On 2 April, 2012, after almost a year of preparation, the International Chamber of Commerce UK (“ICC”) launched its UK Cookie Guide designed to help website operators and website users comply with new EU rules on the use of cookies. The ICC hopes that if the Guide becomes widely adopted by website operators, then users will be exposed to consistent information regarding cookies, will become familiar with the various types of cookies on websites, and will develop an understanding of the different categories of cookies.
Part 1 of the Guide provides guidance for website operators in relation to content and information contained within the rest of the Guide. Part 1 is intended to provide information to website users in layers, allowing users to access as much or as little information as they want regarding cookies, with the initial layer designed to be simple and straightforward. Part 1 details that the Guide can be used by website operators to educate their users and can make it easier to gain their consent by giving users consistent information across different websites. The Guide is intended to make it easier for users to access information about cookies and be in an informed position to give their consent. Part 1 also touches upon the idea of “browser-based compliance,” and the use of icons linked to mechanisms of control so that the user can click onto the icons to find out more information.
Part 2 of the Guide puts cookies into four categories based on their functions and what they are used for. The Guide points out that these categories are not definitive and there may be cookies that do not fit. Furthermore, the categories are designed to evolve as more cookies are discovered. Where a cookie does not fit, website operators will have to devise their own wording and consent approach. The Guide identifies the four categories as:
- Strictly necessary cookies
- Performance cookies
- Functionality cookies
- Targeting or advertising cookies
Part 2 of the Guide includes a case study describing what a cookie is and gives tips and guidance for website operators on how to approach each category, and how to explain clearly what each category of cookie is used for.
Part 3 of the Guide focuses on technical notes and definitions of the four categories of cookies, giving examples of when the cookies are used and the information that the cookie collects. For example, in Category 1: strictly necessary cookies are “essential first-party session cookies” and will generally be used to store a unique identifier to manage and identify the user in order to provide a consistent and accurate service. Category 1 cookies will remember previous actions or text and will manage, pass and maintain security tokens (i.e., identify if the user is logged in). However, these cookies will not be used for marketing or to remember preferences outside of a single session.
Part 4 of the Guide gives some examples that can be used by website operators to obtain users’ consent to the use of cookies falling within the four categories set out in Part 2. The Guide states that website operators should also provide for withdrawal of consent previously given by users, although there is no prescribed form or examples given in the Guide for this. The Guide states that, for Category 1 cookies, no consent is required because these are strictly necessary cookies. For Category 2 cookies, which only collect information about website usage for the benefit of the website operator, consent can be obtained in the terms and conditions of the site or when the user changes the settings, but this will depend on the kind of website and the precise function of the cookies. For Category 4 cookies, which collect the most information about the user, it is important to obtain clear and informed consent from the user for their use as the party setting the cookie is required by law to do, although in practice the website operator may be better placed to obtain the consent. Guidance given by the UK Information Commissioner’s office, which has welcomed the launch of the ICC’s Guide, states that each party must play its part in obtaining the consent, although it is up to the individual parties to decide the most appropriate method, depending on the purpose of the cookie, so long as the user is given a clear and informed choice.