Robert Bond, lead contributor to the ICC UK’s Cookie Guide, reviews the Guide, which was published on 2 April 2012 with the endorsement of Christopher Graham, the UK Information Commissioner.
The changes to the Privacy and Electronic Communications Regulations in respect of consent for cookies have placed considerable compliance obligations on businesses with minimal prescriptive guidance from either the Department for Culture Media and Sports or the Information Commissioner's Office.
In initial comments issued by the DCMS in early 2011 it was suggested that business must help itself to manage compliance, and the International Chamber of Commerce in the UK (ICC UK) has led the process to help businesses comply.
The Cookies Guide aims to help both web site operators and web site users come to terms with the so-called cookies law by placing cookies into four categories based on their functions. It is hoped that this will help web site operators categorise the cookies they use and assist them in preparing suitable methods of obtaining informed consent, as well as aiding communication with web site visitors by offering them standard notice language, explaining in simple terms what cookies are and how they are used.
It is hoped that the Guide will be adopted by businesses so that repeated use of standard language will provide certainty and comfort for consumers.
The Guide was developed through consensus and compromise between many leading businesses who provided either technical, marketing or legal input to ensure a rounded solution.
Whilst all EU Member States should have implemented Article 5(3) of the E-Privacy Directive 2009 by the 26 May 2011, it is well known that the vast majority have not. The UK was one of the few Member States to implement the law on time, although the ICO took the practical step of granting a 12-month moratorium, which runs out on 26 May 2012, to enable businesses to comply.
At the launch of the Guide, at an event hosted by DCMS and the ICO in London, Department Minister Ed Vaizey confirmed that, 'we will lead the way forward' in influencing, at ministerial level across Europe, the need for a harmonised approach to compliance. Christopher Graham in commending 'the advice of the ICC' also added that, 'we are seeing lots of good work - but until it all ends up on web sites there is a risk that bluster, scare tactics and burying of heads will win the day… from May we will shift our response to those businesses who will not comply or attempt to comply'.
What Does The Guide Achieve?
The Guide is based on the fact that the different cookie technologies have been categorised into four groups around their functions and what they are used for. Whilst these categorisations may be changed as ICC UK consults more widely with stakeholders, the four categories that have been identified and approved by the ICO are:
Part One of the Guide explains its general purposes for web site operators and Part Two then sets out in more detail the explanations with case studies of the four categories of cookies. Part Three contains technical notes and definitions in relation to the four categories of cookies and Part Four gives some examples of consent wording.
The Guide is not intended to provide legal advice and web site operators are responsible for their own compliance strategies, dependent on the cookies they use and the nature of their web site and its users.
Categories of Cookies
Whilst four categories have been chosen it is quite possible that a cookie may function in more than one category. Therefore the way in which the categories are used and the consent language applied will vary depending entirely upon each web site.
Strictly Necessary Cookies
The Guide states that a notice for users might be worded thus: 'These cookies are essential in order to enable you to move around the web site and use its features, such as accessing secure areas of the web site. Without these cookies, services you have asked for, like shopping baskets or e-billing, cannot be provided.'
In its guidance the ICC indicates the range of different technologies that may be categorised as cookies and also provides simple Tool Tips for consumer understanding. For example the strictly necessary cookie Tool Tip states 'These cookies enable services you have specifically asked for.'
Here the notice for users might read, 'These cookies collect information about how visitors use a web site, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don't collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a web site works.'
The Tool Tip here is 'These cookies collect anonymous information on the pages visited'.
Here the notice for users is more intricate, given the more complex nature of functionality cookies. However the Guide essentially gives examples of use including, 'Choices you make (such as your user name, language, or the region you are in), and provide enhanced, more personal features.'
The Tool Tip here is 'These cookies remember choices you make to improve your experience.'
Targeting Cookies or Advertising Cookies
Finally, what falls into the online behavioural advertising sector in some respects, or customer profiling, are what the ICC call targeting cookies or advertising cookies.
Here the suggested notice for users reads, 'These cookies are used to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the web site operator's permission. They remember that you have visited a web site and that this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.'
The Tool Tip here is 'These cookies collect information about your browsing habits in order to make advertising relevant to you and your interest.'
It is valuable for businesses to note that each of the descriptions of cookies are couched in positive language in order to allay users' fears, provide plain language information and not cause rejection of any of the cookie categories.
Part Four of the Guide suggests consent language which dovetails with the cookie categories.
The strictly necessary cookies do not require consent, although the ICO and indeed the Guide recommends that cookie information should be provided. In the other three categories, the mechanisms of obtaining consent are interpreted on a sliding scale of impact and effect. In other words the more pervasive the use of the cookie in terms of collecting data, the greater the need to demonstrate explicit consent.
Whilst for a strictly necessary cookie consent is not required, there is a good argument that in respect of analytics, to the extent that little personal data is gathered and in any event the aggregation of the information is only used to enhance future performance of the web site, again consent might be implied by no more than the continued use of the web site itself once the user has been offered a chance to understand that category of cookie. At the other end of the scale - advertising cookies - the mechanism of consent being obtained needs to be at the most transparent and effective level.
At the DCMS/ICO event one of the first movers, namely British Telecom, who have a particularly innovative and user-friendly cookie compliance process, commented that since implementation there has been, 'no negative impact' on their users' web site experience or activity as far as they can establish. Since BT's web site process leans heavily on the Guide, this is a practical example of the Guide's value to businesses in terms of compliance.
The Guide is timely and practical. Currently, in the absence of any more definitive guidance from either government or the regulators, it is advice that 'takes the biscuit'!
Robert Bond is a Partner in the IP, Technology & Commercial team at Speechly Bircham LLP: firstname.lastname@example.org