Clarifying cookie consent
This article was first published in Data Protection Law & Policy in April 2012.
- The law is already in force – Many mistaken headlines have been written about the coming into force of the cookie consent requirements in May 2012. That's actually a year behind the real date. In the UK at least, the requirement has been in place since 26 May 2011 even though the UK Information Commissioner publicised its intention not to enforce the law for at least a year. Most other EU Member States – with the notable exceptions of Germany and the Netherlands – have also passed national laws implementing the consent requirement under the e-privacy directive.
- Monetary fines for non-compliance in the UK are unlikely – Again, rather sensationalist headlines have been published with references to potential £500,000 fines being issued by the UK Information Commissioner. As it happens, the chances of the ICO ever issuing a single monetary fine for not complying with the cookie consent rule are virtually nil. That is not because the Information Commissioner does not care about this issue but because the conditions regarding the seriousness of the breach and the damage or distress to individuals are very unlikely to be met. Other countries may of course have a lower threshold for fines to be imposed.
- Implied consent still requires demonstrable behaviour – Much of the debate to date has centred on the scope for implied consent – that holy grail of compliance that does not involve ticking boxes or clicking on ‘I Accept’ buttons. However, the notion of consent (however we want to qualify it) still involves a clear understanding of what we are agreeing to. So if implied consent is going to be relied upon, it will have to be obvious to the average user what is happening, which in practice means that, as a minimum, a suitably visible and clear notice must be displayed and made available for long enough to be seen and digested. Anything less than that would make it very hard to argue that consent was obtained and is likely to be dismissed as insufficient by regulators and the courts.
- Lack of enforcement does not prove compliance – Finally, many of the decisions regarding compliance with the cookie consent requirement are driven by the possible risk of enforcement. In practical terms, this often translates into doing as little as possible to avoid regulatory scrutiny irrespective of whether the mechanism deployed is compliant or not. Accordingly, as so far no European regulator has taken any enforcement action in this area, the perceived likelihood of enforcement risk is low, which means that hardly anyone is complying with the law.