In line with recent changes in European legislation, UK law now requires website
operators to ask for a website user's permission when placing certain kinds of cookie
on their devices for the first time. Where consent is required, the law states that it
should be "informed consent". This increases the onus on websites to ensure that
visitors understand what cookies are and why website operators and others want to
The Information Commissioner's Office (ICO) has published detailed guidance on the
law and a number of other organisations have published information about the use of
cookies by businesses.
Business organisation the International Chambers of Commerce (ICC) has also published
advice regarding the cookie law.
Below is some reference information on cookies and the categories they fall into.
What is a cookie?
Cookies are text files containing small amounts of information which are downloaded
to your device when you visit a website. Cookies are then sent back to the originating
website on each subsequent visit, or to another website that recognises that cookie.
Cookies are useful because they allow a website to recognise a user's device.
You can find more information about cookies at: www.allaboutcookies.org and
www.youronlinechoices.eu for a video about cookies
Cookies do lots of different jobs, like letting you navigate between pages efficiently,
remembering your preferences, and generally improve the user experience.
They can also help to ensure that adverts you see online are more relevant to you
and your interests.
Category 1: strictly necessary cookies
These cookies are essential in order to enable you to
move around the website and use its features, such as
accessing secure areas of the website. Without these
cookies services you have asked for, like shopping
baskets or e-billing, cannot be provided.
No user consent is required for category 1 cookies.
- Remembering previous actions (e.g. entered text) when
navigating back to a page in the same session.
- Managing and passing security tokens to different services
within a website to identify the visitor's status (e.g. logged in
- To maintain tokens for the implementation of secure areas of
- To route customers to specific versions/applications of a
service, such as might be used during a technical migration
Category 2: performance cookies
These cookies collect information about how visitors use a website, for instance
which pages visitors go to most often, and if they get error messages from web pages.
These cookies don't collect information that identifies a visitor. All information these
cookies collect is aggregated and therefore anonymous. It is only used to improve how
a website works.
Consent for cookies in this category, according to the ICC, can be obtained by placing
appropriate wording in the site Terms and Conditions (most professional sites will
have this already). So, no opt-in required.
- Web analytics — where the data collected is limited to the
website operator's use only, for managing the performance
and design of the site. These cookies can be third-party
cookies but the information must be for the exclusive use of
the publisher of the website visited.
- Ad response rates — where the data is used exclusively for
calculating response rates (click-through rates) to improve
the effectiveness of advertising purchased on a site external
to the destination website. If the same cookie is used to
retarget adverts on a third-party site this would fall outside
the performance category (see Category 4)
- Affiliate tracking — where the cookie is used to let affiliates
know that a visitor to a site visited a partner site some time
later and if that visit resulted in the use or purchase of a
product or service, including details of the product and
service purchased. Affiliate tracking cookies allow the
affiliate to improve the effectiveness of their site. If the same
cookie is used to retarget adverts this would fall outside the
performance category (see Category 4)
- Error management — Measuring errors presented on a
website, typically this will be to support service improvement
or complaint management and will generally be closely
linked with web analytics.
- Testing designs — Testing variations of design, typically using
A/B or multivariate testing, to ensure a consistent look and
feel is maintained for the user of the site in the current and
Category 3: functionality cookies
These cookies allow the website to remember choices you make (such as your user name,
language or the region you are in) and provide enhanced, more personal features.
For instance, a website may be able to provide you with local weather reports or traffic
news by storing in a cookie the region in which you are currently located. These cookies
can also be used to remember changes you have made to text size, fonts and other parts
of web pages that you can customise. The information these cookies collect cannot track
your browsing activity on other websites.
- Remembering settings a user has applied to a website such
as layout, font size, preferences, colours etc.
- Remembering a choice such as not to be asked again to fill in
- Detecting if a service has already been offered, such as
offering a tutorial on future visits to the website.
- Providing information to allow an optional service to function
such as offering a live chat session.
- Fulfilling a request by the user such as submitting a
Category 4: targeting cookies or advertising cookies
These cookies are used to deliver adverts more relevant to you and your interests.
They are also used to limit the number of times you see an advertisement as well as
help measure the effectiveness of the advertising campaign. They are usually placed
by advertising networks with the website operator's permission. They remember that
you have visited a website and this information is shared with other organisations
such as advertisers. Quite often targeting or advertising cookies will be linked to
site functionality provided by the other organisation.
- Cookies placed by advertising networks to collect browsing
habits in order to target relevant adverts to the user. The site
the user is visiting need not actually be serving adverts, but
often this will also be the case.
- Cookies placed by advertising networks in conjunction
with a service implemented by the website to increase
functionality, such as commenting on a blog, adding a site
to the user's social network, providing maps or counters of
visitors to a site.