The UK’s privacy watchdog no longer requires the explicit consent of visitors to its website in order to serve them with cookies. Instead it will adopt a policy of implied consent.
In 2009 the EU’s Privacy and Electronic Communications (e-Privacy) Directive was changed to the effect that cookies – small text files that record internet users’ online activity – could only be lawfully stored and accessed on users’ computers if the user concerned had given his or her “freely given, specific and informed” consent.
This was introduced into UK law via amendments made to the Privacy and Electronic Communications Regulations (PECR) which came into effect in 2011 under which the ICO has the power to fine those that fail to comply up to £500,000.
Regarding the changes to its policy the ICO has commented:
“We first introduced a notice about cookies in May 2011, and at that time we chose to ask for explicit consent for cookies. We felt this was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for. We also considered that asking for explicit consent would help raise awareness about cookies, both for users and website owners. Since then, many more people are aware of cookies – both because of what we’ve been doing, and other websites taking their own steps to comply. We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.”
It appears, then, that the ICO is now following its own guidance, issued in May last year, in which it stated that organisations could rely on website visitors’ implied consent in order to serve them with cookies provided that website operators were satisfied that their users understood that their actions would result in cookies being served.
For further advice please contact us at firstname.lastname@example.org.