Link to Menu
Tel: 01924 666432

Guest Blog - Cathy Cook on Cookies

Hello and welcome to the final part of Cathy Cook's blog series on complying with the cookie regime. Click here to find out more about Cathy and read the first two parts of her blog series.

Practical steps to obtain consent

The policy on obtaining consent differs and, at present, the ICO seems to have a more relaxed view than regulators in other EU member states.  

The ICO in their 2012 guidance suggested that implied consent is reasonable in the context of storage of information or access to information when using cookies at least where non-sensitive personal data is concerned. 

Although an explicit opt-in mechanism might provide regulatory certainty there is an acknowledgement that in some circumstances implied consent might be a valid and more practical option. 

Because the ICO is out of step with existing guidance from EU regulators there may be an issue if cookies are placed on the equipment of Non UK EU citizens on the basis of implied consent.

Implied Consent can only be relied on provided that:

  • It is specific and informed. So the information must be given prominently bearing in mind the intended audience and how users will obtain information from the site; and

  • There is some action on the part of the user from which consent can be inferred.  The fact that a user is on a website is not sufficient consent unless there is an understanding that the user knew cookies would be set.  The 2012 guidance does however state that if a clear and unavoidable notice that cookies will be used appears on the landing page and the User continues to browse the site then it will imply consent.

  • Affirmative Consent could be obtained through the use of splash pages or pop up windows including express consent provisions with tick boxes.  This could be problematic as some users employ pop up blockers and so would not see the pop up windows.

  • Static information Banners could be used at a prominent place on the website and can also include a link to the cookie information page.

  • Terms and conditions and privacy policies provided they include relevant information when the user first signs up however it is unlikely that the inclusion of implied consent provisions in the terms or privacy policy would sufficient to comply with new requirements.

  • Features and user preferences when a user selects options to choose preferences in the way he or she uses the website which can also include information about the cookies used to enable those preferences.

  • Third parties such as advertising networks that want to place cookies on users’ equipment through a website that they do not operate themselves will find it difficult to obtain valid consent.  As they don’t have a direct relationship with the user of the site whose online behaviour they wish to track, they will not normally be able to obtain consent through the use of terms and conditions or privacy settings.  The only way to get round this is for website owners to obtain consent by providing information about the third party cookies and to obtain consent on behalf of the third parties.

Final Summary

The above & previous blogs sets out the position to date however, website operators need to keep a weather eye on the situation as there are already planned revisions to the Data Protection Directive (1995/46/EC)  which could make the views of the EU Article 29 Working Party legally binding rather than persuasive as of now.

If you do need help preparing your website cookie policy or privacy policy with practical guidance on how to communicate with your users then please give me a call  Cathy Cook at Jordans Solicitors on 01924 387110

Cathy Cook

Blogs

View all of Cathy's blogs and more using the link below

 Blog

Twitter

You can follow Jordans Commercial on Twitter using the link below

Twitter

Ring

If you wish to speak to Cathy about any of the issues in this blog then please ring the following number:

01924 387110