Data Protection Alert (EMEA)
29 May 2012
by Cameron Craig, Paul McCormack
On 26 May 2012, the deadline expired for the implementation of the new law requiring website users to provide 'opt-in' consent to cookies.
On the eve of the compliance deadline, the Information Commissioner's Office (ICO) issued an updated guidance note which clarified the meaning of consent, allowing consent to be inferred by the actions of the user. Website operators are therefore able to obtain consent by way of 'implied consent' of the user, provided certain requirements are met.
The UK legislation (The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) which implements the amendments to the E-Privacy Directive came into force on 25 May 2011 and states that a user or subscriber must:
- be given clear and comprehensive information about the purposes of the storage of cookies and
- provide his or her consent.
However, on 25 May 2012, the ICO updated its guidance to amend and replace the previous advice relating to 'implied consent'. The revised guidance (Updated Cookie Guide) confirms that in certain circumstances, implied consent (rather than express opt-in consent) can be relied upon to satisfy the 'consent' requirement of the revised law.
Although express consent from a regulatory compliance and enforcement perspective remains the best way to evidence compliance, the ICO advises that this does not rule out implied consent as an alternative.
Specific and informed
The Updated Cookie Guide provides a comparison between the setting of cookies to a doctor-patient relationship, insofar as, in order for a patient to provide any consent (implied or otherwise), they need to be told of the proposed procedure before consent can be inferred from their action.
In the context of cookie compliance, the ICO advises that website operators must ensure that clear and relevant information is available to users for any consent (implied or express) to be given. Furthermore, the key points to consider are:
- the nature of the intended audience of the site
- the way in which users expect to receive information from and on the site, and
- making sure that the language used is appropriate to the audience.
An indication of wishes
The Updated Cookie Guide also confirms that the user actions can provide an indication where there is a shared understanding of what is happening. The ICO confirms that in the context of analytic cookies, explicit opt-in consent is difficult and problematic in practice, therefore the ICO recognises that 'implied consent might be the most practical and user-friendly option'.
A welcomed clarification?
For many businesses embroiled in the process of completing a cookie compliance solution, this may be seen as a relief due to the technical headache involved in developing an opt-in consent mechanism and adding a barrier to their website user experience.
However, this clarification does not change the obligation to provide users with 'clear and comprehensive information' and also obtain 'consent'. This means that while a direct action (eg ticking a box) by the website user is not required, there will still be required clear and relevant information, together with a description of how an indirect action by the website user will amount to an implied consent.
DLA Piper's EU Information Law team have developed a robust methodology to assist organisations through the complex rules relating to compliance with cookies and can assist organisations by undertaking a cookies audit, suggesting compliance options and assisting in the implementation of a commercially viable cookie compliance solution.
For further information please contact:
Paul McCormack, Solicitor, EU Information Law Team
+44 (0)114 283 3274
Cameron Craig, Partner and Head of DLA Piper's EU Information Law Team
+44 (0)114 283 3050
International Chamber of Commerce UK Cookie Guide - April 2012
DLA Piper's EU Wide Cookie Compliance Summary (How the E-Privacy Directive has been implemented across the EU) - Updated March 2012
DLA Piper Alert - Approaching deadline for cookie consent law compliance - 1 May 2012
This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.
Copyright © DLA Piper. All rights reserved.
Launch of Cab Cribs app
Our popular Cab Cribs series is now available as an app for free download onto iPhones, iPads and most Android phones and tablets.
During commercial negotiations you may not have time to take advice but need to quickly jog your memory on what key concepts mean in practice – these handy guides act as quick-reference crib sheets to remind you.