After a one-year grace period the Information Commissioner's Office (ICO) has started enforcing the 'cookie law'. In practice nothing much will change; the rules have already been relaxed.
“implied consent” is sufficient.
The revised Regulations are primarily an attempt to curtail online tracking. The cookie law recognises that some cookies are necessary for the functioning of websites; such cookies are now allowed. At the same time the rules for cookies that aren't
“strictly necessary” have been tightened. The cookie law states that websites may only use such cookies if you give your consent. In other words, the opt out has become an opt in.
“monetary penalties can only be issued […] in cases where there's been a serious breach that's likely to cause substantial damage to people, and where there is […] a wilful element towards non-compliance. It's difficult to imagine that non-compliance with the cookies rule is ever going to trigger a situation in which we would be able to issue a monetary penalty.” Rather than issuing fines the ICO hopes
“compliance can be achieved by negotiation, by us giving advice and telling organisations what we feel they need to do.”
All or nothing
Relaxing the rules hasn't made website publishers any more supportive of the Regulations. Only on the day the ICO started enforcing the cookie law did cookie statements start to appear on websites. A quick look at some of the most visited websites in the UK learns they have all adopted the 'implied consent' principle. The website of the Guardian, for instance, simply states that people who continue to browse its web pages are automatically agreeing to cookies being used. Ironically, to prevent the cookies statement appears after implied consent has been assumed the websites stores this information in a cookie.
- Data protection in the electronic communications sector (europa.eu)
- Updated advice and guidance on changes to the EU cookie law (ico.gov.uk)
- Behavioral targeting (wikipedia.org)
- Ghostery (ghostery.com)
- NoScript (noscript.net)