ICO criticised for last-minute changes to cookie law

The Information Commissioner's Office (ICO) has come under fire for updating its policy on the newly-enforced cookie law at the last minute.

The cookie law – which requires consent to store information on website users' devices – was enforced from Saturday, a day after the ICO published new guidelines for website owners.

The regulation of the use of cookies, which also requires sites to provide clear and comprehensive information about the use of cookies, derives from an amendment to the EU's Privacy and Electronic Communications Directive.

The directive and related UK law came into force on 26 May 2011, but the ICO gave businesses 12 months to comply with the law.

The main change in the last-minute update is a new and much-expanded section on "implied consent". The ICO had previously said implied consent was unlikely to work.

The new guidelines state that implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.

This is a striking shift in how the ICO said it will tackle compliance, said Stephen Groom, head of marketing and privacy law at law firm Osborne Clarke.

"Just six months ago the ICO said general awareness of the functions and use of cookies was simply not high enough for websites to look to rely entirely in the first instance on implied consent, but now it tells us, 'Implied consent has always been a reasonable proposition in the context of data protection law' and that it remains so in the context of storage of information or access to information using cookies and similar devices," he said.

Although this new, pragmatic approach is more business-friendly, said Groom, it would have been good to have had earlier visibility of this dramatic change.

"It also remains to be seen whether this puts the UK out of step with Brussels and most other EU states," he said.

However, David Evans, the strategic liaison group manager at the ICO, said in a blog post on the updated guidelines that website owners relying on implied consent need to be satisfied that users understand that their actions will result in cookies being set.

"Without this understanding you do not have their informed consent," he said.

Evans said sites should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.

"In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate," he said.

Although the ICO has indicated it is unlikely to impose monetary penalties, it does expect website owners to get their house in order and will issue enforcement notices where necessary.

This means most UK businesses and government departments with websites will have to act quickly to ensure that they at least have a compliance plan in place to show the ICO, should it come calling.
