The UK Information Commissioner's Office is working hard trying to find the right balance between being realistic in its interpretation of the new cookie consent requirement whilst ensuring a decent
The UK Information Commissioner's Office is working hard trying to find the right balance between being realistic in its interpretation of the new cookie consent requirement whilst ensuring a decent degree of compliance across UK websites.
The ICO's position seems to be that whilst they do not intend to get aggressive for the lack of compliance with the consent requirement, they will be getting in touch with organisations in the event of a complaint about cookies, and they will expect websites (at least large websites) to have carried out an assessment of what cookies they have and started to work towards their cookie consent strategy.
Linked to this approach is the idea of having an "intrusiveness grading" of cookies. This means that the form of consent required will be different depending on the level of intrusiveness. For example, for a first party session cookie (which is not strictly necessary), it would not be unreasonable to assume consent by simply using the website. At the other end of the scale, the regulator would expect a much more carefully thought out consent process.
So here is the homework for UK website operators:
1. Make sure you know what cookies are being served from your website, who is serving them and how they are used. To find out this, you can rely on the technology provided by Sitemorse, a leading supplier of web content governance solutions.
2. Grade the level of intrusiveness by considering factors such as 1st party v 3rd party, session v persistent, life and density. This is a key assessment that will determine the right approach to ensure compliance.
3. Figure out what level of notice and consent is appropriate for your cookies.
Simple! And by the way, the value of this exercise is not limited to the UK, as most other EU countries are likely to follow a similar approach.
The ICO's position seems to be that whilst they do not intend to get aggressive for the lack of compliance with the consent requirement, they will be getting in touch with organisations in the event of a complaint about cookies, and they will expect websites (at least large websites) to have carried out an assessment of what cookies they have and started to work towards their cookie consent strategy.
Linked to this approach is the idea of having an "intrusiveness grading" of cookies. This means that the form of consent required will be different depending on the level of intrusiveness. For example, for a first party session cookie (which is not strictly necessary), it would not be unreasonable to assume consent by simply using the website. At the other end of the scale, the regulator would expect a much more carefully thought out consent process.
So here is the homework for UK website operators:
1. Make sure you know what cookies are being served from your website, who is serving them and how they are used. To find out this, you can rely on the technology provided by Sitemorse, a leading supplier of web content governance solutions.
2. Grade the level of intrusiveness by considering factors such as 1st party v 3rd party, session v persistent, life and density. This is a key assessment that will determine the right approach to ensure compliance.
3. Figure out what level of notice and consent is appropriate for your cookies.
Simple! And by the way, the value of this exercise is not limited to the UK, as most other EU countries are likely to follow a similar approach.