Three truths about cookie consent | Fieldfisher

Three truths about cookie consent

01/05/2012
Less than a month to go until the first anniversary of the implementation of the amended e-privacy directive in the UK, which will coincide with the end of the self-imposed moratorium on enforcement of the 'cookie consent' requirement by the UK Information Commissioner.  With that in mind, it is a good time to come clean on some of the inaccuracies that seem to be circulating in relation to compliance with this requirement:

*   No one will get fined for cookie consent breaches under the current UK law - Despite the sensationalist claims made by some, the truth is that the threshold for monetary fines under UK data protection law is so high that fines for this type of breach (in the UK!) are extremely unlikely.  However, it would also be extremely foolish to assume that in the absence of fines, non-compliant websites are simply off the hook.  Quite the opposite.  The ICO will focus instead on ensuring that infringing sites are forced to get their house in order within a limited period of time and therefore, both undertakings and enforcement notices will become the preferred enforcement tool in this area.

*   Implied consent does not mean business as usual - Much of the debate to date has centred on the scope for implied consent - that holy grail of compliance that does not involve ticking boxes or clicking on 'I Accept' buttons.  However, the notion of consent (however we want to qualify it) still involves a clear understanding of what we are agreeing to.  So if implied consent is going to be relied upon, it will have to be obvious to the average user what is happening, which in practice means that, as a minimum, a suitably visible and clear notice must be displayed and made available for long enough to be seen and digested.  Anything less than that would make it very hard to argue that consent was obtained and is likely to be dismissed as insufficient by regulators and the courts.

*   Sticking the words "By using this site you agree to..." in a privacy policy will NOT cut it - Finally, a word of caution to those who have received or seen guidance to the effect that consent may be obtained by functional use only - i.e. by sticking the words "By using this site you agree that we can place cookies on your device" in a privacy policy or cookie notice.  Needless to say, unless one can show that the notice was read (which is unlikely if it sits behind a minute link at the bottom of a website), the informed consent requirement will not be met.

So to comply with this requirement and as mentioned in the past, a prominent notice, a simple explanation and an opportunity to take a view on whether to accept or reject cookies will go a long way, but only if they move from a wish list to action.
