The UK Information Commissioner’s Office (ICO) has received 169 complaints thus far about websites failing to comply with the cookie law that came into force May 26, reports. UK Information Commissioner Christopher Graham stated that his office has received 169 complaints thus far about websites whose policies appear not to comply with the new regulations on cookies, as reported in Commissioner Graham is reported to have said that the complaints indicate what individuals are interested in and should serve as a warning to organizations that are not yet compliant. “…There are many [complaints] where customers are pointing out that well-respected brands are not doing anything about the cookie law and [these customers] can’t understand why not,” Graham said. The CIO Journal is reporting that the ICO has sent out 70 letters to companies that have yet to comply, including to Tesco, Facebook and HSBC.

Despite the alleged non-compliance, the ICO was issuing new guidance right up until the eve of the grace period for enforcement ending. On May 25, the ICO published revised guidance to clarify points around implied consent, and the ICO’s Strategic Liaison Group Manager for Business and Industry posted a blog with a video containing answers to FAQs.

The new guidance confirms that implied consent is a valid form of user consent and complies with the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and can be used instead of an explicit opt-in measure. This issue had troubled organisations as the previous guidance seemed to suggest implied consent would not be valid, although website operators are not meant to rely on an assumption that users have read a privacy policy that may be hard to find or difficult to understand.

The latest ICO guidance confirms that user consent can be inferred from users navigating among website pages, provided users have a reasonable understanding that by doing so they have agreed to cookies being set.

The latest guidance also addresses the issue of “prior” consent, and while the ICO’s position is that wherever possible cookies should only be set once users have had an opportunity to understand what cookies are being used and to indicate their consent, website operators should be able to demonstrate that, where it is not possible to obtain this prior consent, they are doing as much as possible to provide timely information about what cookies will placed on the users’ device.

In addition, the guidance clarifies that the mere placement of a statement about cookies in a privacy policy is not sufficiently prominent, and website operators are expected to give a clear and specific explanation to the ICO about why their website is not fully compliant. The ICO further explained that there will be a ‘sliding scale’ of enforcement, with the most intrusive cookies that pose a risk of harm to individuals being the focus of the ICO’s enquiries. Since the blog contains a link where users are invited to report their cookie concerns, expect to see the ICO making further statements about the number of complaints and their investigations.