UK ICC and ICO Issue Cookies Guide and Statement

Published On April 12, 2012 | By Melissa Maalouf | General, International, Privacy

On April 2, 2012, the UK International Chamber of Commerce (“ICC”) released a “Cookie Guide” to help companies comply with the new EU Cookies Directive, which governs the use of cookies for various website purposes.  On April 5, 2012, the UK Information Commissioner’s Office (“ICO”), the UK data protection authority, issued a statement to the Register explaining that it does not intend to focus enforcement actions pursuant to the Directive on companies that use cookies for first-party website analytics purposes.

The Cookie Directive, which officially came into force on May 26, 2011, but for which the UK ICO formally delayed enforcement until May 26, 2012, requires websites targeting EU citizens to request user permission prior to placing cookies on the users’ browsers, unless the cookies are “strictly necessary” for the provision of a service “explicitly requested” by the user.

UK ICC Cookies Guide

The ICC’s Guide separates the various cookies used by website operators into different categories and provides recommendations regarding the type of notice and choice that operators should use depending on the category.   The Guide also provides consumers with information regarding the differences between the types of cookies so that they can make informed choices in determining whether to accept or reject various types of cookies.

The Guide divides cookies into the following 4 categories:

(1)    Strictly necessary cookies:   These are cookies that are essential to allow visitors to move around a website and use its features, and include cookies that enable shopping baskets or e-billing.

(2)    Performance cookies:  These are cookies that collect information about how visitors use a website (although not information that personally identifies visitors), or that can be used for website analytics.  These types of cookies include those used to determine which pages visitors go to most often, test website designs, and track the effectiveness of “pay-per-click” and affiliate advertising.  However, this category does not include cookies used for re-targeting or online behavioral advertising purposes.

(3)    Functionality cookies:  These are cookies that allow a website to remember choices a visitor makes (such as user name, language, or region) or provide services a visitor has asked for (such as watching a video or commenting on a blog) to enhance the website experience.  The information these cookies collect may be anonymized and they cannot track visitors’ browsing activity once they have gone to another website.

(4)    Targeting or advertising cookies:  These are cookies that are used to deliver advertisements more relevant to a visitor’s interests, limit the number of times a visitor sees an ad, and measure the effectiveness of ads.  They are usually placed by an ad network with a website operator’s permission, remember that a visitor has been to a site, and share this information with others, such as advertisers.

The Guide provides sample notification language that website operators can use in describing the different types of cookies to visitors.  The Guide also provides recommendations for what type of consent is required for each type of cookie.  For “strictly necessary” cookies, the ICC explains that no consent is required.  For “performance” cookies and “functionality” cookies, the ICC believes that website operators should use the methods of consent already discussed in the UK ICO’s prior guidance on the Cookies Directive, such as obtaining notice through the site’s Terms of Service or when a user changes settings for the site.  For “targeting or advertising” cookies, the ICC believes that a higher level of consent is necessary, but that it is up to individual website operators to decide the most appropriate method for obtaining consent, depending on the purposes for which these types of cookies will be used.

UK ICO Statement Regarding Analytics Cookies

 Shortly after the release of the ICC’S Guide, on April 5, 2012, the UK ICO made a statement to the Register that although it is due to begin enforcing the Cookies Directive next month, it will not focus its enforcement actions on first-party cookies used for website analytics.  However, the ICO emphasized that visitor consent will still be required before websites can use cookies for analytics purposes.  The ICO explained that the Cookies Directive does not distinguish “between cookies used for analytical activities and those used for other purposes,” and that analytics cookies do not fall within the “strictly necessary” exemption category, which is why notice and consent is still required for such cookies.  However, because these types of cookies pose a “low level of intrusiveness and risk of harm to individuals,” the ICO stated that it is “highly unlikely that priority for any formal action would be given to focusing on” use of analytics cookies.  The ICO also noted that it plans to issue further guidance on the use of analytics cookies.

About The Author

Melissa Maalouf’s practice focuses on advising a broad range of clients, from start-ups to established companies, on both U.S. and international data privacy and security issues. Melissa assists clients in drafting appropriate website disclosures, implementing legally-compliant e-commerce flows, responding to FTC Section 5 and state AG enforcement actions, analyzing advertising claims, and children’s online privacy and safety issues. She also regularly helps clients obtain certification under the EU-US Safe Harbor and navigate compliance with divergent international privacy laws.

Comments