A grace period during which the ICO did not enforce new laws ends this weekend.
Cookies are small text files that record internet users' online activity. Websites store the information on a user's computer, but EU laws say users should be allowed to choose whether or not to accept cookies or not. Changes made last year to the UK's Privacy and Electronic Communications Regulations (PECR) mean that website operators must now generally obtain users' "informed consent" to cookies.
The ICO has now issued updated guidance (31-page / 402KB PDF) on how organisations can comply with PECR and confirmed that valid consent can be gleaned from internet users through non-explicit means.
"Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices," the ICO's new guidance said. "While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant."
"Website operators need to remember that where their activities result in the collection of sensitive personal data such as information about an identifiable individual’s health then data protection law might require them to obtain explicit consent," it said.
In a blog Dave Evans, the ICO's strategic liaison group manager for business and industry, said that implied consent is valid as long as website operators are "satisfied that [their] users understand that their actions will result in cookies being set." He added that "without this understanding you do not have their informed consent."
Organisations that fail to provide easy access to information about cookies and that do not make the information easy to understand may not be said to have obtained implied consent, Evans added.
"To rely on implied consent for cookies, then, it is important that the person seeking consent can satisfy themselves that the user’s actions are not only an explicit request for content or services but also an indirect expression of the user’s agreement that in addition to providing such content or services the provider may store or access information on the user’s device," the ICO's new guidance said. "To be confident in this regard the provider must ensure that clear and relevant information is readily available to users explaining what is likely to happen while the user is accessing the site and what choices the user has in terms of controlling what happens."
Users' actions on a site can also show an indication of their wishes and can lead to them implying their consent to cookies, the guidance said. However, it said that "how far a course of action can indicate the individual’s wishes will depend to a large extent on the context in which the action is taken."
"Consent might be inferred from a series of user actions which do not in isolation constitute a direct expression of the user’s thoughts about cookies – they have not, in effect, ticked a box accepting cookies – but which in context act as a strong enough indication that they agree to cookies being set," the ICO's guidance said. "User actions can only give a strong enough indication if there is a shared understanding of what is happening."
"An example might be that the user is given a clear and unavoidable notice that cookies will be used and on that basis decides to click through and continue to use the site. Without such a clear notice it is difficult for the person seeking consent to interpret the user’s actions as being any meaningful indication that the user was happy for cookies to be set."
On Monday Out-Law.com reported on deputy Information Commissioner David Smith's confirmation that website operators could glean consent from internet users even if those individuals have not "directly" submitted personally identifying details to the site.
Last year the ICO placed a year's hiatus on enforcement action in order to enable organisations time to set up mechanisms for obtaining that consent. That grace period expires tomorrow.
Consent can also be gleaned from preferences that users choose when visiting a website. Website features, such as videos, that remember how users personalise their interaction can also determine user consent. The ICO has said it is up to individual operators to establish which mechanism for obtaining user consent to cookies is appropriate for their websites.
Website operators do not need consent to serve every kind of cookie. If a cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – such as cookies that take a user from a product page to a checkout – then consent is not required.
Out-Law.com today implemented its consent-gathering mechanism to ensure compliance with the law.