What has Changed?
Following on from my last blog post, the 26th of May has passed and, according to a recent KPMG study, 95% of companies have yet to comply with the legislation. However, things DID change only hours before compliance was due to come into force. As I mentioned in my previous post, a user must give informed consent before a website operator is allowed to set cookies on their browser. The ICO has now changed its stance and allows “implied consent” for web users. For UK site owners, implied consent moves some of the burden away from the site operator and towards the site visitor.
The ICO has released an updated guidance document, and its new section on implied consent is reproduced below:
“Much of the debate around the so-called “consent for cookies” rule has focussed on the nature of the consent required for compliance. Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices. While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant. Website operators need to remember that where their activities result in the collection of sensitive personal data such as information about an identifiable individual’s health then data protection law might require them to obtain explicit consent.
Early reporting on the new rule led some to believe that an explicit, opt-in style consent would be required for every cookie each time it was set. The Information Commissioner’s guidance made it clear that although an explicit opt-in mechanism might provide regulatory certainty it was not the only means of gaining consent. In some circumstances those seeking consent might consider implied consent as an option that was perhaps more practical than the explicit opt-in model.
Implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for “doing nothing”. In many cases, to create a situation in which implied consent is acceptable to subscribers, users and the regulator it would still be necessary to follow the steps set out in the Information Commissioner’s existing guidance.
To explain further it might be useful to unpack what we actually mean by the term “implied consent” remembering throughout that consent (whether it is implied or express) has to be a freely given, specific and informed indication of the individual’s wishes. For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”
There is quite a lot to take in from this, but I think the most important section is in the last paragraph:
“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button.”
What do I need to do now?
To accommodate implied consent, you need to tell the user clearly which cookies are in use. You should have a link to a privacy policy page, which goes into greater detail about the cookies you use and why you are using them. The Information Commissioner makes it clear that this is not an excuse to do nothing: users must be able to make a conscious and informed decision about cookies when using your site.
The BBC website has a notice at the top of its page which informs the user that, by navigating to another page, they are giving their consent; clicking another link, or the dismiss / OK button on the banner, is sufficient.
However, if you would like regulatory certainty (if you are setting detailed tracking cookies, etc.), then it is recommended to provide users with the full ability to give explicit consent or opt out completely, as described in my previous post. If I get some time, I may come up with a simple SharePoint WSP providing the “basic” functionality if enough people want one.
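The implied-consent flow described above (notice shown first, consent inferred from dismissing the banner or moving to another page, with an opt-out) can be sketched as a small decision function; this is an added example, not code from this post, the BBC or the ICO. The cookie name, its values, its lifetime and the function names are assumptions, as is treating the `notified` marker as a consent record rather than a tracking cookie.

```javascript
// Added example: names, values and lifetime below are assumptions, not from any real site.
const CONSENT_COOKIE = "cookie_consent"; // hypothetical cookie name
const MAX_AGE = 365 * 24 * 60 * 60;      // hypothetical lifetime, in seconds

// Parse a document.cookie-style string ("a=1; b=2") into a prototype-free map.
function parseCookies(cookieString) {
  const out = Object.create(null);
  for (const part of (cookieString || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Build the consent-record cookie (assumes the site is served over HTTPS).
function consentCookie(value) {
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Decide, on every page load, what this page may do given document.cookie.
function onPageLoad(cookieString) {
  switch (parseCookies(cookieString)[CONSENT_COOKIE]) {
    case "implied":
    case "explicit":
      return { showBanner: false, allowNonEssential: true, setCookie: null };
    case "declined":
      return { showBanner: false, allowNonEssential: false, setCookie: null };
    case "notified":
      // The notice was shown on an earlier page and the visitor moved on: consent is inferred.
      return { showBanner: false, allowNonEssential: true, setCookie: consentCookie("implied") };
    default:
      // First visit or unrecognised value: inform first, set nothing non-essential yet.
      return { showBanner: true, allowNonEssential: false, setCookie: consentCookie("notified") };
  }
}

// Handle the banner buttons: "dismiss" (OK) or "decline" (opt out completely).
function onBannerAction(action) {
  if (action === "dismiss") return { allowNonEssential: true, setCookie: consentCookie("implied") };
  if (action === "decline") return { allowNonEssential: false, setCookie: consentCookie("declined") };
  throw new Error("unknown banner action: " + action);
}

// Browser wiring (skipped outside a browser): record the decision for this page.
if (typeof document !== "undefined") {
  const decision = onPageLoad(document.cookie);
  if (decision.setCookie) document.cookie = decision.setCookie;
}
```

Analytics or tracking scripts would be loaded only when `allowNonEssential` is true, so nothing non-essential is set before the visitor has seen the notice.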
I hope this update helps as there is a lot to take in.
I just wondered if you or anyone has seen this implemented on a public SharePoint site? Has anyone applied this without backend development (e.g. JavaScript)?
Tony
Hi Tony,
I am in the process of implementing a JavaScript version into a SharePoint WSP that can be activated on a site collection. This should be finished this week.
Chris
Hi Chris,
I’d be very interested in obtaining this WSP if you’d be kind enough to share it please?
Regards,
Rob.
Hi Christopher.
Did you finish making the SharePoint WSP?