That's The Way The Cookie Crumbles

Jack Simpson

Head of Marketing and Communications

Those who believe in telekinetics, raise my hand.

This weekend saw the end of the 12-month period given to British websites by the Information Commissioner's Office (ICO) to comply with new legislation regarding informed consent and cookies.

The new EU legislation, announced in May 2011, requires websites to ask users for their ‘informed consent’, and will divide the type of consent into different categories.

However, on 25th May 2012, the Information Commissioner's Office released new advice on the guidance given last year. The last-minute update to the cookie law (the day before the law was due to be enforced) proved to be less restrictive than what everyone had been working towards. The policy was changed to allow organisations to use ‘implied consent’ to comply, meaning users do not have to make an explicit choice over their information being stored.

Doing a little research for this blog, I realised I wasn’t 100% sure what a cookie even was! Apart from the ones you eat, obviously. (I made some peanut butter cookies over the weekend and they were pretty good, I must say!) But anyway, back to internet cookies… What are they?

A cookie is a small file, typically of letters and numbers, downloaded on to a device when you access certain websites. Cookies are then sent back to the originating website on each subsequent visit, allowing it to recognise your device.

What’s implied consent? Implied consent is now a valid form of consent according to the ICO. It puts responsibility on the user rather than the website operator, which is better news for businesses struggling to comply with the new directives.

The ICO website has some clarifications around implied consent:

• If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.

• You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.

• In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

The ICO will not be actively investigating sites unless complaints are made. Businesses will develop their own solutions as they will know how and why customers use their websites. That’s exactly what Web Applications will be doing: performing an audit to determine the scope of the problem, declaring a cookie policy and then obtaining consent from users to set more intrusive cookies.

The public are being encouraged to voice any cookie concerns by using a tool on the ICO website, meaning the ICO will know where to focus their priorities. Non-compliant website owners face a fine of up to £500,000, but this was said to be in cases where a serious breach has occurred.

The change to the cookie law gives businesses more time to comply as it was recognised that most websites would not meet last weekend’s deadline. From the