Following on from my recent post about the EU Cookie Directive (and an email my agency sent to clients in the run up to May 26th) I thought I would update readers on changes in the Information Commisssioner’s Office (ICO) approach to enforcement.

On May 24th, just two days before the compliance due date, the ICO changed its position regarding implied consent. Previously, the ICO had stated that website owners could no longer rely on the concept of implied consent for compliance with the cookie directive. In other words, we were told that it would not be enough to state in our privacy policy pages that a site uses cookies and assume that, if a user continued to access our site, they consented to have those cookies downloaded to their devices. The guidance stated that we had to have explicit consent before any non-essential cookies could be loaded into a webpage.

However, the ICO stated in its revised guidelines of the 24th that implied consent was now acceptable. This has come as a great relief to many site owners, as the task of implementing explicit permission solutions posed a significant challenge, and for some sites would be prohibitively expensive. Although, by leaving the announcement until two days before the legislation was due to come into force, it meant that many companies had already gone to the trouble and expense of deploying solutions.

The new guidance doesn’t let website owners entirely off the hook, however. The legislation’s requirement for more detailed descriptions of which cookies are in use on a site, and what role they serve still applies. Also, if your site uses intrusive tracking cookies for the purposes of advertising or recommendations, explicit consent may still be required.

So, in the light of this shift of position, my agency’s advice to clients is to do the following:

1. Conduct a full site-wide audit of all cookies in use on your site(s)
2. Update your Privacy Policy page to include detailed descriptions of what cookies are present, and what they are used for. Include also information about cookies used by third party services such as Google Analytics, Facebook, YouTube and others, and provide links to the cookie information pages of those services/sites
3. In that Privacy Policy page offer guidance to users on controlling cookies in the settings of all the major web browsers
4. Change the title of your Privacy Policy to something like “Privacy & Cookies Policy”
5. Feature a link to the new policy page prominently in the footer or header of your site.
6. If your site features a lot of third-party advertising determine if an explicit consent solution is required, then work with your in-house or external web team to develop and implement an appropriate solution
7. Develop a plan for monitoring and managing your site’s cookies going forward

For additional information you can read the ICO guidelines here.  If you’d like further advice or help in making your site compliant, feel free to contact my company, we’d be happy to help.

Derek Gavey (Flickr)