I’m sure everyone is as fed up with talk about cookies as I am right now, but “implied consent” does not mean “do nothing”. Yes, the ICO have changed their stance on implied consent, but the law hasn’t been abolished and they haven’t done a U-turn.

I can see why cookies are suddenly a non-issue to people. Almost everyone I’ve spoken to on Twitter now sees the law as moot, and the time of implementation versus any kind of penalty from the ICO seems like a no-brainer. Do nothing and you’re not going to get in trouble: seems like a win-win, right?

No, that’s wrong.

The law still exists. It has been diluted to make for an easier implementation, but it still exists, and there is still work involved to keep within it.

I’ve read the updated ICO guidelines, and although the document is quite a long read, it’s sensibly laid out and fairly well explained. Yes, there is vagueness, but if you read the whole thing I suspect you’ll come to the same conclusion as me: we do need to take steps to keep our website visitors informed about cookie (and local storage) usage.

Implied consent

This is the newest point of confusion for most. The ICO, at the 11th hour, declared that “implied consent” was now an acceptable form of consent. Without reading the updated document, many people have come to the incorrect conclusion that this means “great, now we don’t have to do anything, as by browsing the website the visitor is implying consent”.

Let’s refer to the ICO Guidelines on implied consent:

“Implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for “doing nothing”. In many cases, to create a situation in which implied consent is acceptable to subscribers, users and the regulator it would still be necessary to follow the steps set out in the Information Commissioner’s existing guidance.”

Right, that sums up the whole issue really: yes, implied consent is valid, but it does not mean that we do nothing.

“To explain further it might be useful to unpack what we actually mean by the term “implied consent” remembering throughout that consent (whether it is implied or express) has to be a freely given, specific and informed indication of the individual’s wishes. For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”

So browsing the website does not imply consent unless the visitor understands that cookies are being stored.

“…without information being given to the user, it is unlikely that they will understand that they are giving any sort of agreement. This remains the case if information is provided to the user but only as part of a privacy notice that is hard to find, difficult to understand or rarely read. This is why the “do nothing” approach is not enough. The understanding is all on the website operator’s side and the user “giving” consent is unaware that their actions are being interpreted in this way. The user is not informed so in the context of the Regulations, this is not valid consent.”

We need to be clearer: we need to signpost the policy page, and then we need to explain in simple terms what cookies are so the visitor can make an informed decision.

The ICO go on to explain further:

“It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.

First steps

If you have not started work on complying with these rules it is important to do so now.

First steps should be to:
1. Check what type of cookies and similar technologies you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Where you need consent – decide what solution to obtain consent will be best in your circumstances.”

They even offer the suggestion that keeping a policy link in the footer of your page is probably not the preferred approach:

“At present information about cookies is generally provided in a privacy policy accessed through a link at the bottom of a webpage. Making sure users will see clear information about cookies is important for compliance with the information requirements of the Regulations, to ensure that consent is valid and more broadly to increase levels of user awareness.”

Research has been done on this issue, and the statistics show that the majority of visitors do not know what cookies are or what they do. This is why the ICO are suggesting we need to signpost policy pages.

If you only use analytics cookies and they are anonymous, please consider the following from the ICO.

“You will often collect information about how people access and use your site. This work is often done ‘in the background’ and not at the request of the user. A first party analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent. You should consider how you currently explain your policies to users and make that information more prominent. You must also think about giving people more details about what you do so that users can make an informed choice about what they will allow.

… In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link).”

If you use cookies for analytical purposes, you still need consent.

Limitations

Should we leave this to the browser vendors to implement? It makes sense to me, but what level of compliance will they offer, and when?

The ICO’s current stance is:

“At present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie. For consent to be clearly signified by the browser settings it would need to be clear that subscribers had been prompted to consider their current browser settings and, had either indicated in some way they were happy with the default, or have made the decision to change the settings. The other difficulty is that not everyone accessing websites will do so with a traditional web browser.”

OK, so we’re moving towards that as a solution, but we’re not there yet, and it may never be a solution in all cases.

This is also a huge problem in corporate environments where the average user may not even have access to their own browser’s privacy tools.

But how do we implement this? Is it too much work for no gain?

Well, this is the main bone of contention. In an ideal situation you’re aiming to:

1. Make it clear you have a privacy/cookie policy
2. Educate your visitors on what cookies are
3. Facilitate a way for them to control cookie usage

Common sense dictates that can be achieved with the following:

1. Move your privacy policy link to the top of the page, or make it really obvious in your footer. You could even promote the policy page via a news story appearing higher in your webpage to educate repeat visitors.
2. Do a cookie audit and list which cookies do what in a way that makes sense to your visitor. Whether this is in a table or simply explained within your copy is up to you.
3. Ideally have a way of opting out in page, as well as providing information to the visitor on how they can control cookies through their browser.
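As an added example (not code from the original post or any plugin it mentions), here is how steps 2 and 3 can be wired together in page: a cookie audit table that every cookie must appear in, an audit that flags anything undocumented, and a consent gate that only writes non-essential cookies after an informed action and expires them on opt-out. The audit table, cookie names and the `jar` interface are constructed for illustration; in a browser `jar.set` would wrap `document.cookie`.

```javascript
// Added example (not from the original post): cookie audit plus an in-page
// consent gate. Audit table, cookie names and jar interface are constructed.
const AUDIT = {
  session_id: { purpose: 'Keeps you logged in', essential: true },
  _ga:        { purpose: 'Analytics visitor id', essential: false },
  _gat:       { purpose: 'Analytics request throttling', essential: false },
};
const known = n => Object.prototype.hasOwnProperty.call(AUDIT, n);

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Audit step: every cookie present must be in the table; unknown names are reported.
function auditCookies(cookieString) {
  const present = Object.keys(parseCookies(cookieString));
  return {
    documented: present.filter(known).map(n => ({ name: n, ...AUDIT[n] })),
    unknown: present.filter(n => !known(n)),
  };
}

// Consent gate: essential cookies always allowed; non-essential only after an
// informed action, and opting out expires them. jar = { set(name, value, opts) }.
class ConsentGate {
  constructor(jar) { this.jar = jar; this.consent = null; }
  record(choice) { this.consent = choice; }          // 'accepted' or 'declined'
  setCookie(name, value) {
    if (!known(name)) throw new Error(`undocumented cookie ${name}: add it to the audit first`);
    const entry = AUDIT[name];
    if (!entry.essential && this.consent !== 'accepted') return false; // blocked
    this.jar.set(name, value, {});
    return true;
  }
  optOut() {
    this.record('declined');
    for (const [name, entry] of Object.entries(AUDIT)) {
      if (!entry.essential) this.jar.set(name, '', { expires: new Date(0) });
    }
  }
}
```

The same `AUDIT` table can be rendered as the cookie list on your policy page, so the audit and the copy never drift apart.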

This does involve work to implement, but there are plenty of plugins already out there to help with this, which should save you considerable time. That leaves you with the following tasks: a cookie audit, a policy update and a template tweak.

In summary

So who is going to pay for all this? Well, if you have your own websites, you. If you have clients, you’ll need to explain the law to them and let them make the choice as website owner.

Yes, you are unlikely to get into trouble by not complying, but you are breaking the law by doing nothing at all.