On November 27, 2012, the International Chamber of Commerce of the United Kingdom (“ICC UK”) released the second edition of its cookie guidance (the “Guidance”). The ICC UK released the first edition of the Guidance in April of this year, and has produced this latest version to take into account updated guidance released by the UK Information Commissioner’s Office (“ICO”), the Article 29 Working Party Opinion 04/2012 on cookie consent exemption and new UK advertising rules on online behavioral advertising.
Providing Information to Users
The ICC UK anticipates that if the Guidance is adopted widely by website operators, users will be exposed to consistent messages that will help to raise awareness about cookies among users. Such exposure should address concerns raised by the ICO that user understanding of cookies is generally low, which makes it more difficult for website operators to obtain informed consent.
Although the Guidance is not prescriptive, it suggests that website operators adopt a layered approach to providing notice so that “less technically minded users” are not overwhelmed by “excessive or complex information.” The Guidance suggests an initial layer containing simple information, such as an icon, following the approach adopted by the Internet Advertising Bureau. As a second layer, the ICC UK suggests providing more detailed information (e.g., a banner overlay). Additional information may be provided using “tool tips” displayed when the user’s cursor rolls over an icon, or links to external websites that provide further information such as www.allaboutcookies.org and www.youronlinechoices.eu.
Categories of Cookies
The Guidance identifies four basic categories of cookies:
- Strictly necessary cookies: cookies that enable services the user has specifically requested, e.g., e-billing, security and authentication mechanisms, third-party social plug-ins (for logged-in users only). Although consent is not required for this category of cookies, the ICC still recommends providing information to users about these cookies and their functions.
- Performance cookies: cookies that collect anonymous information on webpages visited and are used to improve a website’s function, e.g., analytic cookies. They only collect aggregate data and do not collect information that identifies users.
- Functionality cookies: cookies that remember user choices, e.g., user name, to improve browsing experience and to deliver personalized features. These cookies do not track browsing activity across websites.
- Targeting/advertising cookies: cookies that track browsing habits across websites to deliver targeted/behavioral advertising. The party setting the cookie is responsible for providing notice and obtaining user consent, but consumer-facing websites may be better positioned to obtain user consent for third-party cookies.
Consent
The Guidance notes that although the Article 29 Working Party does not consider first-party analytic cookies to be exempt from the consent requirements, these cookies are considered less intrusive and, accordingly, the approach to obtaining consent for their deployment differs. Following the revised guidance issued by the ICO in May 2012, in Part 4 of this second edition, the Guidance sets forth details of implied consent mechanisms. Specifically, the Guidance lists three key components of valid implied consent:
- Share understanding with users: Website operators must provide sufficient information about cookies to enable users to understand what they are consenting to.
- Improve users’ knowledge: Except for particularly technical users, most users have a poor understanding of how online services are provided. To obtain valid implied consent from users, website operators are obliged to help educate users about how cookies work.
- Be obvious and prominent: Notice should be clear and unavoidable, such that users are clear what clicking through and continuing to use a site will mean.
Although the ICC UK categorizations and recommendations have not been adopted formally by any national regulator, the categorizations are widely accepted within industry and some regulator guidance uses the same or similar language. Formal and informal guidance provided by a number of regulators also similarly indicates that a different levels of compliance may be acceptable for different types of cookies. In practice, many EU website operators are now providing clear and comprehensive notice about cookies. However, many still rely on opt-out consent mechanisms, and to date only a limited number of website operators have implemented explicit opt-in consent mechanisms.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code