Implied Consent Model for Online Notice

As of mid-April 2013, Google began to make a marked shift in its search engine in the EU. It began adopting the implied consent model of privacy notice. In order to comply with the EU ePrivacy Directive, Google started providing notice of data collection on webpages, with a mechanism for consumers to provide their consent to be tracked. According to Phil Lee, partner at Field Fisher Waterhouse, “This is a signal to the market that a very major player like Google is taking cookie consent seriously.”

According to experts, a cultural shift is happening in the EU regarding consumer expectations about data collection and use. Regulators and large corporations recognizing the shift have started responding to it in very tangible ways. Compliance with privacy law, in addition to adoption of global self-regulatory programs, is becoming less about simply ticking a compliance box and more about understanding that good privacy practice is actually good for business.

Studies have shown that people aren’t necessarily opposed to the use of cookies. Instead, they expect that companies will be transparent about the practice. In fact, consumers reward companies that are. The Toluna study revealed that almost half (48 percent) or respondents felt that if companies are honest about how they collect and use personal information online, they would be more likely to purchase goods or services from that brand.

A closer look at implied consent

Implicit consent (also referred to as “deemed” or “indirect” consent) can mean one of two things:

i)                    You volunteer personal information for an organization to collect, use, or disclose for purposes that would be considered obvious at the time.

ii)                   You provide personal information to an organization and it is used in a way that clearly benefits you and the organization’s expectations are reasonable.

Usually, implied consent is inferred from your actions and you current circumstance. For instance, if you attach a page of references with your resume and deliver it to potential employers, it is implied that you give consent for employers to contact your references. A reasonable person would understand that the very nature of providing references implies that consent is given to contact them.

Or, if you make a donation to a charity, you might be asked to provide personal information in order to receive a tax receipt. It would be considered reasonable – and in your favor – for the organization to use your personal information to provide you with a tax receipt.

EU on implied consent

Implied consent is a key concept in EU privacy violations. In particular, the EU’s e-Privacy Directive was amended in 2009 to state that storing and accessing information on users’ computers would only be lawful “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information… about the purpose of the processing.”

The Directive clearly states that consent must be “freely given, specific and informed.” An exception exists where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user.

Perspectives on implied consent

According to Dave Evans, the ICO’s strategic liaison group manager for business and industry, implied consent is valid as long as website operators are “satisfied that [their] users understand that their actions will result in cookies being set… Without this understanding you do not have their informed consent.”

The use of implied consent shifts responsibility to the user rather than the website operator, and might make things easier for website operators who struggle to comply with EU directives. Initially, websites were required to make it clear when they were saving a cookie on the user’s computer, which many sites complained was simply impractical. Sites rely on cookies to store data, such as online shopping baskets, identification and other user preferences. Requiring users to agree to each instance would mean they’d be making numerous decisions about acceptance or refusal.

Since the introduction of the directive, there have been many complaints regarding the business-friendliness of such policy.


This article takes a look at the concept of implied consent, in which consent is inferred from one’s actions and current circumstance. Implied consent is examined in the context of the EU’s e-Privacy Directive.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/European Privacy (CIPP/E), a privacy professional should be comfortable with topics related to this post, including:

  • EU Directive on Privacy and Electronic Communications (I.C.c.)
  • Consent (II.D.b.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>