Along with much of the European web industry, I spent last week fielding calls from clients, asking whether their site was compliant with the rules – or perhaps more accurately, whether they were facing a £500,000 fine, like they’d heard on the news.
As ever with these things, it boiled down to choosing a role model, and copying what they were doing. The Government Digital Service and DCMS (as lead department) were both taking an ‘implied consent’ approach, with pages listing and justifying the use of each individual cookie; and the BBC, initially, were doing likewise. That was good enough for most people.
(Late in the week, the BBC actually changed tack, and introduced a new ‘explicit consent’ approach. Thankfully, most of my contacts had bought into ‘implicit consent’ by then.)
And then, outrageously late in the day – a scorching hot leave-work-early Friday at that, the ICO cracked.
Posting on their corporate blog, Dave Evans announced that their guidance had been updated to ‘clarify’ that implicit consent was a valid form of consent, as long as you were ‘satisfied that users understand that their actions will result in cookies being set.’ In other words, implicit consent with appropriate information was absolutely fine.
It was the only sensible outcome. Constant popups or warning banners would have killed the concept of cookies, which are used – in the vast majority of cases – to make things easier for users. It would have undermined most websites’ traffic analysis. And besides, with third-party services from sharing to embedding now common on every web page, I’m not convinced any technology could have successfully blocked every attempt to drop cookies anyway.
Common sense would seem to have prevailed. Hurrah. But I’m sure a lot of people are less than happy at the ICO’s handling of this.