Monday 28th May 2012 by Rich Saddington
As the compliance deadline of the amended Privacy and Electronic Communication Regulations (PECR) Act 2011 approached, the general consensus was to wait and see what other people did before implementing an opt-in consent mechanism.
For agencies and clients this has been a case of getting to grips with the law and understanding the impact it has on their websites. Time has been invested in researching and developing solutions that fit within the law and minimise the impact on users. Due to the detrimental effect on analytics and advertising, website owners have been holding off implementing the solution until the last possible moment.
At the 11th hour the ICO have amended the law, and implied consent is now considered a valid form of cookie acceptance. One key paragraph of the update reads: "Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation", which very much feels like backtracking on the previous iteration, where opt-in was the only viable solution for compliance.
Read the full amended guidelines (PDF)
What does this mean?
This change in the law shifts responsibility from the website owner to the user. Websites can set cookies as long as they notify users that they are doing so, and are no longer required to give users an accept or opt-in mechanism. Google Analytics and advertising cookies can now be set as long as an opt-out mechanism is provided and is clearly accessible.
What does implied consent look like?
A number of sites have already implemented solutions in line with this approach.
The BBC have just updated their approach to a single notification banner that appears on your first visit to any page on the site; clicking continue or continuing to browse the site forces an opt-in. Opting out requires a visit to their cookie settings page, where you can toggle cookie settings.

BT's approach allows you to opt out from within their popup after notifying users that the default setting is to "allow all cookies". The "No, thanks" option acts as an opt-out and prevents future cookies from being set. The popup is displayed for 5 seconds and then disappears completely.

HSBC have implemented a simple notification that displays for the first 3 page views and then disappears.

Our Updated Recommendations
Having reviewed the changes in the law, we've updated our recommendations towards compliance:
1) Perform a cookie audit to identify all the cookies your site uses.
2) Remove any unnecessary cookies from the site. For example, use YouTube's non-cookie domain or switch to less intrusive social bookmarking and sharing tools.
3) List all the cookies in your privacy policy, including first- and third-party cookies. Also include links to any cookie policies for third-party tools and services being used on your site.
4) Make the link to your updated privacy policy prominent. Rename to "Privacy and Cookies" to make it really clear and easy to find.
5) Implement a simple notification to let users know cookies will be set, and link to cookie settings.
6) Implement a cookie settings page where users can opt out of receiving cookies.
Our Cookie Solution
In light of this update to the law we're reviewing our cookie solution; expect an update from us on this soon.
