Just before we reached the EU cookie law 'deadline' on May 26, the ICO issued updated guidance for compliance, which expanded on the notion of implied consent. 

This was met with anger by some who saw this as a last minute changing of the goalposts, so I caught up with the ICO's Dave Evans to ask about this. 

He also talks about how the Information Commissioner will judge the 'success' of its implementation of the EU e-Privacy directive and why sites should be open with users. 

What has changed in the updated guidance released at the end of May? 

We always said the guidance wasn’t a tablet of stone, and the 2011 version was never intended to be the final word. This iteration, which will not be the last, expanded on the implied consent section. It has always been a valid form of consent.  

A year ago, people were talking about it as if implied consent meant not doing anything. It doesn’t mean this, but it can be a valid way to comply. 

There are things you can do to ensure that you are gaining valid consent. For example, if sites make it clear that they are using cookies, and continued use of the site means that you are accepting this, then this is a valid approach. 

It doesn’t have to intrude on the user experience, and a lot of sites I have seen are getting the message across without putting obstacles in front of users. 

There was much anger from websites and developers at the perceived moving of the goalposts with this updated guidance. How do you respond to that? 

We haven’t changed the rules, it’s the same as it was 12 months ago. All we have done is to give a bit more detail within the guidance. I think a lot of people have assumed that you must get opt-in consent by the guideline or the ICO will come and get you, but this is not our approach. 

Does this mean implied consent is now acceptable for all types of cookies? 

If sites are doing something different from the norm with cookies, perhaps using consumer data in a way that some would worry about, then maybe warnings need to be clearer. 

As far as I can tell, very few e-commerce sites have done much about this. John Lewis and others have made cookie policies more prominent and linked to detail on cookies - is this enough in your view? 

I think in many cases, this is the first stage of a longer-term plan for compliance, and not the end of the road.

Also, many smaller retailers may rely on the work that the bigger, more visible e-commerce sites are doing to educate customers about cookies. 

These smaller businesses could take a softer line as the education work has already been done i.e. as users are used to the fact that sites like the BBC and John Lewis set cookies, they expect it from every site.  

Should they list cookies in detail? 

This depends. The main point to get across is why cookies are being used, for analytics or whatever, I think most web users just want to be reassured that nothing untoward is going on. This is more important than listing the different types of cookies in detail.  

I think many web users haven’t a clue about what cookies sites use, and many are simply not interested. 

If the aim of the e-Privacy Directive and its implementation in the UK is to raise awareness of privacy issues surrounding the use of data by websites, how will you judge whether or not this has been successful? 

We’ll be looking at the feedback and complaints we receive from web users, for example, if there are any particular issues in individual sectors that raise cause for concern. This feedback will tell us how serious an issue this is for web users. If there are relatively small numbers of people complaining, there may be no need for further action. 

However, if there are concerns about organisations which have taken a softer approach, then we would expect the, to go further. The proof of the pudding will be how consumers continue to use websites. If they see cookie information, know where to find it if the need it, and carry on using sites as normal, then there ,may be no issue. 

If there is no compulsion to comply, and websites can simply wait for letter/consumer complaints before they have to take action, why should they bother to comply? 

If you think you have to do something, why not take this action and make it fit in with your plans rather than wait for the ICO to tell you? 

Waiting for that letter from the ICO is not a good idea. The solution we agree with you may not be as good as one you could have volunteered yourself. Also, the more people get used to seeing information about privacy and cookies on the sites they visit, the more it becomes easier to spot the websites that have done nothing. 

Customers may wonder: what are they not telling me? Do they have something to hide? 

I think there are benefits to being open with consumers, and they are more likely to trust sites that take this approach. The directive does present a challenge for online business, but it’s also an opportunity to be more upfront with users. 

Graham Charlton

Published 6 June, 2012 by Graham Charlton

Graham Charlton is editor in chief at SaleCycle, and former editor at Econsultancy. Follow him on Twitter or connect via Linkedin.

2566 more posts from this author

You might be interested in

Comments (9)

Save or Cancel

Tyler Vautier

What a joke.

This has to be the most misguided attempt at controlling the internet ever.

The most distressing part is that 99.99% of all websites use cookies to provide their users with a better experience. Whether this is showing them relevant ads and products or using analytics to identify problem areas of the site and create a better customer experience.

Aside from that, the ICO doesn't have the resources needed to police all of the UK's sites. In my mind, it's best to sit back and wait for a letter. A letter that won't show because any decent e-commerce site already lays out to customers how cookies are used and how their data is protected.

about 6 years ago


Amy Nicholson, Head of Editorial Client Services at Sticky Content

We’ve worked with lots of our clients on their cookie policy messaging. While I appreciate that as Dave says, this issue of implied consent vs informed consent hasn’t, from his point of view, changed, it’s not hard to see why some people reacted with anger to the latest update.

The guidance from Dec 2011 is a 27-page document, which repeats phrases like “must obtain their consent”, “valid, well-informed consent” and “informed choice” throughout. To my mind, implied consent is not informed, and what would have been helpful is a more succinct explanation of consent and how you can gauge whether or not you’ve got it.

The best message to take from this is that educating web users in standard web practices and operating with transparent processes around function and data collection will only lead to a better web experience.

Speaking to your users with transparency and clarity should be the norm, not the exception. Perhaps this is something the ICO may wish to consider for the future?

about 6 years ago

Mark Chapman

Mark Chapman, Director at the eConsultant

The ICO seems to be trying to cover up a multitude of poor communications in recent months. And the ICO still doesn't get it... the Web, the digital industry etc, when they wander about the media and any outlet that will allow them to speak threatening everyone.

At one point, government sites' non-compliance was considered ok while commercial sites were still being threatened. I'm not sure that is still the case isn't it?

So that's one law for the bullying legislators, and another for those creating wealth for this country. Important to stand up to this legislative bullying.

It is not the mark of civilised government to threaten law-abiding citizens with legal action, penalties, huge fines etc (presumably imprisonment too). This type of law-making comes across as dictatorial and also paranoid.

Digital practitioners and the world of commerce do not need a government quango to tell them, like children, to do what they're told.

The core message the ICO, and the Law, should focus on is that - from a customer and company / organisation perspective - abusing customers' data and privacy is the issue, not the humble innocent cookies used daily across the Web which, let's be honest, just ensure website visitors have a decent experience.

There is, it seems, an issue about best reassuring website visitors so they better trust a company's / organisation's online operations - but that applies offline too.

Digital and traditional business / organisation leaders and their teams need to work to develop more trust. Business can grow through trust.


about 6 years ago


Kevin Nutsford

What a complete and utter waste of time for companies and web developers.

The legislation has always been so unclear and open to interpretation that surely that any case of ICO actually trying to fine a company £500,000 just would not stand up in court.

It's not about moving the goalposts. The problem is that nobody has really known where the goalposts were in the first place!

about 6 years ago

Graham Charlton

Graham Charlton, Editor in Chief at SaleCycle

@Kevin - I'd be amazed if any site was ever fined for this.

about 6 years ago

Mark Chapman

Mark Chapman, Director at the eConsultant

The ICO was on BBC this morning. Did anyone hear him? Should be in the Today programme recording here (although it's not online yet as i type; imagine it's being prepared) - http://www.bbc.co.uk/iplayer/radio/bbc_radio_four/20120608

about 6 years ago


Si Wilkins

This reasonable language from the ICO would be fine if it wasn't so far opposite from everything they said in the run-up to the deadline.

about 6 years ago

Mark Chapman

Mark Chapman, Director at the eConsultant

There have been quite a few strands to this issue. A major one is the cost and sheer hassle to business and other organisations implementing this law in these very difficult and hard economic times.

Commercial enterprises are working to generate wealth and pay themselves - as well as pay taxes.

And then along comes this extra burden, being driven by politics in some way.

The EU and the Government really need to look at their processes; why harm business at this time? Are consumers being greatly harmed at present?

Another key issue at this time is why was there no attempt to allow the digital industry to self-regulate? Just come along, bang out a law, then threaten everyone everywhere with legal action. Charming.

To adapt Winston Churchill: "Never has so much been written about something so little of relatively little interest to so many."

(Or so we thought... until now.)

about 6 years ago




Good article, thanks. I have developed a few websites and am considering the best approach to obtaining 'implied consent' from my visitors.

I only use user value enhancing cookies like Analytics, but is it really necessary to have a pop-up window at all (either just mentioning the fact that cookies are being used, or with an opt-in/out button), when the majority of sites merely expanding their cookie info pages?

If not, then the concern for web developers is whether another amendment will come in soon stating that all websites must have a pop-up of some kind. It's hard to know whether to say to clients they should have a pop-up now and charge them accordingly, or just create a new cookie page and hope that will be sufficient for the future.

Any help with the question above would be really appreciated.

almost 6 years ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.