Contrary to what had been the understanding before, the ICO in its capacity as data privacy watchdog in the UK has now declared in his guidance (download it here) that implied consent – if actually given – is just as valid a form of consent as explicit consent. That is not to say that website owners can simply continue to as before. When you read through the ICO’s advice on how implied consent may be brought about, it becomes quite clear that there really is not much difference from what the website owner must do to obtain explicit consent. In essence (in my interpretation, mind), you need to provide easily accessible, specific information that your assumed circle of users can actually understand, and you need to present that information separately (i.e. not only as part of your 2,000 word privacy policy) before setting any cookies that require consent. What “indication of wishes” is then required will depend on where and how you have presented the necessary information, and maybe also on how intrusive your cookies are. The fact that the user actually continues to use the website can be “indication” enough, though, if the user knows exactly what he or she is getting himself or herself into (cookies-wise, that is).
Makes perfect sense to me. Because, in the end, no one has been able to explain to me yet how a website operator is supposed to actually prove – tick box or not – that Mr. A or Ms. B, as individuals not IP addresses, have given their very individual and specific consent. Against that background, it comes down to presenting the required information in such a way that leaves no room for complaint (well, there anyway is room for complaint, of course…).
Now, on to Germany: By wanting to add a new paragraph to section 13 of the German Telemedia Act, all attempts to transpose the Cookies Directive into German law have so far relied on the concept of explicit consent given that section 13 (2) of the Telemedia Act speaks of a “conciouis and uneqivocal” consent of the user that the webiste owners must “record in a log” (it is actually a bit more complicated than that, but let’s just leave it at that for now). Simply clicking through and continuing to use the website would definitely not cut it – which does not make sense at all. Because no matter how well website owners draft their cookies notices, and regardless of how well they present them, they will in most cases not be able to actually prove that a particular individual has given his or her consent. They will only be able to demonstrate (through witness statements) how their cookie notice was drafted, and how it was presented to the user, around a certain point in time. It may be different when IPv6 has been fully rolled out, but I actually hope that it won’t, as that would mean that access providers operate with static IP addresses, thus leading to a whole new set of privacy problems.
It has been suggested that the ICO’s approach of allowing implied consent may not be in line with the Directive. I don’t see that, really. The Directive itself does not require explicit consent. In fact, the Directive even sets forth that browser settings or other applications may express the user’s consent which, essentially, would in many cases be nothing but an expression of implied consent. The legal point is this: Whether explicit or implied, consent is consent. There are no “lesser forms” of consent. There is a (theoretical) difference in being able to prove that consent has been given. But that is the website operator’s problem in either scenario.
Either way, if you look at how differently France (even analytics cookies are “necessary”) and the UK (fewer cookies are “necessary”, but implied consent suffices) not so much transposed the Direcitve into national law but interpret their own national laws in light of the Directive, and if you take into account that Germany so far seems to have no idea at all how transpose the Directive at all, the Directive’s ultimate goal – harmonising the law throughout the EU – is very unlikely to be achieved.