As has been much publicised in recent weeks, the ICO's 'grace period' for complying with the UK's new cookie consent requirement expires towards the end of next month (25 May, to be precise). Across
As has been much publicised in recent weeks, the ICO's 'grace period' for complying with the UK's new cookie consent requirement expires towards the end of next month (25 May, to be precise). Across the EU, cookie consent requirements are already in force in a number of territories.
What I've found surprising in the run up to the UK deadline is the number of news articles that still complain about how 'stupid' this new law is. While I have a lot of sympathy for these views - from both a practical implementation and academic law standpoint - the time for making these complaints has passed. Rightly or wrongly, the law is here to stay and businesses need to figure out what they're going to do about it.
In fact, perhaps the most difficult thing for many of us to admit (myself included), is that the new law has had a number of very positive effects. It's shone a light on how little many website operators really knew about what they - and others - were collecting through their websites. It's also encouraged a much greater level of transparency around online data collection and encouraged the development of some really innovative cookie control solutions (those with concerns that the ICO opt-in consent banner might become the market norm can breathe a long sigh of relief...)
Businesses that continue to resist the new law risk missing a trick in terms of demonstrating thought leadership and engendering consumer trust (ignoring legal compliance risk for the moment). Since BT adopted its implied consent solution (see www.bt.com), I've had a number of contacts ask me about 'the BT approach' and seen numerous tweets, blogs and articles about it. I don't intend to comment on BT's solution - that's not the point - but I do think it neatly demonstrates that early engagement with cookie consent can deliver real, positive benefits.
So if you're still wondering what you need to do, here's a reminder:
1. Audit your cookie use and work out what you've got.
2. Assess the intrusiveness of your cookies.
3. Adopt a notice and consent strategy (express or implied) appropriate to the intrusiveness of your cookies.
4. Implement forward facing cookie management mechanisms.
One final thought: remember that the law requires "consent", not "express" or "opt-in" consent. While these approaches may be appropriate for certain types of intrusive cookie use, other more sophisticated (and less disruptive) consent approaches can and do exist. For more information, see some of our previous posts (see here) and have a look at our cookie consent tracking table, which shows cookie consent requirements across the EU (here).
What I've found surprising in the run up to the UK deadline is the number of news articles that still complain about how 'stupid' this new law is. While I have a lot of sympathy for these views - from both a practical implementation and academic law standpoint - the time for making these complaints has passed. Rightly or wrongly, the law is here to stay and businesses need to figure out what they're going to do about it.
In fact, perhaps the most difficult thing for many of us to admit (myself included), is that the new law has had a number of very positive effects. It's shone a light on how little many website operators really knew about what they - and others - were collecting through their websites. It's also encouraged a much greater level of transparency around online data collection and encouraged the development of some really innovative cookie control solutions (those with concerns that the ICO opt-in consent banner might become the market norm can breathe a long sigh of relief...)
Businesses that continue to resist the new law risk missing a trick in terms of demonstrating thought leadership and engendering consumer trust (ignoring legal compliance risk for the moment). Since BT adopted its implied consent solution (see www.bt.com), I've had a number of contacts ask me about 'the BT approach' and seen numerous tweets, blogs and articles about it. I don't intend to comment on BT's solution - that's not the point - but I do think it neatly demonstrates that early engagement with cookie consent can deliver real, positive benefits.
So if you're still wondering what you need to do, here's a reminder:
1. Audit your cookie use and work out what you've got.
2. Assess the intrusiveness of your cookies.
3. Adopt a notice and consent strategy (express or implied) appropriate to the intrusiveness of your cookies.
4. Implement forward facing cookie management mechanisms.
One final thought: remember that the law requires "consent", not "express" or "opt-in" consent. While these approaches may be appropriate for certain types of intrusive cookie use, other more sophisticated (and less disruptive) consent approaches can and do exist. For more information, see some of our previous posts (see here) and have a look at our cookie consent tracking table, which shows cookie consent requirements across the EU (here).