This blog entry was contributed by Conor Ward, a partner in the Computer, Communications and Media group in the London office.
For over a year companies have been trying to determine how to achieve compliance with the UK Information Commissioner’s Office’s (ICO) amended Privacy and Electronic Communications Regulations (the “cookies law”), which implemented 2009 amendments to the EU’s Privacy and Electronic Communications Directive of 2002. The law addresses user consent to cookies and similar technologies for storing information on a user’s equipment, such as their computer or mobile device. Last year, the ICO granted a one-year grace period from enforcement to May 26, 2012. Accordingly, as of Sunday, May 27th, websites must obtain “informed consent” from visitors before saving cookies on a machine.
Last week, the ICO issued its third guidance note (May 2012), which outlines the changes to the cookies law and explains the steps that need to be taken to ensure compliance. For the first time, the ICO made it clear that implied consent would be an acceptable form of consent. On implied consent, the ICO stated:
- Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
- If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
- In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
A copy of the guidance note can be downloaded here. The ICO has also set out details of its approach to enforcement, particularly given that many UK sites are unlikely to be compliant on 27th May. Details can be found here.