The guidance goes on to say: “Website operators, developers and analytics vendors need to recognise that while analytics are, for them, an integral and entirely ordinary part of how the web has developed, for users the picture is rather less clear.”
The ICO states that there is a gap between the web analytics used and the level of understanding users have about those practices. Implied consent is only valid, it says, if this gap is narrowed.
This means that website users would have to appreciate that “on most sites they visit certain things are more likely, than not, to happen” and by being aware of this “the more it will become acceptable for their actions”.
This suggests that, over time, as users become more aware of how their cookies are being used – including in the use of analytics – they are likely to become more comfortable with it.
However, it the guidance also states that the user should have a choice not to accept cookies at a browser or site level “even if it means a site’s functionality is limited for the user as a result”, suggesting that any part of a website that requires cookies to function should be segregated from the parts of the website that do not.
So, can a website that tracks users’ traffic rely on implied consent to comply with the EU directive and ICO rules?
“Provided the business only uses the traffic information to improve the site,” Retzer explained.
But if a business was not already adhering to the regulations, it should be cautious about implementing any changes to its website, according to Kim Walker, partner at law firm Thomas Eggar, agreed, arguing that many businesses probably do not need to make any changes to their website to comply with the directive.
“If a business wants to use the cookies for their own analytics purposes and these fall within the spirit of the regulations, then it may be worth taking a commercial view and waiting to see what others do before committing resources to update their website.