Last week partner Adam Rose was mentioned in The Telegraph in an article highlighting that the ICO's own website does not conform to GDPR.
The key amendment concerned cookies: the law was changed so that, contrary to the previous position, a website provider could only place a “non-essential” cookie on one’s device if the recipient had consented to its placing (an “opt in”, if you will, where previously an “opt out” had applied). "Consent" here takes its definition from the General Data Protection Regulation ("GDPR"), which states that it is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
The Information Commissioner's Office (ICO), which is responsible for enforcing PECR (and GDPR), has guidance on consent which says that "[one] may not rely on silence [or] inactivity...or seek to take advantage of inertia" and that "[clear] affirmative action means someone must take deliberate and specific action to opt in or agree to the processing...all consent must be opt-in consent, ie a positive action or indication – there is no such thing as ‘opt-out consent’".
"Your own website (ico.org.uk), however, places at least four cookies (Universal Analytics (Google)) which are not strictly necessary, and it does so, or at least claims to do so, before a visitor has had the chance to consent (your cookie notice says 'we have placed cookies on your device to help make this website better' (emphasis added)). Furthermore, the placing takes place as a result of the visitor's inactivity and inertia. A visitor cannot be said to consent, according to GDPR's definition and your own guidance, because she does not take deliberate and specific action to opt in or agree to the placing."
The ICO reassured the party that they are taking "immediate steps" to address the issue. The rules regarding cookies are not straightforward, and many fail to follow them, but it is still rather remarkable that the regulator itself, and by its own admission, has also failed to do so.