By now everyone should have a good idea of what their plans are and should be reasonably confident that they have genuinely worked constructively towards achieving compliance.
From Day one the advice from the ICO was to start with an audit of cookies (and similar technologies) and look at them with an assessment criteria that aligns to the rules as well as the ICO guidance. The essential vs non-essential nature of the cookie along with the level of intrusiveness are the critical audit criteria. Once that view is in place then business need to weigh-up how consumers should be informed of these cookies and how “consent” should be addressed.
The legal requirement for consent is the elephant in the room throughout all of this and it cannot be ignored. There are certainly ambiguities in what constitutes consent and how it overlaps with very clear and effective information transparency. It’s an evolving definition and I am mindful of the Information Commissioner advocating pro business intentions at a DCMS hosted event this week (2nd April) and saying that there will be more guidance around “implied consent” in the fairly near future. “Don’t just wait for the guidance” is the very clear message but I think a huge proportion of the online space will be interested in what the guidance will say.