Out-Law News

ICO to change cookie policy to recognise implied consent

The UK's privacy watchdog will no longer require individuals' explicit consent in order to serve them with 'cookies' when they visit its website.

The Information Commissioner's Office (ICO) has said that anyone who visits its website from "the end of January" will receive cookies. It said individuals will be given "clear, detailed information" about what cookies have been set and will also be given access to an "easy way to remove them" if they do not want them set on their machines or devices.

The ICO said its change in policy was "consistent" with guidance it has issued on obtaining "implied consent" to cookies. It said the purpose of its change in policy was to enable it to "collect reliable information to make our website better".

"We first introduced a notice about cookies in May 2011, and at that time we chose to ask for explicit consent for cookies," the ICO said in a notice on its website. "We felt this was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for. We also considered that asking for explicit consent would help raise awareness about cookies, both for users and website owners."

"Since then, many more people are aware of cookies – both because of what we’ve been doing, and other websites taking their own steps to comply. We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites," it said.

Cookies are small text files that record internet users' online activity. In 2009, the EU's Privacy and Electronic Communications (e-Privacy) Directive was changed to state that storing and accessing information on users' computers would only be lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".

Consent must be "freely given, specific and informed". An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – for example, to take the user of an online shop from a product page to a checkout.

The EU laws were implemented in the UK through amendments to the Privacy and Electronic Communications Regulations (PECR), which came into effect in 2011. However, the ICO elected to place a year's hiatus on its enforcement of the new rules to give organisations more time to find a technical solution that suited them and also complied with the legal framework. The ICO has the power to fine those that fail to comply with the PECR rules up to £500,000.

Last May the watchdog issued new guidance that stated that organisations can rely on individuals' implied consent in order to legitimately serve them with cookies under certain circumstances.

In a blog that was posted at the time the ICO issued its implied consent guidance, Dave Evans, the ICO's strategic liaison group manager for business and industry, said that implied consent is valid as long as website operators are "satisfied that [their] users understand that their actions will result in cookies being set." He added that "without this understanding you do not have their informed consent."

Organisations that fail to provide easy access to information about cookies and that do not make the information easy to understand may not be said to have obtained implied consent, Evans added.
