On May 25, 2012, the UK’s data protection authority, the ICO, issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011). As we have reported here and here, when the rules were first introduced in May 2011, the ICO granted UK website operators a 12-month “honeymoon” period to comply with the rules; that period comes to an end on May 26, 2012.

This is the second time the ICO has updated its advice on cookies, which is intended to assist UK website operators in complying with the new rules that require them to provide website visitors with clear and comprehensive information about cookies and obtain their consent to store a cookie on their device.  The ICO has also posted a short video on its website to respond to some of the frequently asked questions related to the new cookie rules. 

Implied consent

Contrary to what the previous ICO advice suggested, the updated guidance accepts that implied consent is a valid form of consent and can be used in the context of compliance with the new cookie rules.  However, such implied consent must be informed, and, therefore, a website operator relying on implied consent must be satisfied that website visitors have a reasonable understanding that their actions will result in cookies being set or information being accessed on their device.  This will require the website operator to provide clear and relevant information that is readily available to the users regarding the use of cookies – in other words, a website operator would not be able to rely on the fact that users may have read a privacy policy that is hard to find or difficult to understand.

The ICO recognises that implied consent may be the most practical and user-friendly option for analytic cookies; however, it also reminds website operators that for the majority of users, it may not be obvious that most websites use cookies to analyse the use of their websites.  Therefore, the key to implied consent in the context of analytic cookies is to make it “second nature” for users to appreciate that on most sites they visit, analytic cookies will be placed on their devices, so that it will become acceptable to interpret the actions of those users (e.g., using a site in a particular way) as an indication that the users consent to such cookies.    

The guidance further states that implied consent may not be appropriate in certain circumstances, e.g., when sensitive personal data is collected.

Enforcement

In its responses to the frequently asked questions, the ICO acknowledges that compliance with the new cookie rules is not straightforward, and therefore, the regulator will not require full compliance starting May 26, 2012.  Instead, the ICO will expect companies to have taken steps to comply with the rules (e.g., by conducting a cookie audit, making notices about cookies more prominent and considering the best methods for obtaining consent) and have a realistic plan for complying with the rules by a specific date.

The ICO also states that a failure to comply with the new cookie rules would be unlikely to result in the imposition of monetary penalties. Instead, the ICO is more likely to ask companies to enter into formal undertakings to bring their actions into compliance with the law.

To help the ICO investigate potential breaches of the law, the regulator published a cookie reporting tool on its website and encourages members of the public to report any concerns they have about the cookie practices of specific websites. The ICO will use this information to help it determine the particular sectors and types of cookies on which to focus its enforcement strategy.