The UK’s Information Commissioner’s Office recently published new guidance for complying with the EU’s cookie law. Much of the guidance addresses obtaining consent to the use of cookies, particularly implied consent.
The guidance is available on the ICO’s web site here:
Among other points, the guidance states:
- Implied consent is an appropriate manner of obtaining consent and can be utilized for compliance with the revised cookie rules.
- Companies that rely on implied consent must be satisfied that their users understand that cookies are being placed on the users’ computers.
- Companies should not rely on the fact that users might have read a privacy policy, as such policies are often difficult to understand and/or hard to locate.
- When collecting sensitive personal information, such as health information, companies should consider obtaining explicit opt-in consent.
Many businesses have been concerned that requiring consent would be unworkable and overly burdensome to businesses and consumers. The new guidance appears to be at least a partial response to these concerns by clarifying – or attempting to clarify – the acceptability of implied consent based in large part on clear notice to consumers.
For implied consent to be effective, there must be some action taken by the individual from which consent can be inferred. Examples include visiting a web site that contains a clear notice of the use of cookies and moving from one page to another, or clicking on a particular button that discloses in some manner the use of cookies. When taking action, the consumer must have a “reasonable understanding that by doing so they are agreeing to cookies being set.”
The ICO uses the analogy of a patient’s visit to a doctor for explaining implied consent:
“if a patient visits a doctor this act alone would not be taken as indication that the patient consents to examination, treatment or the recording of health information. The patient and doctor would hold a conversation during which the doctor might offer an invitation to the patient to lie down on an examination couch. In the context of this exchange the doctor might now be able to infer consent from the patient’s actions based on the fact that there is a shared understanding of what is happening.”
The guidance is not perfect. It is not without certain elements of subjectivity and vagueness, but it is guidance nonetheless. We take what we can get. Companies required to comply with the cookie law should carefully review the guidance to gain an understanding of the ICO’s position with respect to compliance and obtaining consent to the use and placement of cookies.