The Information Commissioners Office has released updated advice on the guidance on changes to the EU cookie law, and it's a little less restricting than the guidance everyone has been working to over the last 12 months.
The last minute update to the cookie law – it was announced on the ICO blog on the 25 May, the day before the law was due to be enforced - has some clarifications around implied consent:
- Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
- If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
- In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
The ICO uses a patient visiting a doctor as a description of implied consent
"if a patient visits a doctor this act alone would not be taken as indication that the patient consents to examination, treatment or the recording of health information. The patient and doctor would hold a conversation during which the doctor might offer an invitation to the patient to lie down on an examination couch. In the context of this exchange the doctor might now be able to infer consent from the patient's actions based on the fact that there is a shared understanding of what is happening."
The full ICO cookie guidance – including the last-minute update – can be found on the ICO site as a PDF and there's a new video that answers some frequently asked questions such as .
- How can UK organisations comply with the new cookies changes?
- Is the ICO concerned that many websites aren't yet compliant?
- What approach will the ICO be adopting to enforcing the amended cookies laws?
- What are the benefits of complying with the new cookies regulations?
- What should members of the public do if they are concerned about cookies being placed on their device?
- How is the ICO working with web browsers and third party advertisers to ensure they comply with the changes?
The ICO caveats the video link with "NB: playing YouTube video sets a cookie – more info" Is this really what they intend every website to explain before they have a link to a new site, or on an embedded video? Let us know what you think of the law and the changes.