ICO flip-flops on UK cookie-consent law.

[borgs8472]

The new cookie compliance rules come into force today (26th May)

But at the 11th hour suddenly:
http://www.ico.gov.uk/news/blog/2012/up ... e-law.aspx

Implied consent is a valid form of consent

To quote the blog that raised this issue to me:
http://h30565.www3.hp.com/t5/UK-Edition ... /bc-p/4111

With these innocent-sounding eight words, the ICO has radially shifted the goalposts for most website owners. Depending on the context, there may now be no need to get users to click a button or checkbox, as long as your users understand that using the site will result in cookies being used.

While I welcome the change, it would have been far better for the ICO to have changed their minds much sooner -- say, a year ago. The industry has been telling the regulator that the "specific and informed" clause was unworkable for much longer than that.

I know for instances that major websites I've been working with have been applying loads of auditing and development resources to fix an issue that everyone knew (well I did) would never happen.

In my opinion this is a typical example of legislating first, working out the consequences of implementation second - something we see in many of our issues.

[Duke]

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information[/b] in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user. ([a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML"]Source[/a])

It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. ... Where it is technically possible and effective, [...] the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. ([a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:01:en:HTML"]Source[/a])

I'm not sure that statement from the ICO is particularly dramatic. All it is saying is that consent can be implied (presumably by conduct). But that doesn't mean that implied consent is sufficient - by my reading of the Directive, what is important is the right to refuse the processing, and the clear and comprehensive information about what is happening. Consent alone (either implied or express) isn't enough, you need informed consent. It may not be enough to know that cookies are used, but also what they do, how they work etc.

Not that it really matters for most sites, as I don't imagine the ICO will be going after everyone for non-compliance.

As for the ICO changing their position at the last moment (if they have), that's just silly. this Directive was passed in December 2009 - it's not like it's crept up on anyone...