ICO reverts from asking for consent to merely stating cookies are used.
The decision by the Information Commissioner's Office (ICO) to stop asking for explicit permission to serve cookies has been cited as the death of the cookie law. In a blog post, Silktide MD Oliver Emberton cited the ICO's policy changes, saying that the law is “dead at last”.
The ICO is responsible for policing the UK’s cookie law and claims the new rule change remains consistent with its own guidelines. The ICO adds that people are now more aware of cookies. Therefore, it's “appropriate [to] rely on a responsible implementation of implied consent”. We spoke to Emberton about the law and the ICO’s new direction regarding cookies.
CB: So does this new advice mean the law is effectively dead and the industry and clients have wasted piles of money on a pointless episode?
OE: Pretty much. All the complex solutions, which actually blocked certain cookies and so forth, were a waste. The panic, meetings and audits were certainly a waste. The people who simply put a cookie page up apparently did the right thing.
CB: But does the ICO’s change mean the law is officially dead, or will the ICO change its mind again, and go after web devs who don’t display massive cookie banners asking for consent?
OE: I'm 99.9 per cent sure. We know the regulator's website will be using opt-in, a decision I'm sure they didn't take lightly. We know they say that this approach is legal — now — because "many more people are [now] aware of cookies". We know that they're glacially slow to react, and have been exceedingly light-touch in enforcement, writing a handful of letters to Google, Facebook, and so on, congratulating them for having cookie pages. I think it's clear at this point they've no appetite for the law they've been asked to enforce.
CB: So what would you now recommend devs and designers do regarding cookies?
OE: We now know the ICO audit process is purely ‘visual’, judging websites based entirely on whether they look like they're complying. There's no inspection of cookies, or code, or what the site does. Presumably such an audit hasn't a clue about, say, Facebook using cookies in its Like buttons. All they're looking for is something like a cookie banner or link to a cookie page.
So my advice is to create a cookie page that explains what cookies you use (like everyone did back in 2009), and link to that in your footer. If complaints became a problem, the ICO would write politely to you, and you may make your link more prominent. It's a farce, but that seems to be all they're looking for.