Surprised by the Information Commissioner’s sudden embrace of implied consent when it comes to cookies?
After 12 months during which the digital marketing industry raged against the apparent dying of the light which explicit consent was expected to lead to, a late reprieve appears to have been given. Updated guidance from the ICO now acknowledges that implied consent is more practical than seeking an opt-in. That is pretty much what website publishers have been saying ever since they became aware of the amended ePrivacy Directive.
The actual wording used is important: “For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.” So publishers have to provide some clear and transparent indication that they will be using cookies in order to claim that the user has understood. An audit of the cookies being dropped and a table explaining what they are would therefore appear essential, even if it is placed somewhere on the back of the site.
What is notable about the new guidance, however, is that it does one thing while saying another. The ICO will accept implied consent, but also states that “an explicit opt-in mechanism might provide regulatory certainty”. Marketers might be happy that they can get away with a cookies policy notice or link on the front page, but what will their legal officers think?
We are in new territory in the face of a UK regulator implying that it will not enforce a law that it clearly considers to be bad. Yet this is exactly what many European countries have done for years. Indeed, many right-wing media commentators in this country have complained about the British tendency to adopt European laws early and in full when the rest of the EU appears to ignore them. Italy has led the way in this laissez-faire approach, ever since the shock passing of its Data Protection Act at midnight of 31st December 1996.
Yes, that’s right - while most legislators were out at New Year’s Eve parties, a handful of Italian MPs got the law approved which technically put all data processing in that country onto an opt-in footing. Did data controllers fall into line? No, not least because there was little enforcement of what was clearly a bad law. Italy has since passed a simplification of its law that moves towards an opt-out position. The lesson here is clear - in dealing with European laws, act like the Europeans, but be selective about which ones. With proposals to change all data processing and direct marketing to opt-in, that is a reassuring change in culture.