Make your cookie use compliant or “face the consequences”…

In October 2023 we published a blog about the Information Commissioner’s Office (ICO) issuing a warning to companies to ensure that cookies placed on their websites are compliant with data protection laws.

Last week the ICO reiterated this warning. They have made it clear that they are cracking down on non-compliance, issuing fines and taking other enforcement action where necessary. Crucially, the ICO expects “all websites using advertising cookies or similar technologies to give people a fair choice over whether they consent to the use of such technologies”. They are reviewing websites and are also in the process of developing an AI solution to assist in their efforts.

Here is a reminder of what cookies are and how to make your use of them compliant…

What is a cookie?

A cookie is a small text file placed by an online provider on the device of each visitor to its website. Cookies collect information about internet users, such as their names, contact details, passwords and user preferences.

You may use/come across the following types of cookies:

  1. Strictly necessary cookies: those required to operate a website;
  2. Analytical/performance cookies: those that allow a website to recognise and count its visitors and their movement within the site, such as Google Analytics;
  3. Functionality cookies: those that recognise users and remember their preferences when they return to a website; and
  4. Targeting cookies: those that record a user’s visit to a website, its specific pages and links followed.

When can you use cookies?

Cookies may only be used on a website if the site user has been provided with clear and comprehensive information about the cookie’s existence and reason for use and has given his or her consent to the use. The exception to the rule is where the cookie is strictly necessary for the operation of the website (note that a cookie that is helpful or convenient but not essential is not strictly necessary).

How do you obtain valid consent?

For all non-essential cookies, the user’s prior consent (via an unambiguous positive action) must be obtained. This can be achieved in the following ways:

  • Via a pop-up window, header bar or static information banner flagging the site’s use of cookies immediately when the user first lands on the site. Consent to such use is sought at that point.
  • The banner should link to the site’s cookie or privacy policy, which should set out the types of cookies used, the purposes for which they are used, whether the information obtained is shared with third parties and how consent can be withdrawn.
  • A tick box (not pre-ticked) or a clickable “accept” option may be used to accept the cookie. This must work as well on a mobile device as it does on a desktop.
  • A website user must be able to reject non-essential cookies as easily as they can accept them, meaning the simple options of “Accept” or “Reject” are likely to comply, whereas “Accept” or “Manage Preferences” without a “Reject” option, as we so often see on websites, will not suffice.
  • You must additionally be able to demonstrate that you have obtained valid consent and maintain a record of this.

It is important to bear in mind that these rules apply to all cookies, whether the cookie processes personal data relating to individuals or not.
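The consent rules above translate into a small piece of gating logic on the website: nothing outside the strictly necessary category is set until the visitor has taken a positive action, every optional category defaults to off (the “not pre-ticked” point), rejecting is a single action just like accepting, withdrawal is possible later, and a record is kept of what was chosen and when. The following is an added example written for this post, not code from the ICO or from any consent-management product; it is plain JavaScript with no browser dependency so it can be run as-is, and the category names, the policy version string and the sample cookie list are constructed for illustration.

```javascript
// Added example (not from the original post): a minimal cookie-consent gate
// written as plain functions so it runs without a browser.
// Category names, POLICY_VERSION and SAMPLE_COOKIES are assumptions for illustration.

const CATEGORIES = ["strictly_necessary", "analytics", "functionality", "targeting"];
// Constructed value: change it whenever the cookie policy text changes, so that
// consent given under an older policy is no longer treated as valid.
const POLICY_VERSION = "2024-01";

// State before any user action: every optional category is off ("not pre-ticked").
// Strictly necessary cookies are exempt from consent because the site cannot run without them.
function defaultConsent() {
  return { strictly_necessary: true, analytics: false, functionality: false, targeting: false };
}

// Build a consent record from an explicit user action.
//   action:  "accept_all" | "reject_all" | "custom"
//   choices: for "custom", an object such as { functionality: true }; anything not
//            explicitly true stays off, so a half-filled preferences form never opts in by accident
//   now:     timestamp supplied by the caller, kept in the record as evidence of when consent was given
function recordConsent(action, choices, now) {
  const consent = defaultConsent();
  if (action === "accept_all") {
    for (const c of CATEGORIES) consent[c] = true;
  } else if (action === "custom") {
    for (const c of CATEGORIES) {
      if (c === "strictly_necessary") continue;
      consent[c] = Boolean(choices) && choices[c] === true;
    }
  } else if (action !== "reject_all") {
    throw new Error("unknown consent action: " + action);
  }
  // This object is what you keep to demonstrate valid consent: the action taken,
  // the resulting choices, the policy version they were made under and the time.
  return { action, consent, policyVersion: POLICY_VERSION, recordedAt: now };
}

// Withdrawal is just a fresh record with every optional category off; the old
// record should be retained alongside it if you need a history of changes.
function withdrawConsent(now) {
  return recordConsent("reject_all", null, now);
}

// May a cookie in this category be set? No record, or a record made under an
// earlier policy version, means only strictly necessary cookies are allowed.
function mayUseCategory(record, category) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  if (category === "strictly_necessary") return true;
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  return record.consent[category] === true;
}

// Given the cookies the site would like to set, return only those the record permits.
function filterCookies(record, cookies) {
  return cookies.filter((ck) => mayUseCategory(record, ck.category));
}

// Constructed sample: cookies the site would like to set, tagged with their category.
const SAMPLE_COOKIES = [
  { name: "session_id", category: "strictly_necessary" },
  { name: "_ga", category: "analytics" },
  { name: "lang_pref", category: "functionality" },
  { name: "ad_id", category: "targeting" },
];
```

In a real page the banner’s “Accept” and “Reject” buttons each call `recordConsent` once, with the same number of clicks, the record is persisted (for example in a strictly necessary cookie or server side against the session), and only the cookies returned by `filterCookies` are ever written with `document.cookie` or handed to a tag manager. Tying the record to `POLICY_VERSION` means a change to what you disclose in the cookie policy automatically sends visitors back to the banner rather than silently reusing consent given for something else.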

Please get in touch if you would like assistance in bringing your data protection compliance up to date.

Madeleine Rhodes