Implied Consent is Bad for Visitors

Since the latest guidance on complying with the cookie law in the UK was published by the ICO in December there has been a lot of talk about ‘implied consent’. 

We touched on this issue in a blog post at the time, but since then there have been quite a few people latching on to and promoting this idea in the belief that it enables less change to be made to a site and a less intrusive user experience. 

However we believe that in practice the opposite is true, certainly when considering the user experience.

The idea of implied consent is that if someone visits a website and they are given a notice about use of cookies which they ignore and continue to browse, then this can be interpreted as consent and the site can then continue to use cookies.

This sounds attractive because it means little change to the current status quo.  However if you look at this idea more deeply, problems emerge.

The definition of consent as applied to the law is that it is a ‘freely given specific and informed indication of wishes’. Therefore, in order for continued browsing to be seen as consent the website will need to give notice on every landing page about the use of cookies.  It will also need to give notice in a way that it can be guaranteed that the visitor will see it before they continue; otherwise their ‘consent’ will not be informed.

The ICO makes this clear in the latest guidance:

A reliance on implied consent in any context must be based on a definite shared understanding of what is going to happen – in this situation a user has a full understanding of the fact that cookies will be set, is clear about what cookies do and signifies their agreement.

So either the notice would have to overlay all links, which effectively means the whole page, or links would have to be disabled, until the visitor has given their indication that they are happy to continue – by clicking to remove the message.

The website would then set a cookie to record that the visitor had seen the message, so that subsequent page views would not show it again.

This is fundamentally the same effective user experience as an opt-in consent approach, with one significant difference:  it is much more immediately intrusive on the web experience.  As a result of which it is consequently likely to lose a site many more visitors.  Even if they can be all tracked, the site has just lost massive value.

The alternative, opt-in model is like this:

A user lands on a page and is presented with a cookie-less experience.  Depending on how much reliance on cookies the page has, it might look almost exactly the same as a with-cookies experience.

Somewhere on the page is a notice about cookies, and a request for consent.  It could be prominent or discrete, depending on the site.  If the user gives consent – then with-cookies content can be loaded in.  If not then the user browses, but as soon as they try to interact with cookie reliant content, they can be reminded of the need to consent so it can be switched on.

This is a much less user-intrusive approach to gaining consent, and therefore a better visitor experience – which is what ultimately everybody is looking to achieve.

This works well for the user as it gives them a least-possible disruption experience by default, rather than the forced-maximum disruption required in order to be sure that consent can be reliably implied.  Even though it becomes more difficult to track each visit (not impossible), the site still retains the majority of visits, and therefore its actual value.

The question then becomes clear:  Would you rather have more visitors you can’t track as accurately, or many fewer that you can?