Retailer slams ICO over 'embarrassing banality' of revised cookie law guidance

The EU cookie law was implemented over the weekend amid controversy over last-minute policy changes.

In a third version of its advice to websites on how to use cookies, the Information Commissioner's Office (ICO) rewrote a section on "implied consent", suggesting that websites can assume that users have consented to the use of cookies.

Michael Ross, director of trading solution provider eCommera, and founder of online retailer Figleaves.com, said that the only people to benefit from confusion over the legislation will be lawyers.

"The whole premise of the cookie regulation has moved from requiring informed prior consent to now accepting that implied consent will suffice for most situations.

"It is a banal end to a year of stress and anxiety for commercial players online where the only people to benefit have been the lawyers," Ross said in a statement.

"The banality of the ICO's approach is embarrassing. They appear to have decided that it is important for consumers to understand the intricacies of cookies before they are safe to use the internet. It is like expecting people to understand the basics of quantum mechanics before they can buy a microwave," he added.

However, Sally Annereau, data protection analyst at law firm Taylor Wessing, told Computing that the changes in the ICO's guidance did not equate to a significant shift in policy.

"I don't think there is a whole scale turnabout in policy. There was already recognition in the previous guidance that implied consent could work," she said.

"When a user has seen a clear notice and has actively indicated that they are comfortable with using cookies by clicking through the site, this is an implied consent mechanism effectively," she said.

In March, a survey by consultancy KPMG found that 95 per cent of organisations were yet to be compliant with the new law.

The ICO has recently confirmed that it has sent out a letter to 75 of the biggest organisations to ensure that they are moving towards compliance. The list includes Apple, Amazon, the BBC, the NHS, the Cabinet Office and the Scottish government.

"If your organisation has not yet achieved compliance, please provide an explanation about why it has not been possible to comply within time, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen," the letter reads.

It explains that the companies each have 28 days to respond and warns them that there could be a penalty if they do not comply.

Annereau said that organisations should now be more proactive in complying with the law, as prior to it being enforced, many were sceptical about the advantages of complying before their competitors.