A Guide to Cookies

All commercial websites operating in the EU must comply with the EC cookie rules (the amended e-Privacy Directive, implemented in the UK by the 2011 amendment to the Privacy and Electronic Communications Regulations) and with the ICO’s Guidance.  This has caused a lot of head scratching in balancing compliance with ease of use.  The ICO’s latest Guidance, issued in May 2012, is much more workable than earlier versions.

The International Chamber of Commerce (ICC) UK has issued a useful Cookie Guide which has been welcomed by the ICO as a “good starting point” from which “to work towards full compliance”.  This sorts cookies into four categories:

Category 1 – “Strictly Necessary” Cookies, which are essential for the user to move around the site and use its features, such as a cookie holding the contents of your shopping basket or keeping you logged in to a secure area.

Category 2 – Performance Cookies, such as those set by Google Analytics, which collect aggregated, anonymised data about how visitors use the site.

Category 3 – Functionality Cookies, which remember choices the user has made (such as user name, language or region) in order to provide enhanced, more personal features; they do not track browsing across other sites.

Category 4 – Targeting and Advertising Cookies, which record user behaviour and are then used to alter the content or advertising delivered to that user in future, often across more than one site.

There has been much legal discussion about the ICO’s guidance and whether it is workable.  Normally, where there is a requirement to obtain “informed” or “positive” consent, that requires some indication of a positive election by the user after having been given access to the relevant information.  It is questionable whether the ICC’s Guide on Categories 1-3, or even the latest ICO Guidance, meets that standard.

However, in any situation in which there is a possibility of prosecution there are always two requirements.  The first is that there is a technical breach of the law.  The second is that the authority with power to prosecute decides to do so.  The CPS has a Code for Crown Prosecutors, which sets out criteria for and against prosecution for most common offences, and always applies an overriding criterion of whether a prosecution is “in the public interest”.  Although the ICO does not issue such a code, the indications are that the ICO will follow a similar pattern and will concentrate its investigative and enforcement resources on Category 4 Cookies, which gave rise to the original EC Directive.

Businesses will have to make a risk management decision on whether, and how, to obtain positive consent for Category 1-3 Cookies.  It is difficult to see how any website operator can comply on Category 4 Cookies without some form of click-through consent, though some major organisations have yet to impose that.

If you manage your own content, implementing this is up to you.  If your website is managed for you, ask the provider for a solution, but be aware that the legal responsibility is likely to remain with you as the site operator.  Browser-based solutions are being developed.
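One way to implement click-through consent in the web client is shown below.  This is an added example, not code from the article, the ICO or the ICC; the cookie names in the inventory, the consent cookie name and the one-year lifetime are assumptions for illustration.  Each cookie the site sets is mapped to one of the four ICC categories, the user’s positive election is recorded in a Category 1 cookie, and any cookie in a category the user has not accepted is refused before it is placed (unknown cookies fail closed as Category 4).  An audit function lists cookies already present in the jar that the recorded consent does not cover, which is the check a site operator most needs when a third-party tag has slipped in.

```javascript
// Consent gating for the ICC UK cookie categories. Added example, not part of
// the original article. The inventory below is a hypothetical site's cookie
// list; the consent cookie name and lifetime are assumptions.
const CATEGORY = { STRICTLY_NECESSARY: 1, PERFORMANCE: 2, FUNCTIONALITY: 3, TARGETING: 4 };

// Hypothetical inventory: cookie-name prefix -> ICC category.
const INVENTORY = [
  { prefix: 'sessionid',      category: CATEGORY.STRICTLY_NECESSARY },
  { prefix: 'basket',         category: CATEGORY.STRICTLY_NECESSARY },
  { prefix: 'cookie_consent', category: CATEGORY.STRICTLY_NECESSARY },
  { prefix: '_ga',            category: CATEGORY.PERFORMANCE },
  { prefix: '_gid',           category: CATEGORY.PERFORMANCE },
  { prefix: 'lang',           category: CATEGORY.FUNCTIONALITY },
  { prefix: 'ad_',            category: CATEGORY.TARGETING },
];

const CONSENT_COOKIE = 'cookie_consent'; // assumed name; itself Category 1

// Parse a document.cookie-style "a=1; b=2" string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? '' : trimmed.slice(eq + 1);
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// Look up a cookie's category; anything not in the inventory is treated as
// Category 4 so that an unexpected third-party cookie is never silently allowed.
function categoryOf(name) {
  const hit = INVENTORY.find(e => name.startsWith(e.prefix));
  return hit ? hit.category : CATEGORY.TARGETING;
}

// Categories the user has accepted, read from the consent cookie
// (e.g. cookie_consent=2,3). Category 1 is always permitted.
function consentedCategories(cookieString) {
  const allowed = new Set([CATEGORY.STRICTLY_NECESSARY]);
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw) {
    for (const tok of raw.split(',')) {
      const n = Number(tok);
      if (Number.isInteger(n) && n >= 1 && n <= 4) allowed.add(n);
    }
  }
  return allowed;
}

// Gate: call this before document.cookie = ... or before loading a tag script.
function mayPlaceCookie(name, cookieString) {
  return consentedCategories(cookieString).has(categoryOf(name));
}

// Build the Set-Cookie / document.cookie value recording a positive election.
function buildConsentCookie(categories, maxAgeDays = 365) {
  const cats = [...new Set(categories)]
    .filter(c => c >= 2 && c <= 4)
    .sort((a, b) => a - b);
  const value = encodeURIComponent(cats.join(','));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Audit: cookies already in the jar that the recorded consent does not cover.
function auditCookies(cookieString) {
  const allowed = consentedCategories(cookieString);
  return Object.keys(parseCookies(cookieString))
    .filter(n => !allowed.has(categoryOf(n)))
    .map(n => ({ name: n, category: categoryOf(n) }));
}

// Constructed sample jar: a visitor who accepted only performance cookies,
// but an advertising cookie has been set anyway.
const SAMPLE_JAR = 'sessionid=abc123; _ga=GA1.2.1; ad_id=xyz; cookie_consent=2';
console.log('may set _gid:', mayPlaceCookie('_gid', SAMPLE_JAR));   // true
console.log('may set ad_x:', mayPlaceCookie('ad_x', SAMPLE_JAR));   // false
console.log('uncovered:', auditCookies(SAMPLE_JAR));                // [{ name: 'ad_id', category: 4 }]
console.log('consent after clicking through for 2 and 3:', buildConsentCookie([3, 2, 2]));
```

The consent record is written as a first-party cookie with a fixed lifetime rather than being inferred from the absence of a refusal, so that the “positive election” the guidance asks for is something the site can actually evidence.  Placing the gate in front of tag-loading, not merely in front of `document.cookie`, matters in practice: a third-party script sets its own cookies, so the script itself must not run until the matching category has been accepted.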

For further guidance and discussion see AllAboutCookies, to which the ICO refers users, and The Cookie Collective.  Cookie Control provides a neat tool which is used on lots of public sector sites, is easy to implement and is free.