Thursday, February 16, 2012
Ever since the ICO started giving out guidance to people on
complying with the cookie law, there has been this idea of degrees
of cookie intrusiveness.
This idea is an important one because assessing how intrusive
your cookies are is deemed to be an important part of deciding how
you should be obtaining consent from visitors.
Yet no-one really knows what that means. Even the ICO
states that "how intrusive an activity (is) will depend to an
extent on the view taken by the user". Much as I admire
what the ICO is trying to do with its advice, this seems a little
bit of a cop out to me.
The best that they or anyone else I have come across can do is
talk about a 'sliding scale' - and though many people have a good
sense of what might be at either end of that scale, it is the
detail in the middle that most people are having to wrestle with
when actually trying to work out their compliance strategy.
So, we at The Cookie Collective have decided to stick our heads
above the parapet, draw a line in the sand etc., and come up with a
definition of sorts.
However, rather than a sliding scale, which is far too woolly an
approach for practical application purposes, we are going for a

Intrusiveness Level: Zero

Any cookies that have the sole purpose of making the website work.
They will always be first party, and for the most part session
cookies. They would usually be used solely to enable site
navigation, like maintaining a persistent user session across
pages. They are cookies that would fall under the 'strictly
necessary' exemption for consent in the regulations.

Intrusiveness Level: Low

These are cookies that are designed to enhance the core
user experience on the site, or help with measuring site
So cookies for text size or colour preferences are a good
example. Analytics cookies, as long as they are first party cookies
and the data is not otherwise shared, would also fall into this
This category will always be first party, but may include both
session and persistent cookies. However, if that persistent
cookie has a longer lifespan - say more than 30 days - then it
might reasonably be pushed into the next category up.

Intrusiveness Level: Medium

These are cookies that might be used to store more personally
identifiable information, or can be used for limited tracking
This category would also include first party cookies that track
or control the user experience within a site, in a way that might
not be obvious to the user or under their control. Especially if
it is a persistent cookie that can do this across multiple
A cookie that enables a website to present content based on
previous visits by that user, or based on personal information,
would be a good example.
Like saying 'welcome back Colin' when the visitor
hasn't logged in on a return visit; or presenting news articles
that you think will be of interest to the visitor without asking
This would also include third party cookies that enable certain
types of plug-ins and widgets to be added to a site to enhance user
functionality, but are not identifying visitors or tracking
behaviour across other domains, unless they have otherwise opted-in
or signed up directly with that provider.
Cookies used by many types of social networking services, and
set by sharing buttons, would fall into this category. This
is because they are only able to track a user if they have
previously signed in and agreed to their terms and conditions, so
they don't affect all visitors.
The Facebook Like button is a good example of this. It can
set cookies used for tracking and user profiling, but only if that
user has a Facebook account.

Intrusiveness Level: High

Any cookies that are mainly intended to track and record visitor
interests, without any kind of prior consent, and to aggregate that
data across sites for the benefit of third parties would fall into
This would include all types of cookies served by online
advertising and also cookies set through the provision of embedded
content that is not directly advertising related.
Embedded YouTube videos or Google Maps set and retrieve cookies
which could be used to track users across sites, even if they are
not used to then serve up adverts.
The vast majority of third party cookies would fall into this
So there it is, a first attempt to classify the intrusiveness of
cookies. Of course, many of you may have different views, and
we would welcome feedback and a debate on this important issue.
You just have to start somewhere.
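
The four levels above can be applied mechanically during a cookie audit. The sketch below is an added example, not code from The Cookie Collective: it reads the lifetime from a Set-Cookie header, decides first or third party from the host that set it, and maps the result to a level. The purpose labels, function names and sample hosts are assumptions, and the purpose of each cookie still has to be assigned by whoever runs the audit.

```javascript
// Added example. Purpose labels are assumed: an auditor assigns one per cookie.
const LOW_PURPOSES = new Set(['preference', 'analytics']);

// Lifetime in days from a Set-Cookie header value; 0 means a session cookie.
function lifetimeDays(setCookie, now = Date.now()) {
  let maxAge = NaN, expires = NaN;
  for (const attr of setCookie.split(';').slice(1)) {
    const [key, ...rest] = attr.trim().split('=');
    const value = rest.join('=');
    if (/^max-age$/i.test(key)) maxAge = parseInt(value, 10);
    else if (/^expires$/i.test(key)) expires = Date.parse(value);
  }
  // Max-Age takes precedence over Expires (RFC 6265).
  if (!Number.isNaN(maxAge)) return Math.max(maxAge, 0) / 86400;
  if (!Number.isNaN(expires)) return Math.max(expires - now, 0) / 86400000;
  return 0;
}

// Naive first-party test on the last two host labels. Simplification:
// a real audit should use the Public Suffix List (e.g. for .co.uk).
function isFirstParty(setterHost, siteHost) {
  const base = h => h.toLowerCase().split('.').slice(-2).join('.');
  return base(setterHost) === base(siteHost);
}

// Map one observed cookie to the article's intrusiveness level.
function classify({ setCookie, setterHost, purpose }, siteHost, now = Date.now()) {
  if (!isFirstParty(setterHost, siteHost)) {
    // Third party: widgets that only track signed-in users are Medium, the rest High.
    return purpose === 'social-widget' ? 'Medium' : 'High';
  }
  if (purpose === 'strictly-necessary') return 'Zero';
  if (LOW_PURPOSES.has(purpose)) {
    // Long-lived persistent cookies move up a category ("say more than 30 days").
    return lifetimeDays(setCookie, now) > 30 ? 'Medium' : 'Low';
  }
  if (purpose === 'personalisation') return 'Medium';
  return 'Unclassified'; // unknown purpose: needs manual review
}

// Constructed sample observations for a site served from www.example.test.
const SAMPLES = [
  { setCookie: 'sid=abc; Path=/; HttpOnly', setterHost: 'www.example.test', purpose: 'strictly-necessary' },
  { setCookie: 'fontsize=large; Max-Age=604800', setterHost: 'www.example.test', purpose: 'preference' },
  { setCookie: '_stats=1; Max-Age=63072000', setterHost: 'www.example.test', purpose: 'analytics' },
  { setCookie: 'w=1; Max-Age=3600', setterHost: 'widgets.social.test', purpose: 'social-widget' },
  { setCookie: 'id=xyz; Max-Age=31536000', setterHost: 'ads.adnet.test', purpose: 'advertising' },
];
const audit = (samples, siteHost) => samples.map(s => classify(s, siteHost));
```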