Neither the wording of the new law, nor the European Directive on which it is based, state that this consent must be express. The idea that consent must be express has simply been the way this law has been interpreted, particularly by the IOC, whose previous guidance stated that relying on implied consent was not likely to be sufficient.
That advice has now changed and the latest guidance is that implied consent may well be enough. This change of heart is probably a response to the difficulties website operators were having in incorporating express consent without impairing the enjoyment of the website. It may also have been influenced by the relatively few websites which had made appropriate changes to comply with the new law.
Although it would have been helpful to have had this steer from the Information Commissioner much earlier in the 12 month lead in period, it should nonetheless be welcolmed. It should not however be taken as a sign that the maintaining the status quo will always be sufficient (e.g. simply relying on having information on cookie use set out in the website terms and conditions). But it does mean that if a website makes it very clear to a user what cookies are being used and why, then it may be able to rely on the user’s continued use of that website as a form of implied consent. Although having a user accept a pop up box which appears immediately on the home page is still the clearest way to demonstrate consent, website operators – and indeed browser manufacturers, will be pleased that more subtle ways may still be used.
Helpfully, the ICO has also provided some reassurance that failure to comply with the new law is unlikely to result in a hefty fine. It has confirmed in its website video FAQ that its fining powers are there to deal with serious breaches which cause substantial damage. Failing to comply with this new law is unlikely to meet either of these requirements.
Therefore despite articles on this topic frequently mentioning the possibility of a £500,000 fine for getting it wrong, the reality is that such a scenario is extremely unlikely. The more likely consequence of failure is the ICO seeking either a written undertaking that compliance will now take place, or issuing an enforcement notice requesting compliance. Ignoring an enforcement notice or breaching an undertaking might lead to a fine (although not at the £500,000 level) but issuing a fine is not going to be the ICO’s stock response to non-compliance.