
ICO: Implied Consent OK for Analytics Cookies

If you sit very quietly today and listen for a moment you’ll be able to hear a noise. That noise is the sound of thousands of website owners throughout the UK saying “Phew!”

Why are they saying that? It is because today the ICO has (finally) put in writing that you are allowed implied consent on tracking cookies, rather than having to do complete opt-in:

“It is clearly the case that the majority of websites undertake some form of analytics activity and most of those will use cookies to facilitate some if not all of that activity. The Information Commissioner recognises that gaining explicit opt-in consent for analytics cookies is difficult and that implied consent might be the most practical and user-friendly option. In light of this, website operators, developers and analytics vendors need to recognise that while analytics are, for them, an integral and entirely ordinary part of how the web has developed, for users the picture is rather less clear.” (ICO’s Guidance on the rules on use of cookies and similar technologies, May 2012)

Blue Latitude has commented on the process as it has evolved previously. In June last year when the new law was announced we said:

“The right to privacy for an individual is deeply important and the use of personal data must be regulated. The directive fails to do this, it just meddles with some of the key building blocks that underpin how businesses build customer relationships online.”

We also suggested that the law showed “a real disregard for how many businesses gain intelligence on their marketing performance”, after the ICO showed that their opt-in had caused a 90% drop in reported visits.

In January this year we revisited the issue to look at the ‘strictly necessary’ option, following consultation with the International Chamber of Commerce in which the ICO suggested that their opt-in approach was overly heavy-handed, and at whether lighter approaches would be acceptable. We speculated as to whether this could be extended to analytics cookies or not, before deciding that “when implemented, this directive will seriously impact on everyone involved in digital activities.”

With the ICO rocking slightly as to whether we needed opt in for analytics cookies or not, the government itself took hold of the situation, suggesting that for their own websites analytics cookies were strictly necessary and hence implied consent was ok.

Now the ICO has finally decided, on the last working day before the regulation was due to be enforced, that analytics cookies can fall under the rule that ‘implied consent’ is good enough. Implied consent means that by using the website, users are agreeing to accept the cookies you give them, because you tell them that you will in your privacy policy.

Does that mean that you should carry on as before? Not quite. Implied consent is one thing, but actually making the users more aware of what you are doing with cookies is still important. What we actually want is informed, implied consent. Therefore, if you have a website in the UK you should be doing the following things:

  1. Audit your site to see what cookies you are using. Stop giving out any that you no longer use and see if you can consolidate others. You should also be looking at how long you set your cookies before they expire.
  2. Audit your privacy policy to make sure that it tells your users exactly what it is that you are doing with the cookies in plain English (NOT legal or technical jargon). This also means telling them what you are going to do with the data once it has been collected.
  3. Ensure that your cookie policy is linked to on every single page of your website in a prominent position, whether you follow BT’s example of a floating option in the bottom right hand corner, The Guardian’s with a small box at the top, The Sun’s with a small box at the bottom or Bulmer’s with a full screen overlay on entry (see figure 1 below).
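One way to run the expiry part of the audit in step 1, as an added example that is not from the ICO guidance or the original post: it parses recorded `Set-Cookie` header values and separates session cookies from persistent ones, flagging long lifetimes. The sample headers, cookie names and the 365-day review threshold are constructed assumptions, not figures from the guidance.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie header values as a site crawl might record them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "_analytics=GA1.2.111.222; Path=/; Max-Age=63072000",
    "promo_2011=seen; Path=/; Expires=Fri, 31 Dec 2038 23:59:59 GMT",
    "prefs=lang-en; Path=/; Max-Age=2592000; Expires=Fri, 31 Dec 2038 23:59:59 GMT",
]

def parse_set_cookie(header, now):
    """Return (name, lifetime); lifetime is a timedelta, or None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return name, parsedate_to_datetime(attrs["expires"]) - now
    return name, None  # no expiry attribute: dropped when the browser session ends

def audit(headers, now, max_days=365):
    """Classify each cookie as session / ok / long-lived (max_days is an assumed threshold)."""
    report = {}
    for header in headers:
        name, lifetime = parse_set_cookie(header, now)
        if lifetime is None:
            report[name] = ("session", None)
        else:
            days = lifetime.days
            report[name] = ("long-lived" if days > max_days else "ok", days)
    return report

if __name__ == "__main__":
    now = datetime(2012, 5, 25, tzinfo=timezone.utc)
    for name, (status, days) in audit(SAMPLE_HEADERS, now).items():
        print(f"{name:12} {status:10} {days if days is not None else '-'}")
```

Cookies reported as long-lived, or whose names no longer match anything the site uses, are the candidates for removal or a shorter expiry.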

 

Figure 1: BT, the Guardian and Bulmer’s cookie policy examples 


 

Analytics reporting is anonymous. There should be no personally identifiable data being passed into your analytics system and the point of the data is to provide aggregated information on the users’ behaviour to improve the quality of the site in question.

If you are linking your online data with offline data to get better information from your customer then there is another level of privacy you should be thinking about. This is, of course, near on impossible until you have some unique key to link them together. So the question of consent should come at the point of getting that unique key (e.g. if you are doing it based on a username then when you ask them for their username you should say “We will tie any data we hold about what you do when you are logged in with things you do with your account offline”).

Finally, it is important to remember that if you are a global organisation you’ll still have to pay attention to how all the other European countries have interpreted this law (and they have done so in a variety of ways, whilst some are still to define their law).


2 Responses to “ICO: Implied Consent OK for Analytics Cookies”

  1. mark. chapman

    With such a mêlée of publicity and coverage in the media on cookies, everyone should now be asking “How is my data being handled on this website and by this company / charity / government”? Good questions to ask – but not easy to answer.

    Will they be able to penetrate this complicated issue and should laws be used to try to facilitate this? I don’t think laws should do this; organisations need to work on developing more trust with their customers / taxpayers / browsers.

    Who on this Earth wants to recommend charities, companies, buy services + products from them, interact with governments, churches etc, that they don’t trust? And so the cookie debate rages on…

  2. Alec Cochrane

    Hi Mark,

    I completely agree with you – there is a real lack of understanding of what information you give a website when you view it and how it ties all that back together. People should be asking what data they are giving over to this website, this company, this charity, etc.

    However people aren’t asking that question because they either don’t know they are doing it, they don’t know the implications of doing it or they don’t care that they’re doing it.

    The implementation of this law as it was (informed consent as opposed to implied consent) wouldn’t have done much to do that education – it would have just annoyed people who saw the pop up and businesses who lost data. We need to come up with other ways of explaining to people what data is being collected and how it is being used.

    The informed, implied consent seems to work quite well as it is getting the message across without hampering the efforts of Marketers, but that shouldn’t be the end of it. We need to come up with more ways – going into schools, getting it on national television, etc. None of these things are new, I was talking about them 18 months ago!

    http://econsultancy.com/uk/blog/6824-the-uk-needs-to-change-its-cookie-policies

    Cheers,
    Alec
