One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

ICC Cookie Guide

Wednesday, June 6, 2012 - 11:49

The International Chamber of Commerce has published a Guide to cookies to help businesses comply with the legislation and individuals understand what is being done with their data. Rather than concentrating on the legal issues, the guide aims to develop a common terminology for different types of cookie use, which should help to increase users’ familiarity with the different types of cookie and help them to make properly informed choices. For each type of cookie, the Guide has a user-friendly explanation (in part 2) and help for website operators in classifying their cookies (in part 3). Although two of the four proposed categories seem to be well-understood, with both business and regulators providing similar advice, on the other two there are still significant differences of interpretation.

The categories proposed are as follows:

  1. strictly necessary cookies: these seem to follow other advice on interpreting the Directive
  2. performance cookies: the ICC uses this term to cover analytic cookies, rather than the load-balancing ones that the Information Commissioner includes in his guidance
  3. functionality cookies: these match the Information Commissioner’s “settings-led” and “feature-led” types
  4. targeting or advertising cookies: used by the ICC only for cookies used to target advertising to a particular user

As with other attempts to classify cookies (e.g. the Information Commissioner’s guidance), the problems arise in the areas of analytic and behavioural advertising cookies (ICC categories 2 and 4). The ICC place the majority of these cookies in category 2, which covers both first- and third-party cookies and those used to collect information about the browsing and purchasing habits of users. Only if a cookie is actually used to display adverts to the user does it fall into category 4. Unlike many other commentators, the ICC don’t appear to distinguish between first-party analytics and third-party profiling: both are in category 2. Indeed, the Guide’s classification doesn’t provide much information to users who want to know whether cookie information is shared with organisations other than the website: under the ICC classification all categories include both first- and third-party cookies, with only category 1 highlighted as requiring a “good justification” for use of a third-party cookie.

Part 4 of the Guide looks at obtaining user consent, while noting that the legal position on this is not yet clear. The Guide agrees with the Information Commissioner that consent is not required for category 1 and can be obtained by appropriate warning notices for functions and settings in category 3. However, the Guide suggests that consent for its expanded category 2 can be obtained in the Terms and Conditions of use of a site; in other words, that a site can refuse access to those who do not wish to be profiled or analysed. Although the Information Commissioner’s guidance on analytic cookies now seems to contemplate options other than the opt-in checkbox on his own site, the ICC suggestion seems to go considerably further. On targeted advertising cookies, the Guide notes that “it is important to obtain a clear informed consent from the user”, but doesn’t suggest any mechanism for doing so.

It seems that there is reasonable agreement on how to use strictly necessary and functionality cookies in compliance with the law, but still significant differences between businesses and regulators on analytics and advertising.