New detailed guidance for marketers released by the Information Commissioner (ICO)
As of 27th May 2012, the new "cookie law", which is part of the 2011 amendment to the Privacy and Electronic Communications Regulation 2011, is now in force. Just before the new law came into force there was a dramatic change in guidance from the ICO, stating that "implicit consent" is now the main requirement. If you're involved with managing websites, we recommend you download the new PDF from the ICO, read our short summary below or read the Guardian announcement.
In a separate post we've taken a look at examples of how UK companies are complying with the UK cookie law.
Summary of 25th May 2012 recommendation from the ICO download
The big change in Version 3 of this document is the additional detailed guidance on implied consent. The previous guidance in December 2011 explained that "implied consent" wasn't acceptable and explicit opt-in was required:
In a softening of the stance from the ICO in May 2012, just before the law was introduced, it seems that implied consent is acceptable:
The next page in the new guidance shows how implied consent can work: moving from one page to another where there is a prominent message "above-the-fold" can be taken as implicit consent:
We think this implementation on The Guardian is a good example. Some cookies are placed initially; when the user navigates to another page, the message is removed and additional cookies are placed. We think this is compliant under "implied consent" and it doesn't interfere with user experience:
So overall, we think the new guidance is positive for marketers since it acknowledges the practicalities of implementing changes given that existing technology serves cookies and users often won't click to give explicit consent.
18th May 2012 recommendations
David Smith, deputy commissioner of the ICO, recently announced clarification of what is required from UK businesses at a press conference and gave details of the action the ICO will take. In summary, Smith explained these steps the ICO will be taking:
- Evidence of taking action is most important, for example: completing a cookie audit, making an action plan and updating privacy statements so they are clear
- No immediate fines are planned - evidence of taking action is most important
- Sites outside the EU such as Facebook, Google and other businesses don't need to comply.
Our summary of the detailed December 2012 cookie guidance
Through 2011 we have written updates on this new privacy law, specifically how it affects cookie use on websites and how it affects analytics - that post showed an alarming drop in recorded visits when cookie opt-in was implemented by the ICO. The guidance when the law was initially introduced was limited, so with the grace period not so far off now in May 2012, the new much more detailed guidance is welcome and it is much clearer. I’ve picked out 4 of the main things which are important:
1. You must obtain consent for cookies
Note that many still don’t adhere to the original 2003 PECR law…
2. There are exceptions
Exceptions on the left may help retailers, but opt-in to analytics and third-party advertising is required and there is no current general method for this - these cookies operate under opt-out currently.
3. Browser settings don’t help
We blogged in November that the new W3C Browser settings could help with compliance for this law. But unfortunately not…
4. Review the implementation example
Wireframes with ideas on implementation are now provided. It seems that pop-ups or footer bars may be the most practical option with the ICO suggesting that cookies could be set on the second page view - that’s easily said - not so easy to implement in practice since most sites and analytics set cookies on the first page view.
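A sketch of the second-page-view approach described above, as an added example that is not code from the ICO guidance or from any site mentioned here. The cookie names, the `refused` value (written by a hypothetical opt-out link in the notice) and the `loadAnalytics` callback are assumptions.

```javascript
// Added example. Cookie names and values are hypothetical.
const NOTICE_COOKIE = "cookie_notice_shown"; // marker written on the first page view
const CONSENT_COOKIE = "cookie_consent";     // "implied" or "refused"

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;               // skip malformed fragments
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Decide what this page view may do, based only on cookies already present.
function decidePageView(cookieString) {
  const jar = parseCookies(cookieString);
  if (jar[CONSENT_COOKIE] === "refused") {
    // Visitor used the opt-out link: never load non-essential cookies.
    return { showNotice: false, loadNonEssential: false, set: [] };
  }
  if (jar[CONSENT_COOKIE] === "implied") {
    return { showNotice: false, loadNonEssential: true, set: [] };
  }
  if (jar[NOTICE_COOKIE] === "1") {
    // Second page view: the notice was shown and the visitor kept browsing.
    return { showNotice: false, loadNonEssential: true,
             set: [`${CONSENT_COOKIE}=implied`] };
  }
  // First page view: show the notice above the fold, hold back analytics.
  return { showNotice: true, loadNonEssential: false,
           set: [`${NOTICE_COOKIE}=1`] };
}

// Apply a decision in the browser. The analytics tag must be injected here,
// not hard-coded in the page HTML, or it sets cookies on the first view anyway.
function applyDecision(decision, doc, loadAnalytics) {
  for (const pair of decision.set) {
    doc.cookie = `${pair}; Path=/; Max-Age=31536000; SameSite=Lax`;
  }
  if (decision.loadNonEssential) loadAnalytics();
}
```

In a page this would be called as `applyDecision(decidePageView(document.cookie), document, loadAnalytics)`, with the notice rendered when `showNotice` is true.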
Here, for reference, is the full guidance published in the ICO post:
Marketing implications of the new guidance
The date to be aware of is 26th May 2012; however, the Information Commissioner has said in a recent blog post that:
“There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there”.
So there is not a threat of legal action if you are following the advice to achieve compliance. Interpreting the guidance, this suggests that by this date you should have:
- Implemented or be working on implementing a method of offering opt-in to cookies.
Of course, 1 and 2 are relatively straightforward; it is 3 that is challenging! Here you are very dependent on integration with third-party systems - cookies are essential for offering login.
We’d be interested to hear about solutions to 3 that are available or you are working on as a client or a vendor/agency.