ICO Publishes Updated Cookie Law Guidance

The ICO has published its much anticipated half-term report along with updated guidance on complying with the cookie law in the UK.

Christopher Graham’s blog post that accompanied the new guidance will not make comfortable reading for some but there were a number of key messages coming across.

When commenting on the industry as a whole he turned to the old school report favourites of ‘must try harder’ and ‘could do better’. 

There is an acknowledgement here that not only have a lot of people stuck their heads in the sand, but many have been actively complaining and campaigning against the law.  It seems clear to me that he is not impressed with such activity, nor will the implementation plan for enforcement be swayed by it.

The ICO is making it clear that they know compliance is possible, and why they cannot endorse specific products and services – they are well aware of what is available.

We do like to think that when he talks about ‘comprehensive cookie management tools for webmasters’, he is talking about our work which we have shared with them.

The guidance also makes some clear statements about a number of other issues that have been argued over.

Although the law does not specify that consent should be given ‘prior’ to the setting of cookies, the guidance supports the opinion of the Article 29 Working Party that agrement to an action after is has taken place, is not true consent.

They also state that consent cannot really be implied given the level of understanding in the public about cookies.  This would appear to mean that the kind of mesage that says ‘we are using cookies, but you can opt-out of them’, such as the IAB self-regulation model for advertisers, does not fit the bill in its own right.

On the issue of browser settings I think the position is also clear:

“At present, most browser settings are not sophisticated enough…For now relying solely on browser settings will not be sufficient and even when browser options are improved it is likely that not all website visitors will instantly have the most up-to-date browser…”

On enforcement of the law after May 2012 the message is also clear.  The ICO are not expecting ‘perfect compliance’ but they expect people to be working towards it, and demonstrating that they are doing so.  Those that are not are the ones that will be dealt with more harshly.  As he says:

“If your website uses cookies and you are not doing anything to get consent then you are not compliant.”

It is difficult to be clearer than that I think.