The Cookie law: clarity at last (but not from the ICO)

Kevin Partner
27 Apr 2012

When Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 - “the Cookie law” to most of us - became part of UK law in May last year, the Information Commissioner’s Office (ICO) immediately invoked a one year moratorium on enforcement. Some might interpret that as tacit acknowledgement that the regulations were unenforceable. Little seemed to have changed as the end of the moratorium approached and website owners waited, in vain, for specific guidance from the ICO on how, exactly, to make their sites compliant.

Finally, something resembling advice has appeared, but it’s not come from the ICO but from business organisation the International Chambers of Commerce (ICC). Despite the inevitable disclaimer on page 2 that it “does not constitute legal advice”, it’s by far the most practical guide to the cookie regulations I’ve seen so far and is the result of research carried out by an organisation looking at this from a practical point of view rather than the compliance-based approach of the ICO.

Indeed, David Evans, group manager for business and industry at the ICO, said at the launch of the guide: "Today’s ICC UK guidance provides organisations with a good starting point from which they can work towards full compliance." Which is about as close to a ringing endorsement as we're ever likely to get from the 21st Century equivalent of the Circumlocution Office.

It’s not that the guide says anything new per se, but because of its business focus it bridges the gap between the legalistic coverage of the regulations produced by the ICO and the pleas of website owners to “JUST TELL ME WHAT TO DO!”

My advice is to download and digest the guide - it’s not long and it’s a model of clarity. In summary, the ICC’s guide places cookies into four categories and then explains its thinking about how each should be dealt with. The first category is Strictly Necessary. To fit this category, the cookie must be “related to a service provided on the website that has been explicitly requested by the user”. Aside from obvious cases such as shopping cart cookies and access to protected areas, the ICC suggests that remembering previously entered text so it’s not lost if the page refreshes falls into this category. No user consent is required for category 1 cookies.

The second ICC category is Performance Cookies. And here it gets interesting because the ICC includes analytics, advertising and Pay Per Click cookies in this category - provided they only store anonymous data and cannot therefore be used for behavioural targeting of ads. This was my biggest single concern with the regulations - I could see no way they could realistically be applied if it denied European website owners access to essential analytics information that would be available to owners elsewhere. Consent for cookies in this category, according to the ICC, can be obtained by placing appropriate wording in the site Terms and Conditions (most professional sites will have this already). So, no opt-in required.

The ICC’s third category is Functionality Cookies - cookies that remember user choices so that they have a more personalised experience. This might include detecting if the user has already seen a popup so that it isn’t shown again, submitting comments and remembering colours, text size etc. As with Performance Cookies, the ICC suggests you can comply with the regulations by inserting text into your terms and conditions rather than forcing users to choose explicitly.

This leaves the final category, the “bad boys” that the regulations were originally aimed at: Targeting/Advertising Cookies. We’ve all experienced the slightly creepy way ads follow us around the internet - they do this by collecting information about our browsing habits which is then used to serve up targeted ads. Even in this pretty clear-cut case, it’s possible to argue that the onus is on the ad serving network to request consent but, to be on the safe side, the ICC advises website owners to get clear, explicit consent from users if their site employs such technology.

For most website owners, then, it seems minimal changes are necessary - at least according to the ICC’s interpretation of the regulations. It’s a pity it’s taken a third party to produce such clear guidance rather than the body responsible for implementing the law but at least it’s arrived, in the nick of time. Good on the ICC.

Read more about: