ICO cites need for data as cookie policy changes

The ICO was one of the first to implement a ‘notice and consent’ regime for website cookies to implement protocol for website cookies after the EU updated its ePrivacy directive to require site owners to gain the consent of users before placing cookies on their machines.

As data watchdog, the ICO sought to lead by example but its strict application of the EU rules led to an immediate 90% drop in measured visits as site users refused to accept a Google Analytics cookie.

From the end of January, the ICO will set cookies on visitors’ machines on arrival. A pop-up banner will explain that cookies have been set with a link through to a new cookies page on the site explaining which cookies are being used and how to manage them.

“We felt [that explicit consent] was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for,” the ICO said in a note published on its website. “Since then, many more people are aware of cookies – both because of what we’ve been doing, and other websites taking their own steps to comply. We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.”

The ICO has advised website owners since May that implied consent is a valid form of consent in the context of the EU cookie rules.