How Intrusive Are Your Cookies?

Ever since the ICO started giving out guidance to people on complying with the cookie law, there has been this idea of degrees of cookie intrusiveness. 

This idea is an important one because assessing how intrusive your cookies are is deemed to be an important part of deciding how you should be obtaining consent from visitors.

Yet no-one really knows what that means.  Even the ICO states that “how intrusive an activity (is) will depend to an extent on the view taken by the user“.  Much as I admire what the ICO is trying to do with its advice, this seems a little bit of a cop out to me.

The best that they or anyone else I have come across can do is talk about a ‘sliding scale’ – and though many people have a good sense of what might be at either end of that scale, it is the detail in the middle that most people are having to wrestle with when actually trying to work out their compliance strategy.

So, we at The Cookie Collective have decided to stick our heads above the parapet, draw a line in the sand etc., and come up with a definition of sorts.

However, rather than a sliding scale, which is far too woolly an approach for practical application purposes, we are going for a categorisation.

Intrusiveness Level: Zero
Any cookies that have the sole purpose of making the website work. They will always be first party, and for the most part session cookies. They would usually be used solely to enable site navigation, like maintaining a persistent user session across pages.  They are cookies that would fall under the ‘strictly necessary’ exemption for consent in the regulations.

Intrusiveness Level: Low
These are cookies that are designed to enhance the core user experience on the site, or help with measuring site performance.

So cookies for text size or colour preferences are a good example. Analytics cookies, as long as they are first party cookies and the data is not otherwise shared, would also fall into this category.

This category will always be first party, but may include both session and persistent cookies.  However if that persistent cookie has a longer life span – say more than 30 days – then it might reasonably be pushed into the next category up.

Intrusiveness Level: Medium
These are cookies that might be used to store more personally identifiable information, or can be used for limited tracking cross-site tracking.

This category would also include first party cookies that track or control the user experience within a site, in a way that might not be obvious to the user or under their control.  Especially it is a persistent cookie that can do this across multiple visits.

A cookie that enables a website to present content based on previous visits by that user, or based on personal information would be good examples.

Like saying ‘welcome back Colin‘ when the visitor hasn’t logged in on a return visit; or presenting news articles that you think will be of interest to the visitor without asking them.

This would also include third party cookies that enable certain types of plug-ins and widgets to be added to a site to enhance user functionality, but are not identifying visitors or tracking behaviour across other domains, unless they have otherwise opted-in or signed up directly with that provider.

Cookies used by many types of social networking services, and set by sharing buttons, would fall into this category.  This is because they are only able to track a user if they have previously signed in and agreed to their terms and conditions, so they don’t affect all visitors.

The Facebook Like button is a good example of this.  It can set cookies used for tracking and user profiling, but only if that user has a Facebook account.

Intrusiveness Level: High
Any cookies that are mainly intended to track and record visitor interests, without any kind of prior consent, and to aggregate that data across sites for the benefit of third parties would fall into this category.

This would include all types of cookies served by online advertising and also cookies set through the provision of embedded content that is not directly advertising related.

Embedded YouTube videos, or Google Maps set and retrieve cookies which could be used to track users across sites, even if they are not used to then serve up adverts.

The vast majority of Third Party cookies would fall into this category.

So there it is, a first attempt to classify the intrusiveness of cookies.  Of course, many of you may have different views, and we would welcome feedback and a debate on this important issue.

You just have to start somewhere.