The guidance is available on the ICO’s web site here:
Among other points, the guidance states:
- Implied consent is an appropriate manner of obtaining consent and can be utilized for compliance with the revised cookie rules.
- Companies that rely on implied consent must be satisfied that their users understand that cookies are being placed on their computer.
- When collecting sensitive personal information, such as health information, companies should consider obtaining explicit opt-in consent.
Many businesses have been concerned that requiring consent would be unworkable and overly burdensome to businesses and consumers. The new guidance appears to be at least a partial response to these concerns by clarifying – or attempting to clarify – the acceptability of implied consent based in large part on clear notice to consumers.
The ICO uses the analogy of a patient’s visit to a doctor to explain implied consent:
“if a patient visits a doctor this act alone would not be taken as indication that the patient consents to examination, treatment or the recording of health information. The patient and doctor would hold a conversation during which the doctor might offer an invitation to the patient to lie down on an examination couch. In the context of this exchange the doctor might now be able to infer consent from the patient’s actions based on the fact that there is a shared understanding of what is happening.”
The guidance is not perfect. It is not without certain elements of subjectivity and vagueness, but it is guidance nonetheless. We take what we can get. Companies required to comply with the cookie law should carefully review the guidance to gain an understanding of the ICO’s position with respect to compliance and obtaining consent to the use and placement of cookies.