C is for Cookie!
Interestingly, cookies are only referred to once in the entire GDPR, Recital 30, though it is an important inclusion as it associates cookies with natural person identifiers and, as such, catagorises cookies as personal data under the remit of GDPR protection.
Some of the most talked about provisions of GDPR are that of consent. Consent needs to be “a clear affirmative action … freely give, specific, informed and unambiguous” (Recital 32). GDPR explicitly states that, “Silence, pre-ticked boxes or inactivity should not therefore constitute consent”.
This is set out clearly on the ICO website, “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.” Now here is where it can be a bit confusing. Whilst reading this very clear guidance, if one hovers over the bottom left corner of the page (or any page on the ICO website) on the attractive little star cookie icon the following pop up (it's http://civicuk.com/cookie-control, their copyright etc, a tool many of our clients use on their sites) appears:
As far as default consent goes that pretty much takes the biscuit (apologies).
As GDPR compliance rolls out, it will be interesting to see whether member state legislation will fill in the gap and either directly incorporate the Cookie Directive or not.
 GDPR Recital 32