Privacy & Information Security Law Blog

On November 27, 2012, the International Chamber of Commerce of the United Kingdom (“ICC UK”) released the second edition of its cookie guidance (the “Guidance”). The ICC UK released the first edition of the Guidance in April of this year, and has produced this latest version to take into account updated guidance released by the UK Information Commissioner’s Office (“ICO”), the Article 29 Working Party Opinion 04/2012 on cookie consent exemption and new UK advertising rules on online behavioral advertising.

Providing Information to Users

The ICC UK anticipates that if the Guidance is adopted widely by website operators, users will be exposed to consistent messages that will help to raise awareness about cookies among users. Such exposure should address concerns raised by the ICO that user understanding of cookies is generally low, which makes it more difficult for website operators to obtain informed consent.

Although the Guidance is not prescriptive, it suggests that website operators adopt a layered approach to providing notice so that “less technically minded users” are not overwhelmed by “excessive or complex information.” The Guidance suggests an initial layer containing simple information, such as an icon, following the approach adopted by the Internet Advertising Bureau. As a second layer, the ICC UK suggests providing more detailed information (e.g., a banner overlay). Additional information may be provided using “tool tips” displayed when the user’s cursor rolls over an icon, or links to external websites that provide further information such as www.allaboutcookies.org and www.youronlinechoices.eu.

Categories of Cookies

The Guidance identifies four basic categories of cookies:

1. Strictly necessary cookies: cookies that enable services the user has specifically requested, e.g., e-billing, security and authentication mechanisms, third-party social plug-ins (for logged-in users only). Although consent is not required for this category of cookies, the ICC still recommends providing information to users about these cookies and their functions.
2. Performance cookies: cookies that collect anonymous information on webpages visited and are used to improve a website’s function, e.g., analytic cookies. They only collect aggregate data and do not collect information that identifies users.
3. Functionality cookies: cookies that remember user choices, e.g., user name, to improve browsing experience and to deliver personalized features. These cookies do not track browsing activity across websites.
4. Targeting/advertising cookies: cookies that track browsing habits across websites to deliver targeted/behavioral advertising. The party setting the cookie is responsible for providing notice and obtaining user consent, but consumer-facing websites may be better positioned to obtain user consent for third-party cookies.

Consent

The Guidance notes that although the Article 29 Working Party does not consider first-party analytic cookies to be exempt from the consent requirements, these cookies are considered less intrusive and, accordingly, the approach to obtaining consent for their deployment differs. Following the revised guidance issued by the ICO in May 2012, in Part 4 of this second edition, the Guidance sets forth details of implied consent mechanisms. Specifically, the Guidance lists three key components of valid implied consent:

1. Share understanding with users: Website operators must provide sufficient information about cookies to enable users to understand what they are consenting to.
2. Improve users’ knowledge: Except for particularly technical users, most users have a poor understanding of how online services are provided. To obtain valid implied consent from users, website operators are obliged to help educate users about how cookies work.
3. Be obvious and prominent: Notice should be clear and unavoidable, such that users are clear what clicking through and continuing to use a site will mean.

Although the ICC UK categorizations and recommendations have not been adopted formally by any national regulator, the categorizations are widely accepted within industry and some regulator guidance uses the same or similar language. Formal and informal guidance provided by a number of regulators also similarly indicates that a different levels of compliance may be acceptable for different types of cookies. In practice, many EU website operators are now providing clear and comprehensive notice about cookies. However, many still rely on opt-out consent mechanisms, and to date only a limited number of website operators have implemented explicit opt-in consent mechanisms.