Privacy Advisor

UK—ICO Uses Implied Consent for its Website Cookies

March 1, 2013


By Brian Davidson, CIPP/E

The ICO has announced that it is no longer seeking explicit consent from users for the serving of cookies via its website, instead relying on implied consent.

In a 31 January statement, the ICO said that it made the change in order to “get reliable information to make our website better.”

Amendments to the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) in May 2011 require that, with the exception of “strictly necessary” cookies, website operators have to obtain consent from users in order to serve cookies on their devices. As a result, the ICO initially sought users' explicit consent, citing a lack of user- and website-operator awareness about cookies and what they were used for. However, the ICO now considers that, through its own awareness-raising activities and the steps taken by other website operators to comply with the law, implied consent will suffice going forward.

The key changes are:

  • Cookies set on arrival at ICO website;
  • New cookie banner explaining that the website uses cookies, cookies have been set by the website and that users can change their settings or continue to use the site;
  • A separate cookies "page"—from the website privacy notice—to increase prominence of the information, and
  • Users given clear, detailed information about the cookies set, how to manage them and new buttons to allow users to delete or allow "non-essential" cookies.

Brian Davidson, CIPP/E is a privacy and information advisor at Field Fisher Waterhouse, LLP.