A new law on website cookies is crumbling already, as the UK takes a step away from the EU by giving webmasters the right to send out cookies with mere "implied" rather than "explicit" consent from visitors.


Originally, websites would have to require explicit consent from users - in other words, when visiting a website for the first time users would be greated with a message explaining what cookies are being used by the site and what they do.

The user would then have to opt in to viewing this site and accepting the cookies that come with it.

Now, though, the wording of the law has been changed to allow for implied consent by website visitors. This is better for website owners as they do not have to add lines of code to their site to alert users of cookies, but it now means that the UK is no longer in line with the EU, which is sticking with explicit consent for now.

The Information Commissioner's Office (ICO) update now means that websites can merely assume that visitors understand what cookies are and how they work, and in doing so consent to using them on the site.

BBC cookies

In support of the law when it required explicit consent, Rob Rachwald, director of security strategy at Imperva, said: "The good news? Most consumers have no clue about what cookies do and just how much personal information they help websites harvest.

"Websites and internet technology have become so complex that it is impossible for a typical consumer to understand the implications of a simple click. This law will hopefully help people understand that cookies are the keys to personal information and present a threat if exploited, stolen, altered, harvested or hijacked."

Since the change from explicit to implied, Stephen Groom, head of marketing and privacy law at law firm Osborne Clarke, said: "This is a striking shift. Previously the ICO said that implied consent would be unlikely to work. Now it says that implied consent is a valid form of consent."

Speaking to the Guardian, Groom added: "Just six months ago the ICO said general awareness of the functions and use of cookies was simply not high enough for websites to look to rely entirely in the first instance on implied consent."

Some cookies are required to make websites work properly, but the ones that must be disclosed are filed under performance, functionality, and targeting and advertising.

Performance cookies collect anonymous data from everyone who views a website, this data catalogues how a user interacts with the website and is used to improve how a website works, but it cannot track you.

Functionality cookies allow users to customise how a website looks to them. These cookies can remember usernames, language, and regional preferences to provide information like local weather and traffic reports.

Finally, it is advertising and targeting cookies that are the most controversial. These cookies help to deliver advertisements that are relevant to you. They do this by recording what websites you visit, which is then supplied to advertisers, who serve up an ad based on your browsing habits.