Just before we reached the EU cookie law ‘deadline’ on May 26, the ICO issued updated guidance for compliance, which expanded on the notion of implied consent. 

This was met with anger by some who saw this as a last minute changing of the goalposts, so I caught up with the ICO’s Dave Evans to ask about this. 

He also talks about how the Information Commissioner will judge the ‘success’ of its implementation of the EU e-Privacy directive and why sites should be open with users. 

What has changed in the updated guidance released at the end of May? 

We always said the guidance wasn’t a tablet of stone, and the 2011 version was never intended to be the final word. This iteration, which will not be the last, expanded on the implied consent section. It has always been a valid form of consent.  

A year ago, people were talking about it as if implied consent meant not doing anything. It doesn’t mean this, but it can be a valid way to comply. 

There are things you can do to ensure that you are gaining valid consent. For example, if sites make it clear that they are using cookies, and continued use of the site means that you are accepting this, then this is a valid approach. 

It doesn’t have to intrude on the user experience, and a lot of sites I have seen are getting the message across without putting obstacles in front of users. 

There was much anger from websites and developers at the perceived moving of the goalposts with this updated guidance. How do you respond to that? 

We haven’t changed the rules, it’s the same as it was 12 months ago. All we have done is to give a bit more detail within the guidance. I think a lot of people have assumed that you must get opt-in consent by the guideline or the ICO will come and get you, but this is not our approach. 

Does this mean implied consent is now acceptable for all types of cookies? 

If sites are doing something different from the norm with cookies, perhaps using consumer data in a way that some would worry about, then maybe warnings need to be clearer. 

As far as I can tell, very few e-commerce sites have done much about this. John Lewis and others have made cookie policies more prominent and linked to detail on cookies – is this enough in your view? 

I think in many cases, this is the first stage of a longer-term plan for compliance, and not the end of the road.

Also, many smaller retailers may rely on the work that the bigger, more visible e-commerce sites are doing to educate customers about cookies. 

These smaller businesses could take a softer line as the education work has already been done i.e. as users are used to the fact that sites like the BBC and John Lewis set cookies, they expect it from every site.  

Should they list cookies in detail? 

This depends. The main point to get across is why cookies are being used, for analytics or whatever, I think most web users just want to be reassured that nothing untoward is going on. This is more important than listing the different types of cookies in detail.  

I think many web users haven’t a clue about what cookies sites use, and many are simply not interested. 

If the aim of the e-Privacy Directive and its implementation in the UK is to raise awareness of privacy issues surrounding the use of data by websites, how will you judge whether or not this has been successful? 

We’ll be looking at the feedback and complaints we receive from web users, for example, if there are any particular issues in individual sectors that raise cause for concern. This feedback will tell us how serious an issue this is for web users. If there are relatively small numbers of people complaining, there may be no need for further action. 

However, if there are concerns about organisations which have taken a softer approach, then we would expect the, to go further. The proof of the pudding will be how consumers continue to use websites. If they see cookie information, know where to find it if the need it, and carry on using sites as normal, then there ,may be no issue. 

If there is no compulsion to comply, and websites can simply wait for letter/consumer complaints before they have to take action, why should they bother to comply? 

If you think you have to do something, why not take this action and make it fit in with your plans rather than wait for the ICO to tell you? 

Waiting for that letter from the ICO is not a good idea. The solution we agree with you may not be as good as one you could have volunteered yourself. Also, the more people get used to seeing information about privacy and cookies on the sites they visit, the more it becomes easier to spot the websites that have done nothing. 

Customers may wonder: what are they not telling me? Do they have something to hide? 

I think there are benefits to being open with consumers, and they are more likely to trust sites that take this approach. The directive does present a challenge for online business, but it’s also an opportunity to be more upfront with users.