25 Apr 2012
In January I wrote a blog post – ‘EU cookie directive could make the web less accessible for all’ – in which I highlighted some challenges and concerns around the guidance issued by the ICO.
I stated that it contradicted itself and that the interpretation of the law was inflexible and unworkable for businesses. At the heart of the law is the need for “informed consent” for the storage and retrieval of information on an end user’s device.
The guidance explained that the information needed for consent to qualify as “informed” could be scaled to the intrusiveness of the cookies in question, allowing a proportionate approach, but that the action required to create “consent” had no similar flexibility. However, the examples presented contradicted this by illustrating inferred-consent solutions and suggesting that consent could be collected after cookies had been placed, without explaining when this might be appropriate or how it could be deemed compliant.
This has driven a lot of debate within organisations and amongst digital professionals, as well as a lot of very different solutions ranging from fully compliant, prior explicit consent in the form of light boxes or avoiding placing cookies until consent is given; through to opt out statements in barely visible banners.
Reading between the lines of the ICO guidance, it is clear that the ICO will focus its enforcement energies on cases where no appropriate effort has been made to make users aware, and even then it will be reasonable, encouraging improvement and allowing time for organisations to scale up their response.
Our advice to clients is to understand the spirit of the law and then interpret it in a way which maps to the level of risk the organisation is prepared to take and the context of the business. Here are three examples:
To summarise, we recommend focusing on taking reasonable steps to avoid enforcement rather than full compliance – at least in the short term until it’s clear how companies and the ICO will respond.