Watered-down EU cookie law comes into force with last-minute changes

A controversial new series of online privacy rules has come into effect within the European Union’s 27 member countries, requiring companies to obtain consent to track individuals’ actions online.


In a surprise move, the Information Commissioner’s Office (ICO) has changed the wording of the laws, moving from needing ‘explicit consent’ to ‘implied consent’ from website users.

This means that websites can assume that users have consented to their use of the cookies, provided they are ‘satisfied that your users understand that their actions will result in cookies being set’.

Sites rely on cookies to store data such as online shopping baskets, identification and other user preferences, and requiring users to agree to each instance would subject them to a blizzard of decisions about acceptance or refusal.

The EU Privacy and Electronic Communications Directive, initially approved last year, was delayed to give companies time to adapt marketing processes to the new requirements.

During planning stages for the new law, the ICO had said that implied consent would not work, but on Thursday the ICO changed its mind and said that informed consent would suffice.

To help in the battle against the misuse of cookies, the ICO is launching a tool for the public to report non-compliant websites.

The owners of non-compliant websites face fines of up to £500,000, but the ICO has said it will not be pursuing prosecutions until the new rules have had time to bed in.

This is fortunate, as last week the government admitted the majority of its websites will not be ready in time.

The ICO says May 27th is not a cut-off date but an attempt to help websites focus on their cookie use.

Among other requirements, companies must secure their opted-in user data and inform users about data that third parties store or access. Companies violating the new law are subject to fines.

The updated guidance provides additional information around the issue of implied consent:

- Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.

- If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.

- You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.

- In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
