UK websites can assume implied consent over EU cookie legislation

Recently Chris Scott (our MD at Headscape) outlined his understanding of how the European Union’s legislation over cookies are going to be enforced in the UK.

The post confused some because Chris’ recommendations didn’t seem to fulfill the European Union legislation. That was because the Information Commissioner’s Office here in the UK was talking in more consilitory tones than that laid out in the legislation itself. Although unofficial, the ICO appeared to recognise the challenges of the legislation and was trying to work constructively with website owners to comply.

However, with only 48 hours to go until the legislation was enforced, the ICO formalised their position according to the Guardian newspaper.

Implied consent

According to the Guardian, UK website owners can now presume “implied consent” if users visit a UK website and continue to use it after being informed about the cookies in operation on the site.

As the Guardian writes:

The use of “implied consent” shifts responsibility to the user rather than the website operator, and will come as a relief to thousands of website operators who have been struggling to comply with new EU directives…;

With the ICO’s position confirmed in black and white, UK websites can breath easier and be confident in implementing the position Chris outlined in his previous post.


  • jaz_design

    The ICO actually posted on Friday to confirm the implied consent thing –

    “Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies. If you are relying on implied consent you need to be satisfied
    that your users understand that their actions will result in cookies
    being set.  Without this understanding you do not have their informed
    consent. You should not rely on the fact that users might have read a
    privacy policy that is perhaps hard to find or difficult to understand.”

    There’s a PDF on that link as well which outlines it somewhat better than it did before. :)

  • Paul Morriss

    I don’t agree with the Guardian’s analysis. In the quote that jaz_design gives it says “…you need to be satisfied…”. So the onus is on the website owner to make a judgement about the technical level of the user, and the wording you’ve used. It means that if you use implied consent you can’t be sure that you’d be OK, because the ICO might disagree with your judgement. So you can do something and you’re probably OK, but if you really want to be sure you have to go for explicit consent, i.e. annoying popup.

  • chronicler_Isiah

    I don’t think anyone was ‘confused’ by Chris’ post exactly – merely  that it wasn’t properly followiing the letter of the directive. Whatever folks think the law is is a different proposition entirely from what the words actually tell us.

    As it is the ICO seems to have changed its own mind on this, as implied consent was quite clearly (at that time) NOT a way to meet full compliance:

    “At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent.” [- from the ICO Version 2, 13 December 2011 guide.]

  • Karl Craig-West

    I rest my case!!!
    I knew that the ICO knew that this Euro legislation (which many believe is only a swipe at Google anyway) was going to be totally unenforceable.
    Viva Common Sense!!!