16 December 2011

Cookie compliance: ICO's updated practical guidance and enforcement stance


The ICO has updated and expanded its guidance on compliance with the cookie consent rules. The document also clarifies the ICO's enforcement stance, reiterating the need for websites to show they have a sensible action plan for achieving compliance by May 2012 when the "lead in" period expires.

As reported on our Datonomy blog on 13 December, the ICO has published updated guidance and a "half term report" on UK websites' compliance performance. The requirement for consent to cookies came into force in May 2011 and the ICO's enforcement "amnesty" runs until May 2012. This is to allow businesses to develop, in the words of the Commissioner, "good solutions rather than rushed ones". See our previous coverage for the background to the new rules.

The new 26-page guidance note replaces the version we reported on in May here. At two and a half times the length, it provides far more developed and detailed guidance on:

- conducting cookie audits;
- providing information about cookies; and
- obtaining consent.

This reflects many of the insights given informally by Dave Evans of the ICO when he spoke at Olswang's cookie round table event back in July.

Building on the types of consent mechanisms outlined in the May guidance, the new version also provides more practical illustrations of potential consent mechanisms, including footer bars, terms and conditions, settings-led consent and feature-led consent. It even plays devil's advocate for the much-maligned pop-up.

There is not much additional guidance on third party cookies, other than reiterating the ICO's view that "everyone has their part to play" in making sure users are aware of what information is being collected and by whom. Website owners are urged to "do everything they can" to allow users to make informed choices about third party cookies.

On the issue of likely enforcement action once the amnesty expires next year, there are no real surprises. The key points are that businesses need to show:

- sensible, measured action to move to compliance;
- if full compliance cannot be achieved by May 2012, a specific and clear explanation of why, a clear timescale for compliance and details of specific work being done.

One illustration given is that where full compliance is delayed because cookies are embedded in existing software, the ICO would expect upgrade costs and timescales to be weighed up against the intrusiveness of the particular cookies, length of upgrade cycles etc. Cost factors alone would not justify delayed compliance. The guidance reiterates that waiting for a browser solution to emerge in future will not suffice.

See this link to the ICO's website for the full text of Guidance on the rules on use of cookies and similar technologies.

For questions about compliance with the cookie consent rules, please contact Olswang Partner Iain Stansfield iain.stansfield@olswang.com
