If your cookie compliance isn’t in order, expect a call from the ICO!

The Information Commissioner’s Office (ICO) has issued a warning that where cookies are being used by companies in a way that is not compliant with data privacy laws, they “can expect to see us come calling”. These ominous words act as a reminder for companies to check their cookie policies as well as how personal data is collected via cookies in practice on websites and apps and ensure all is in order.

Rules around cookies are expected to become less stringent when the new Data Protection and Digital Information (No 2) Bill is passed in 2024; however, the ICO has made it clear that awaiting these changes is no excuse for not complying with the law as it stands now. Fines under data protection laws for non-compliance can be hefty.

What is a cookie?

A cookie is a small text file placed by an online provider on the device of visitors to its site. Cookies collect information about internet users, such as their names, contact details, passwords and user preferences.

You may come across the following types of cookies:

  1. Strictly necessary cookies: those required to operate a website;
  2. Analytical/performance cookies: those that allow a website to recognise and count its visitors and their movement within the site, such as Google Analytics;
  3. Functionality cookies: those that recognise users and remember their preferences when they return to a website; and
  4. Targeting cookies: those that record a user’s visit to a website, its specific pages and links followed.

When can you use cookies?

Cookies may only be used on a website if the site user has been provided with clear and comprehensive information about the cookie’s existence and reason for use and has given his or her consent to the use. The exception to the rule is where the cookie is strictly necessary for the operation of the website (note that a cookie that is helpful or convenient but not essential is not strictly necessary).

How do you obtain valid consent?

For all non-essential cookies, the user’s prior consent (via an unambiguous positive action) must be obtained. This can be achieved in the following ways:

  • Via a pop-up window, header bar or static information banner flagging the site’s use of cookies immediately when the user first lands on the site. Consent to such use is sought at that point.
  • The banner should link to the site’s cookie or privacy policy, which should set out the types of cookies used, the purposes for which they are used, whether the information obtained is shared with third parties and how consent can be withdrawn.
  • A tick box (not pre-ticked) could be used for acceptance of the cookie, or a clickable “accept” option may be utilised. This must also work well when viewed on a mobile device as well as on a desktop.
  • A website user must be able to reject non-essential cookies as easily as they can accept them, meaning the simple options of “Accept” or “Reject” are likely to comply but options of “Accept” or “Manage Preferences”, without the “Reject” option, as we see so often on websites, will not suffice.
  • You must additionally be able to demonstrate that you have obtained valid consent and maintain a record of this.

It is important to bear in mind that these rules apply to all cookies, whether the cookie processes personal data or not.
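One way to implement the gating the list above describes, as an added illustration that is not code from the article or its author: a consent record in which nothing is pre-ticked, accept and reject paths that each take one action, non-essential cookies refused until consent exists and purged again on withdrawal, and a log of every decision kept as the evidence of consent. The category names, the record shape and the Map-backed cookie jar are assumptions made for the example; in a browser the jar would be document.cookie.

```javascript
// Consent-gated cookie handling: added illustration, not code from the article.
// Category names and the record shape are assumptions mirroring the four cookie types above.
const CATEGORIES = ["strictly_necessary", "analytical", "functionality", "targeting"];
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== "strictly_necessary");

// Build a consent record. Nothing is pre-ticked: a non-essential category is only
// true when the user explicitly chose it, so "no choice" is the same as "rejected".
function createConsentRecord(choices = {}, now = new Date()) {
  const record = { recordedAt: now.toISOString(), choices: {} };
  for (const category of CATEGORIES) {
    record.choices[category] =
      category === "strictly_necessary" ? true : choices[category] === true;
  }
  return record;
}

// Accept and reject are one action each, so neither path is harder than the other.
function acceptAll(now) {
  const all = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]));
  return createConsentRecord(all, now);
}
function rejectAll(now) {
  return createConsentRecord({}, now);
}

// Withdrawal produces a fresh, newly timestamped record rather than editing the
// old one, so the log keeps every decision in order.
function withdraw(record, category, now = new Date()) {
  const choices = { ...record.choices, [category]: false };
  return createConsentRecord(choices, now);
}

// Only strictly necessary cookies may be set before any consent record exists.
function isAllowed(record, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === "strictly_necessary") return true;
  return record != null && record.choices[category] === true;
}

// A cookie jar that refuses writes the current consent does not cover and purges
// a category on withdrawal. A Map stands in for document.cookie so this runs anywhere.
function createCookieJar() {
  const cookies = new Map(); // name -> { value, category }
  const consentLog = []; // every record ever applied, oldest first: the evidence of consent
  let current = null;

  return {
    applyConsent(record) {
      consentLog.push(record);
      current = record;
      // Drop cookies whose category is no longer consented to.
      for (const [name, cookie] of cookies) {
        if (!isAllowed(current, cookie.category)) cookies.delete(name);
      }
    },
    set(name, value, category) {
      if (!isAllowed(current, category)) return false; // refused, never written
      cookies.set(name, { value, category });
      return true;
    },
    has(name) {
      return cookies.has(name);
    },
    log() {
      return consentLog.slice();
    },
  };
}

// Walk-through with constructed sample cookies: a session cookie before any banner
// interaction, an analytics cookie only after acceptance, and its removal on withdrawal.
function demo() {
  const jar = createCookieJar();
  const before = jar.set("session_id", "abc123", "strictly_necessary"); // true
  const blocked = jar.set("analytics_id", "visitor-42", "analytical"); // false: no consent yet
  jar.applyConsent(acceptAll(new Date("2024-01-01T00:00:00Z")));
  const afterAccept = jar.set("analytics_id", "visitor-42", "analytical"); // true
  jar.applyConsent(withdraw(jar.log()[0], "analytical", new Date("2024-01-02T00:00:00Z")));
  return {
    before,
    blocked,
    afterAccept,
    analyticsStillPresent: jar.has("analytics_id"), // false: purged on withdrawal
    sessionStillPresent: jar.has("session_id"), // true: strictly necessary
    logLength: jar.log().length, // 2 decisions on record
  };
}
```

The point a practitioner should take from the walk-through is the default: with no record at all, `isAllowed` answers false for every non-essential category, so a page that sets analytics or targeting cookies before the banner has been answered fails the prior-consent requirement regardless of how the banner looks.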

Madeleine Rhodes  MRhodes@redfernlegal.com