More Cookie Advice

The Information Commissioner's updated guidance on cookies contains helpful examples and a useful clarifications on cookies not directly linked to a user service (I'm reassured that the Commissioner seems to be heading for the same categories as I came up with).

Since the Commissioner's own website is relatively simple, it doesn't provide many illustrations of how cookies such as those used for shopping baskets can be made compliant with the law. Now the guidance confirms that this may, indeed, be as easy as warning "we'll need to use a cookie" at the point where the visitor first enters the shop area of the site. A number of different ways of making cookie information available are suggested, including colour highlights or placing links at prominent places on the web page.

Perhaps even more useful is the discussion (page 20 and following) of cookies that directly benefit the website operator, rather than the user. Here the guidance uses the principle of privacy risk to conclude that first-party cookies (those that are only released back to the same website) represent less of a risk than third-party cookies (which may permit a user to be recognised across multiple sites). There is a further distinction made between cookies that do indeed attempt to track individuals from those used only to generate anonymous statistics. While users still need to be offered an opportunity to refuse to be included in statistics, the new guidance seems to suggest that where the risk to privacy is low this may be enough to comply with the law.

This new guidance should be a great help for sites developing their compliance plans. Finally there's also good news on how widely those plans have to range - apparently it's now concluded that Intranets (because they aren't Information Society Services) only have to comply with the Data Protection Act, not with these cookie regulations.