On Friday, almost exactly one year after the EU Privacy and Electronic Communications Regulations were implemented, and one day before the 'cookie' element was due to be enforced, the Information Commissioner's Office updated its guidance on how companies must comply with the new law. Here's our take.
So on Friday, almost exactly one year after the EU Privacy and Electronic Communications Regulations were implemented, and one day before the ‘cookie’ element was due to be enforced, the Information Commissioner’s Office updated its guidance on how companies must comply with the new law.
On behalf of all the companies who have examined this legislation, designed, built and implemented solutions at vast expense can I just say: thanks. Really. Thank you. Most helpful.
What is most frustrating about this is that the new guidance explicitly contradicts the old guidance.
Exhibit A, from the ICO’s guidance document, available on its website until last week:
“At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent.”
I read this and so did most others as meaning that explicit consent is required. OK it’s a little woolly (like much of the document) with that qualifying ‘entirely in the first instance’, but elsewhere in the document the ICO describes consent as follows:
“Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service.”
I’d say that was pretty unambiguous. Consent requires some form of deliberate action on the user’s part.
This same sentence is in the new guidance document too. But elsewhere is an updated section on ‘Implied consent’. I give you Exhibit B:
“Implied consent is certainly a valid form of consent”
“To explain further it might be useful to unpack what we actually mean by the term “implied consent”
Erm, yes please. Go on
“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred.”
OK, but then in what way is that ‘implied’?
“This might for example be visiting a website, moving from one page to another or clicking on a particular button.”
You are kidding me, right? You mean that it could just have been business as usual?
Well actually, no. Because for all that this new guidance gives licence for some softer alternatives in the way that users are informed about cookies and their consent collected, the law is still here and complying with it still requires some serious thought.
Take this paragraph for example:
“some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent.”
In other words if you are doing anything that profiles a user - lead nurturing, marketing automation, ad retargeting, personalisation or any number of other comparable uses implied consent might not be enough. Does Google Analytics’ fall into this category? It tracks individuals’ paths through sites, so who knows.
On the basis of this guidance, many sites may not be able to justify the use of implied consent and will still have to secure visitor’s explicit permission if they are to be truly compliant. They will also need to ensure that they are doing all the other things that proving compliance might require:
- Tracking the display of privacy messages
- Monitoring their acceptance and rejection
Without this data it will be very hard to prove compliance retrospectively, should the regulator be inclined to look at your approach. These features are core parts of the CANDDi Cookie solution and whatever your approach to the user-facing dialogue, remain highly relevant.
The result then is that though the ICO’s new guidance appears to give grounds for a more gentle approach to this law, taking that gentle approach is likely to leave many businesses open to challenge down the line.
We will continue to offer CANDDi Cookie customers a choice of approaches, but we won’t be advising that implied consent is automatically the best option.
Unless of course, the regulator changes its guidance. Again.