UK’s new cookie law came into effect Sunday

Visitors to the BBC may have spotted a new notice across the top of the screen: “We use cookies... If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the BBC website. However, if you would like to, you can change your cookie settings at any time.” This is to ensure conformance to the new UK cookie law. It is hardly the unambiguous ‘opt-in’ advocated by privacy activists and the EU itself, but it does, strictly speaking, conform to the ambiguous requirement for ‘informed consent’. More specifically, it conforms to the guidance given by the UK’s Information Commissioner: “Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices.”

The approach to the cookie law taken by the BBC is to inform (“we use cookies”) and to assume implied consent (“we'll assume that you are happy”) if the user doesn’t actively block the cookies. The ICO itself is less ambiguous: “The ICO would like to place cookies on your computer... [] I accept cookies from this site.” Of course the ICO site is essentially an information site with nothing like the complexity of the BBC; and in terms of cookies, the BBC has nothing like the complexity of an online business – such as Tesco, which simply would not function without them.

Tesco, noticeably, has no cookie banner on the front page. It has a link to its cookie policy: all 6 A4 pages and a 1700+ word description. It is hard to see how a statement of policy can be seen as the users’ informed consent, although semantically the home page link and explanation could be argued to provide ‘implied’ consent.

The problem is ambiguity, both in the law and in the ICO’s attitude towards the law. ICO Christopher Graham has said there will be no “wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there.” But he added, “if you have decided that this is all too difficult... that you will get around the law by wilfully misleading people... then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.”

So for the moment, compliance with the new UK cookie law implies the ability to persuade the ICO that you will be doing something, and not necessarily that you have already done something. This will be a good thing for the UK government. “Last week the government admitted that most of its sites would not comply with the new rules in time. It said it was 'working to achieve compliance at the earliest possible date',” says the BBC.

