How We Classify Cookies
Although there are no specific requirements for how this information should be given, there is general agreement that different types of cookies can be classified into groups according to their purpose.
The most common classification system in use today, at least in English language websites, was proposed and developed by The UK International Chamber of Commerce (ICC).
Their system relies on four classifications:
- Strictly Necessary Cookies
- Performance Cookies
- Functionality Cookies
- Targeting or Advertising Cookies
The ICC have produced a guide for organisations in how to use of these classifications.
Although this system is not perfect, and open to interpretation, it is the best current example of an attempt to create a common, non-technical language describing cookies to site visitors.
The aim was to promote the idea that consumer education and awareness would be greatly enhanced by having a common language about cookies that consumers could understand, thus enabling them to make better informed decisions.
We support this aim and have broadly adopted their categorisation system. On top of this we have added a layer of simple rules that enable clearer decisions to be made in certain edge case scenarios, and a methodology for best practice classification where further information about the use of particular cookies is not otherwise available.
This additional layer is courtesy of the work done by Optanon, whose data powers the majority of this service. Below are explanations of each category, including the original ICC definition and Optanon additional explanatory notes.
Strictly Necessary Cookies
These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like shopping baskets or e-billing, cannot be provided.
These are all the cookies without which the website could not perform basic functions. They may be set automatically when pages load, or as a result of a user request that cannot be fulfilled without the use of the cookie. Generally these are session cookies that expire on closing the browser but not always.
This is the most important category of cookies, as it is the only one that is recognised by the legislation. The law allows that any Strictly Necessary cookies are exempted from any requirements for user consent. It is therefore generally to a site owners’ advantage to have as many cookies as possible fall into this category.
However, there are also guidelines that have been laid down that restrict what can be included in this category. The Article 29 Working Party, which is an EU body which advises on the interpretation of the EU cookie directive, has produced detailed examples of the types of cookies that can be included in this category. These are intended to create a narrow definition such that cookies which may be seen as necessary or essential by the organisation that owns a website cannot be included unless they are technically necessary.
So if a cookie is there to support particular interactive functionality which adds value to the user but without which the site can still function, then this would be classified as a Functionality Cookie. This is also true if the cookie is used to remember preferences or settings, or a user identity between visits.
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
These cookies are used to provide site owners with statistical information about their site – which is generally used for performance measurement and improvement. This is generally also known as ‘Analytics’. It includes activities like counting page visits, dwell time, bounce rates, technologies used to access the site, and page load speeds.
Generally these will be first party cookies, and a mix of session and persistent cookies. Sometimes the services are provided by third parties and specialised software – which can use either first or third party cookies.
Some third party software services embedded in a site may use analytics software services to measure the performance of their services. In such cases we would classify these cookies as appropriate to the services or functionality provided by the third party, rather than automatically list them as Performance Cookies. This is because they are used by the third party, rather than by the site the visitor is accessing, and therefore the data they collect can be put to purposes unknown by the site owner, especially if used in combination with other cookies set by the third party.
These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
These cookies are generally there to support site functionality that is visible or advantageous to the user or their experience of the site. This includes elements of persistent personalisation (remembered on subsequent visits), and enhanced functionality like web chat services, surveys, commenting and rating systems, and user preferences. They are generally a mix of first and third party, session and persistent cookies.
Social Sharing Cookies as Functionality Cookies: Buttons and widgets provided by social network services and other third parties commonly set cookies which enable visitors to post links to, ‘Like’ or comment on a site through their social networks.
Cookies set by these types of services can be difficult to categorise, as whilst they enable user functionality to be added to the site, they often also allow tracking of visitors across other sites that have the same sorts of functionality embedded in them, and therefore they could be used for targeting or advertising, either by the company in question, or further parties it may make the data available to. In many cases the cookies are known to be used in this way.
Decisions on whether to categorise these types of cookies as Functionality or Targeting, depends on a mixture of factors. However, where the setting of cookies relies on the user having an active login or account with the third party service, before visiting or interacting with the target domain, then we would generally classify them as Functionality cookies. This is because when signing up to the third party, users would have agreed to the terms and conditions of that service. Therefore, the setting of those cookies, through the site being visited, is part of the functionality of delivering that service, even if that functionality includes advertising.
In most other cases we classify such cookies as Targeting.
These cookies are used to deliver adverts more relevant to you and your interests They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.
These types of cookies are set by digital advertising businesses for the prime or sole purpose of managing the performance of adverts, displaying adverts, and/or building user profiles to determine the display of adverts elsewhere.
These will almost always be third party cookies and mostly persistent. They can be set even if the site itself does not display advertising. In some cases cookies will be set so the site being visited can target the user with adverts elsewhere after they have left, a practice known as re-marketing.
We also place in this category third party social sharing, content or functionality services where there is a significant element of data collection by the third party for either advertising or profiling of visitors, and where this is done without the visitor having to have previously signed up to the services of the third party. The advertising could take place within the embedded service, or elsewhere.