DATA PROTECTION, PRIVACY
Internet, Technology


Following on from Simkins’ earlier report (http://www.simkins.co.uk/ebulletins/LJAuktoughcookie.aspx), the ICO’s grace period for cookie compliance came to an end on 26 May 2012. The ICO has now also revised its guidance on the use of cookies.

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

The revisions consist of new commentary on the scope for reliance on implied consent. The ICO acknowledges that implied consent can be a valid means of obtaining the user’s informed consent – especially in the case of analytics cookies, where implied consent may be a more practical and user-friendly means of obtaining consent.

If the site operator is to rely on implied consent, the user must take some kind of step (such as visiting a website, navigating to a certain page, or clicking on a particular button) from which the user’s consent to the setting of cookies can reasonably be inferred.

Simply visiting a website is not enough to imply consent on its own: there must be a sufficient indication that the user understands and agrees that, in addition to providing content or services, the site operator may store cookies on the user’s device. Implied consent depends, therefore, on providing the user with clear and readily available information about the site’s use of cookies, and on obtaining a “strong enough” indication that the user is aware that using the site will result in the setting of cookies.

That indication need not be an express opt-in: it could arise from an action (or series of actions) that may not directly express the user’s preferences about cookies, but which, in the context, indicate that the user agrees to the setting of cookies. The ICO does not offer any prescriptive guidance on what is sufficient to achieve this: it will be a question of fact in each case. Factors to be taken into account include the nature of the intended audience (in particular, their level of technical awareness), the way in which users expect to receive information from the site and the kind of language that is appropriate for the audience.

Site operators should, therefore, consider the best means of obtaining informed consent in light of the new guidance and in the context of their own site. Many will prefer, wherever appropriate, to avoid express, opt-in consent, which might result in a low acceptance of cookies (and perhaps an unwelcome interruption of the user experience). The guidance clarifies that different technical means can be used to bring information on cookie settings to users’ attention. These could include pop-up boxes or buttons with links – or other means, but only if the route to the information is given sufficient prominence, such as a link placed “above the fold” and/or with highlighted, self-explanatory text.

This update is by Ed Baden-Powell and © Michael Simkins LLP. This update is for general guidance only. Legal advice should be sought before taking action in relation to specific matters. http://www.simkins.com