites to rely on browser settings to help satisfy themselves that they have consent to set cookies, and many are still hoping that future browser technology will help resolve the issue. However, as the ICO says, “At present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie.”
From a legal perspective, Peter Church, at the TMT department of Linklaters, commented:
“The new guidance is broadly the same as the guidance issued earlier this year. However, there are some differences. The points I found particularly interesting are a hardening of the ICO’s interpretation of the law, for example, consent should normally be obtained before setting a cookie and it will be difficult to get implied consent (as no one knows what a cookie is).”
“However, this is balanced by a softening in the way the ICO is likely to enforce the law. For example, there is a suggestion you can place a banner ad giving users the choice of whether to accept cookies (as per the ICO website) but if the user ignores the banner and clicks through to another part of the site, that constitutes consent. This is an interesting new compliance option. Similarly, there is a clear steer that the ICO will not take action over non-invasive cookies: “it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.””
For now, organisations should at least carry out the “first steps” recommended by the ICO:
“If you have not started work on complying with these rules it is important to do so now. First steps should be to:
- Check what type of cookies and similar technologies you use and how you use them (i.e. via an audit).
- Where you need consent – decide what solution to obtain consent will be best in your circumstances.”