There have been numerous instances recently of data privacy regulators fining organisations for using cookies on their websites without the user’s prior consent. Regulators have made clear that rejecting cookies must be as simple for the user as accepting them.
What is a cookie?
A cookie is a small text file placed by an online provider on the device of a visitor to its site. Cookies collect information about internet users, such as their names, contact details, passwords and user preferences.
You may come across the following types of cookies:
1. Strictly necessary cookies: those required to operate a website;
2. Analytical/performance cookies: those that allow a website to recognise and count its visitors and their movement within the site, such as Google Analytics;
3. Functionality cookies: those that recognise users and remember their preferences when they return to a website; and
4. Targeting cookies: those that record a user’s visit to a website, its specific pages and links followed.
When can you use cookies?
Cookies may only be used on a website if the site user has been provided with clear and comprehensive information about the cookie’s existence and reason for use and has given his or her consent to the use.
The exception to the rule is where the cookie is strictly necessary for the operation of the website (note that a cookie that is helpful or convenient but not essential is not strictly necessary).
How do you obtain valid consent?
For all non-essential cookies, the user’s prior consent (via an unambiguous positive action) must be obtained. This can be achieved in the following ways:
• You may decide to use a pop-up window, header bar or static information banner to flag the site’s use of cookies immediately when the user first lands on the site, and seek consent to such use at that point.
• This should include a link to the site’s cookie or privacy policy, which should set out the types of cookies used, the purposes for which they are used, whether the information obtained is shared with third parties and how consent can be withdrawn.
• A tick box (not pre-ticked) could be used for acceptance of the cookie, or a clickable “accept” option may be utilised. This must work well when viewed on a mobile device as well as on a desktop.
• A website user must be able to reject non-essential cookies as easily as they can accept them, meaning the simple options of “Accept” or “Reject” are likely to comply but options of “Accept” or “Manage Preferences”, without the “Reject” option, will not suffice.
• You must additionally be able to demonstrate that you have obtained valid consent and maintain a record of this.
It is important to bear in mind that these rules apply to all cookies, whether the cookie processes personal data or not.
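The consent rules above, expressed as a small consent gate. This is an added example, not code from the original article or from the author’s firm; the category names, the banner design fields and the record format are assumptions made for the example.

```javascript
// Categories follow the four cookie types listed on the page; the names are assumptions for this example.
const CATEGORIES = ["strictly_necessary", "analytics", "functionality", "targeting"];

// Until the user acts, only strictly necessary cookies are permitted (the page's one exception).
function defaultConsent() {
  return { strictly_necessary: true, analytics: false, functionality: false, targeting: false };
}

// Check a banner design against the consent rules above. Returns a list of problems (empty = none found).
function bannerIssues(design) {
  const issues = [];
  const top = design.topLevelButtons || [];
  if (!top.includes("accept")) issues.push("no top-level accept option");
  if (!top.includes("reject")) issues.push("reject must be as easy as accept; a Manage Preferences route is not enough");
  if (design.preTicked) issues.push("consent boxes must not be pre-ticked");
  if (!design.policyLink) issues.push("banner must link to the cookie or privacy policy");
  return issues;
}

// Turn the user's banner action into a consent record. Only an unambiguous "accept" grants
// consent; "reject" keeps the defaults, and anything else (closing the banner, scrolling on)
// is not consent at all. The record keeps the evidence needed to demonstrate valid consent.
function recordDecision(action, now = new Date()) {
  const consent = defaultConsent();
  if (action === "accept") {
    for (const c of CATEGORIES) consent[c] = true;
  } else if (action !== "reject") {
    throw new Error("consent requires an explicit accept or reject, got: " + action);
  }
  return { action, consent, decidedAt: now.toISOString() };
}

// Gate every cookie write through this: no record yet means nothing non-essential is set.
function mayUseCookie(category, record) {
  if (category === "strictly_necessary") return true;
  if (!record || !record.consent) return false;
  return record.consent[category] === true;
}

// Example run on a constructed banner design that offers "Accept" and "Manage Preferences" only.
function demo() {
  const issues = bannerIssues({ topLevelButtons: ["accept", "manage"], preTicked: false, policyLink: "/cookies" });
  const rejected = recordDecision("reject", new Date("2024-01-01T00:00:00Z"));
  return { issues, analyticsAllowed: mayUseCookie("analytics", rejected) };
}
```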
If you would like further advice on safely using cookies or implementing a compliant website cookie banner and cookie policy, please get in touch.
Madeleine Rhodes
Email: MRhodes@redfernlegal.com