The International Chamber of Commerce (ICC) has issued guidance to help website operators and users understand and apply the changes to the Privacy and Electronic Communications Regulations 2003 relating to cookies that will come into force in the United Kingdom on 25 May 2012.
In May 2011, the United Kingdom implemented changes to the Privacy and Electronic Communications Regulations 2003, which now require any person placing cookies or similar tracking technology on a third party’s equipment to obtain the user’s prior consent. Consent will only be achieved if the user is given clear and comprehensive information as to the use of the cookie. The Information Commissioner’s Office (ICO), which is the UK Regulator, has provided a 12 month grace period allowing operators to make changes required to comply with the law. The grace period expires on 25 May 2012.
In order to obtain consent, clear and comprehensive information about the cookie must be provided. What this information will be depends on the type of the cookie and the use made of the information gathered. The guide divides cookies into four categories: cookies that are strictly necessary, performance cookies, functionality cookies and targeting or advertising cookies. The ICC notes that this division is neither definitive nor exhaustive but assists with an understanding of the intrusiveness of the technology deployed and its impact on the privacy of users.
The guide contains no prescriptive formula or instruction on how consent should be obtained and, much like the guidance issued recently by the ICO, the guide emphasises that the issue of obtaining consent is one that can be addressed in a number of different ways. These different options include obtaining user’s consent in the course of acceptance or re-acceptance of website terms and conditions; settings-led consent, being consent obtained as users choose website settings; feature-led consent, being consent obtained as users turn on website features; function-led consent, being consent obtained as users activate website functions; or notice and choice mechanisms, such as pop-ups or header bars.
The guide includes advice on who should be responsible for placing or obtaining consent with regard to the placing of the cookie. This is especially helpful in relation to third party advertising cookies where the chain of responsibility can become complicated.
The ICC also discusses the possibility of using icons on a uniform basis so that users become familiar with and understand what those icons mean with regard to cookies and the use of their data. One suggestion is the Institute of Advertising Bureau’s current cookie icon.
It is interesting to note that, in order for consent to be obtained, it must be given freely and have the option to be withdrawn at any time. As a result, anybody placing cookies must also give a method for withdrawal of consent by the user.
As with the ICO’s most recent guidance on privacy notices, the guide promotes the virtues of using a layered approach to providing users with information. This layered approach enables users to decide how much detail they require to make an informed decision, with each layer accessed providing more detail than the one before.