Marketers are facing a major new threat to how they gather online data, amid fears that so-called “implied consent” for cookies is now illegal, forcing them to obtain explicit consent from website users to use their information.
Website cookies drive the entire online ecosystem, from advertising and analytics to personalised content and security. When the cookie law was first introduced in 2012, the Information Commissioner’s Office was adamant that explicit consent – which requires users to tick a consent box before proceeding – was the best practice. It even sent out stiff warnings to brands to comply or else.
But within a year it had softened its stance to rule that implied consent was allowed, which just requires a simple statement on the site, with a link to advice on how to stop cookies.
However, a fortnight ago, the ICO was forced to admit that its own website – which used implied consent to gather user data – was in fact in breach of GDPR. It followed a complaint that the regulator was in breach of Article 6 of PECR – the electronic marketing law – which prohibits the storage of, or access to, information held on a user’s device unless explicit consent is given. The complainant argued that because the ICO’s cookies were used automatically, users were unable to reject their use.
Mishcon de Reya commercial and data protection partner Adam Rose even claimed the ICO had been in breach of cookie law ever since it was passed.
The regulator has now updated its website so its cookies comply with GDPR, although the changes hardly went smoothly. Late last week, the site was taken offline for hours to fix what the regulator called “technical issues”.
When contacted by Decision Marketing, the ICO refused to comment on why it had taken so long to rewrite its cookie guidance or whether there was likely to be a radical change away from implied consent. It also declined to answer our questions over how long companies will get to implement any changes.
A spokesperson simply referred us to a statement, which reads: “As the regulator, we have been developing our position on the complex issue of compliance with the new GDPR standard of consent on cookies, including the changes we have now made to our own website.
“Once we have produced our guidance, we expect all data controllers to take steps to comply. This guidance is expected to be published next week.”
One industry source said: “The ICO will be opening up a can of worms if they revert to explicit consent. For instance, what about all the historical data companies hold – will that suddenly be classed as illegal? If so, how will the ICO enforce that?
“Are you seriously telling me that having been caught with its own trousers down, it will now be gunning for firms which have been following its own advice for years?”
ICO fingered for breaching GDPR over cookie cock-up
ICO ‘failings’ exposed as most probes come to nothing
ICO reveals it has 10,000 data breach cases to probe
‘GDPR experts’ in the dock over dubious legal advice
Have companies done enough to comply with GDPR?
ICO demands shake-up of unworkable EU cookie law
‘Simple’ cookies consent now rules
Top UK sites get cookie ultimatum