The Information Commissioner's Office (ICO) has come under fire for updating its policy on the newly-enforced cookie law at the last minute.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The directive and related UK law came into force on 26 May 2011, but the ICO gave businesses 12 months to comply with the law.
The main change in the last-minute update is a new and much-expanded section on "implied consent". The ICO had previously said implied consent was unlikely to work.
The new guidelines state that implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
This is a striking shift in how the ICO said it will tackle compliance, said Stephen Groom, head of marketing and privacy Law at law firm Osborne Clarke.
Although this new, pragmatic approach is more business-friendly, said Groom, it would have been good to have had earlier visibility of this dramatic change.
"It also remains to be seen whether this puts the UK out of step with Brussels and most other EU states," he said.
However, David Evans, the strategic liaison group manager at the ICO, said in a blog post on the updated guidelines that website owners relying on implied consent need to be satisfied that users understand that their actions will result in cookies being set.
"Without this understanding you do not have their informed consent," he said.
"In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate," he said.
Although the ICO has indicated it is unlikely to impose monetary penalties, it does expect website owners to get their house in order and will issue enforcement notices where necessary.