Skip to navigation

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.

// Home / Blogs

Posted on April 27th, 2012 by Kevin Partner

The Cookie law: clarity at last (but not from the ICO)

iccWhen Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 - “the Cookie law” to most of us – became part of UK law in May last year, the Information Commissioner’s Office (ICO) immediately invoked a one year moratorium on enforcement. Some might interpret that as tacit acknowledgement that the regulations were unenforceable. Little seemed to have changed as the end of the moratorium approached and website owners waited, in vain, for specific guidance from the ICO on how, exactly, to make their sites compliant.

Finally, something resembling advice has appeared, but it’s not come from the ICO but from business organisation the International Chambers of Commerce (ICC). Despite the inevitable disclaimer on page 2 that it “does not constitute legal advice”, it’s by far the most practical guide to the cookie regulations I’ve seen so far and is the result of research carried out by an organisation looking at this from a practical point of view rather than the compliance-based approach of the ICO.

Indeed, David Evans, group manager for business and industry at the ICO, said at the launch of the guide: “Today’s ICC UK guidance provides organisations with a good starting point from which they can work towards full compliance.” Which is about as close to a ringing endorsement as we’re ever likely to get from the 21st Century equivalent of the Circumlocution Office.

It’s not that the guide says anything new per se, but because of its business focus it bridges the gap between the legalistic coverage of the regulations produced by the ICO and the pleas of website owners to “JUST TELL ME WHAT TO DO!”

My advice is to download and digest the guide – it’s not long and it’s a model of clarity. In summary, the ICC’s guide places cookies into four categories and then explains its thinking about how each should be dealt with. The first category is Strictly Necessary. To fit this category, the cookie must be “related to a service provided on the website that has been explicitly requested by the user”. Aside from obvious cases such as shopping cart cookies and access to protected areas, the ICC suggests that remembering previously entered text so it’s not lost if the page refreshes falls into this category. No user consent is required for category 1 cookies.

The second ICC category is Performance Cookies. And here it gets interesting because the ICC includes analytics, advertising and Pay Per Click cookies in this category – provided they only store anonymous data and cannot therefore be used for behavioural targeting of ads. This was my biggest single concern with the regulations – I could see no way they could realistically be applied if it denied European website owners access to essential analytics information that would be available to owners elsewhere. Consent for cookies in this category, according to the ICC, can be obtained by placing appropriate wording in the site Terms and Conditions (most professional sites will have this already). So, no opt-in required.

The ICC’s third category is Functionality Cookies – cookies that remember user choices so that they have a more personalised experience. This might include detecting if the user has already seen a popup so that it isn’t shown again, submitting comments and remembering colours, text size etc. As with Performance Cookies, the ICC suggests you can comply with the regulations by inserting text into your terms and conditions rather than forcing users to choose explicitly.

This leaves the final category, the “bad boys” that the regulations were originally aimed at: Targeting/Advertising Cookies. We’ve all experienced the slightly creepy way ads follow us around the internet – they do this by collecting information about our browsing habits which is then used to serve up targeted ads. Even in this pretty clear-cut case, it’s possible to argue that the onus is on the ad serving network to request consent but, to be on the safe side, the ICC advises website owners to get clear, explicit consent from users if their site employs such technology.

For most website owners, then, it seems minimal changes are necessary – at least according to the ICC’s interpretation of the regulations. It’s a pity it’s taken a third party to produce such clear guidance rather than the body responsible for implementing the law but at least it’s arrived, in the nick of time. Good on the ICC.

Tags: , , ,

Posted in: Online business


Follow any responses to this entry through the RSS 2.0 feed.

You can skip to the end and leave a response. Pinging is currently not allowed.

9 Responses to “ The Cookie law: clarity at last (but not from the ICO) ”

  1. CookieCert Says:
    April 27th, 2012 at 7:19 pm

    This guide is similar to what we proposed almost 2 months ago. In fact so similar it causes me to wonder…

  2. Richard Housham Says:
    April 29th, 2012 at 10:37 pm

    Yeah, this sounds better but I have a few emails from the ICO saying that google analytic consent is required.

    That being said I’ve seen another department from the government say much the same thing as this article.

    To be perfectly honest I don’t care about it all – targeting cookies sometimes are helpful. If I’ve been looking at houses and then ad ad says – here are some houses that you haven’t looked at. Then that’s a good thing. At present ads are either
    a) Targeted to the content
    b) Loosely connected (one would hope to the site)
    c) Anything!

    Sites have enough trouble making money without this going on – oh well! Life will go on….

    Oh and someone email people like this as well.
    They will love the good news ;)

  3. johnnie spunkhammer Says:
    May 1st, 2012 at 10:20 am

    The ICC have been working on this for a lot longer than 2 months,

  4. Marc Liron Says:
    May 2nd, 2012 at 10:49 pm

    The ICO is still to issue robust advice on Analytics Cookies, but to say “So, no opt-in required.” is NOT good legal advice… its a wait and see game at the moment.

    I too have a guide avaialable for the last few months, although mine is more of an FAQ style guide.


  5. KevPartner Says:
    May 3rd, 2012 at 11:18 am

    @marc – we are very specifically NOT providing legal advice. We are simply reporting the guidance from the ICC. I think it is reasonably safe to say that the ICO wants website owners to concentrate their main efforts on advertising tracking cookies.
    I also point out that the ICO mandarin welcomed the guide and did not contradict it.
    It’s frankly ludicrous that a third party had to step in when the body responsible for policing the regulations has singularly failed to provide clear guidance as the end of the moratorium approaches. It’s as if they want to fix the law through the courts.

  6. Richard S Says:
    May 3rd, 2012 at 11:45 am

    What about the various Social Media buttons & plugins etc.? How should website operators deal with the “privacy” aspects of these?

    For example, presumably anyone who is logged into Facebook will be tracked when visiting an external website which contains Facebook features?

    Who is responsible for gaining consent or warning the web visitor: or the external website?

  7. Mike Says:
    May 3rd, 2012 at 2:22 pm

    And what about Super Cookies/Flash Cookies/LSOs!

    ‘Delete cookies’ doesn’t touch them.

  8. Alan Says:
    May 11th, 2012 at 3:05 pm

    If a user opts NOT to accept cookies when visiting my site, how do I remember this fact so that I don’t continually pester them by asking them on each page change? Shall I store it in a cookie ?? ;-)

  9. ski wax kit uk Says:
    October 16th, 2014 at 1:01 am

    Spot on with this write-up, I seriously feel this
    amazing site needs much more attention. I’ll probably be returning to
    read more, thanks for the information!


Leave a Reply

Spam Protection by WP-SpamFree

* required fields

* Will not be published






Your email:

Your password:

remember me


Hitwise Top 10 Website 2010