Request A Callback
By LegalEdge News

Why do we need a new cookie notice?


The ICO recently published new guidance on the use of cookies on websites.  The first question we’re all asking is why we need new guidance on the use of cookies? The answer is pretty simple – to align the ICO’s position on cookies with the GDPR.

The second question is why should we care? The answer is that you could be fined by the ICO. And, maybe more importantly, it’s a reputation issue – if you don’t comply users will wonder what else you might be doing, particularly with their personal information and data.

Aphaia, the data protection and compliance experts, have summarised the steps you’ll need to take to make sure your use of cookies is compliant:

  1. Work out what cookies you are using
  2. Say what cookies will be set
  3. Explain what the cookies will do
  4. Obtain consent for use of non-essential cookies

 

  1. Work out what cookies you are using

You’ll need to do a cookies audit to work out what cookies you are using and what you are using them for.  The guidelines distinguish between cookies that are strictly necessary (essential) and those that are not (non-essential) and the requirements are more stringent if you are using non-essential cookies: for those, you must get a user’s consent.

An essential cookie is one that is required for a service to function – i.e. without them, the user would be unable to undertake certain activities. If a cookie is required for a service but then has any other purpose, it will not be regarded as essential and if any cookie is collecting personal data it will require getting a user’s consent.

The following sets out the differences between essential and non-essential cookies:

Essential or ‘strictly necessary’ cookies

  • A cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods
  • Cookies that are essential to comply with the GDPR’s security principle for an activity the user has requested – for example in connection with online banking services
  • Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)

Non-essential or ‘non strictly necessary’ cookies

  • Cookies used for analytics purposes, e.g. to count the number of unique visits to a website
  • First and third-party advertising cookies (including those used for operational purposes related to third-party advertising, such as click fraud detection, research, product improvement, etc.)
  • Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

 

  1. Say what cookies will be set

You need to let your website users know what cookies your site uses and why you are using them and tell them in plain English. This requirement aligns with GDPR transparency standards: to be clear and concise so users can easily understand what cookies are used.

You must also tell them about any third-party cookies your site uses or that are incorporated in the cookies you use, which also includes use of pixels and web beacons, JavaScript and any other means of storing or accessing information from other services such as online advertising networks or social media platforms.

 

  1. Explain what the cookies do

This requirement is the ‘why’ – you must explain to users in a clear way why you are using the cookies you are using.  The recommendation here is to group your cookies into categories with an explanation of the way each type of cookies operates, rather than providing a laundry list of names of cookies which may be meaningless to the user.  For example, you may have analytics, targeting and/or functionality cookies and for each you’d briefly describe the types of things that type of cookie is used for on the site.

 

  1. Obtain consent for use of non-essential cookies

If you are using non-essential cookies, you must get a user’s consent to do so and for consent to be valid:

  • clear information on what cookies are set and why must be given (and for third-party cookies – they must be clearly named with details of what they will do with the information collected)
  • a user must take a clear and positive action – like ticking a box
  • it must be granular – with the ability to consent to certain use and not for others – not an ‘all or nothing’ approach
  • it must not be implied: no pre-ticked boxes, or similar ‘on’ sliders
  • users must be provided with controls and must still be allowed to access the website if they don’t consent – e.g. no ‘cookie walls’

Most businesses will therefore need to change their existing cookies pop-ups to seek valid consent.  For an example of a compliant cookies pop-up, see the ICO website or look at ours!

FYI the following types of cookie pop-ups are not compliant:

  • message boxes that are hard to read or interact with when using a mobile device
  • when users do not have the ability to click on any of the options available and go straight through to another part of your site without engaging with a consent box
  • using wording such as “By continuing to use our website, you consent to our use of cookies” followed by an “OK” or “Accept” button
  • an approach that emphasizes “agree” or “allow” over “reject” or “block” or that does not allow a user to make a real choice

However, we have also noticed that some sites take a slightly different approach using an ‘accept all’ button in an initial pop up containing a summary of information about the different cookies used and then linking to granular cookie consents if the user refuses “accept all”. They are following a different interpretation of the guidance as this is not granular and we’re yet to see if the ICO accepts this as compliant.

FYI,  the ICO have said in their guidance that where a first-party analytics cookie is set and it results in ‘a low level of intrusiveness and low risk of harm to individuals’ they may not be particularly concerned in bringing a formal enforcement action; but have unhelpfully gone on to say that where you use first-party analytics cookies provided by a third party, this is not necessarily going to be the case.  For people using Google Analytics it is unclear which category that cookie would fall into.  It appears to be possible to use Google Analytics without actually sending first party cookies back to them. So, the first party cookies stay on your server and Google Analytics extracts certain information from those cookies to provide the analytics without actually needing the cookies to be sent to them.  If  you use Google Analytics in this limited way (it’s probably one for your tech team/web developer to confirm) and the information you collect is not intrusive and low level (i.e. practically anonymous, such as tracking visitors by city or region) then it’s probably fairly low risk to use Google Analytics with a consent default turned to ‘on’ on your cookies pop up.  However, if you are not sure and your use of Google Analytics is sending information back to Google, you may want to stick to the safe option and turn your consent default to ‘off’.

The good news is that as long as the pop-ups appear the first-time cookies are set, there is no need to repeat it every time the same person visits the website. However, the ICO do recommend repeating a process at suitable intervals and also obtaining fresh consent if the use of cookies on your site changes over time.

Finally, there are a number of software providers offering compliant cookies pop up tools that you might want to investigate e.g. Cookie Hub and Civic.

And, if you’re still unsure about this new cookie policy then get in touch with us today and we’ll help make sure your website is/stays compliant.

Back To Blog Our Services
  • Share: