The Cookie Directive, which officially came into force on May 26, 2011, but for which the UK ICO formally delayed enforcement until May 26, 2012, requires websites targeting EU citizens to request user permission prior to placing cookies on the users’ browsers, unless the cookies are “strictly necessary” for the provision of a service “explicitly requested” by the user.
UK ICC Cookies Guide
The ICC’s Guide separates the various cookies used by website operators into different categories and provides recommendations regarding the type of notice and choice that operators should use depending on the category. The Guide also provides consumers with information regarding the differences between the types of cookies so that they can make informed choices in determining whether to accept or reject various types of cookies.
The Guide divides cookies into the following 4 categories:
(1) Strictly necessary cookies: These are cookies that are essential to allow visitors to move around a website and use its features, and include cookies that enable shopping baskets or e-billing.
(2) Performance cookies: These are cookies that collect information about how visitors use a website (although not information that personally identifies visitors), or that can be used for website analytics. These types of cookies include those used to determine which pages visitors go to most often, test website designs, and track the effectiveness of “pay-per-click” and affiliate advertising. However, this category does not include cookies used for re-targeting or online behavioral advertising purposes.
(3) Functionality cookies: These are cookies that allow a website to remember choices a visitor makes (such as user name, language, or region) or provide services a visitor has asked for (such as watching a video or commenting on a blog) to enhance the website experience. The information these cookies collect may be anonymized and they cannot track visitors’ browsing activity once they have gone to another website.
(4) Targeting or advertising cookies: These are cookies that are used to deliver advertisements more relevant to a visitor’s interests, limit the number of times a visitor sees an ad, and measure the effectiveness of ads. They are usually placed by an ad network with a website operator’s permission, remember that a visitor has been to a site, and share this information with others, such as advertisers.
The Guide provides sample notification language that website operators can use in describing the different types of cookies to visitors. The Guide also provides recommendations for what type of consent is required for each type of cookie. For “strictly necessary” cookies, the ICC explains that no consent is required. For “performance” cookies and “functionality” cookies, the ICC believes that website operators should use the methods of consent already discussed in the UK ICO’s prior guidance on the Cookies Directive, such as obtaining notice through the site’s Terms of Service or when a user changes settings for the site. For “targeting or advertising” cookies, the ICC believes that a higher level of consent is necessary, but that it is up to individual website operators to decide the most appropriate method for obtaining consent, depending on the purposes for which these types of cookies will be used.
UK ICO Statement Regarding Analytics Cookies