The new “cookie law,” which is part of the 2011 amendment to the Privacy and Electronic Communications Regulation 2011, came into force on May 27. However, there was a dramatic change in guidance from the Information Commissioner’s Office (ICO) just before the new law came into force, stating that “implicit consent” is now the main requirement, with the emphasis having shifted from the everyday functionality of cookies to the protection of personal information.

Just before the implementation of the law, the UK’s Information Commissioner directed that websites can assume that users have consented to the use of cookies  – small text files that are stored on a user’s computer and can identify them – and that implied consent is a valid form of consent.

The use of “implied consent” shifts responsibility to the user rather than the website operator, and has been a relief to thousands of website operators who have been struggling to comply with new EU directives which came into law a year ago.

The directives required sites to make it clear when they were saving a cookie on the user’s computer, which many sites complained was simply impractical. Sites rely on cookies to store data such as online shopping baskets, identification and other user preferences, and requiring users to agree to each instance would subject them to a multiple decisions about acceptance or refusal and would probably lead to a huge drop in on-line revenue.

However, while ‘implied consent’ is now a valid defence for not asking to store cookies in the first place, companies will still need to have a privacy policy that explains how their site gathers cookies and what it does with the information. That policy also needs to be easily accessible on their website.