Why do we need a new cookie notice?

The ICO recently published new guidance on the use of cookies on websites. The first question we’re all asking is why we need new guidance on the use of cookies? The answer is pretty simple – to align the ICO’s position on cookies with the GDPR.

The second question is why should we care? The answer is that you could be fined by the ICO. And, maybe more importantly, it’s a reputation issue – if you don’t comply users will wonder what else you might be doing, particularly with their personal information and data.

Aphaia, the data protection and compliance experts, have summarised the steps you’ll need to take to make sure your use of cookies is compliant:

Work out what cookies you are using
Say what cookies will be set
Explain what the cookies will do
Obtain consent for use of non-essential cookies

Work out what cookies you are using

You’ll need to do a cookies audit to work out what cookies you are using and what you are using them for. The guidelines distinguish between cookies that are strictly necessary (essential) and those that are not (non-essential) and the requirements are more stringent if you are using non-essential cookies: for those, you must get a user’s consent.

An essential cookie is one that is required for a service to function – i.e. without them, the user would be unable to undertake certain activities. If a cookie is required for a service but then has any other purpose, it will not be regarded as essential and if any cookie is collecting personal data it will require getting a user’s consent.

The following sets out the differences between essential and non-essential cookies:

Essential or ‘strictly necessary’ cookies

A cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods
Cookies that are essential to comply with the GDPR’s security principle for an activity the user has requested – for example in connection with online banking services
Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)

Non-essential or ‘non strictly necessary’ cookies

Cookies used for analytics purposes, e.g. to count the number of unique visits to a website
First and third-party advertising cookies (including those used for operational purposes related to third-party advertising, such as click fraud detection, research, product improvement, etc.)
Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

Say what cookies will be set

You need to let your website users know what cookies your site uses and why you are using them and tell them in plain English. This requirement aligns with GDPR transparency standards: to be clear and concise so users can easily understand what cookies are used.

You must also tell them about any third-party cookies your site uses or that are incorporated in the cookies you use, which also includes use of pixels and web beacons, JavaScript and any other means of storing or accessing information from other services such as online advertising networks or social media platforms.

Explain what the cookies do

This requirement is the ‘why’ – you must explain to users in a clear way why you are using the cookies you are using. The recommendation here is to group your cookies into categories with an explanation of the way each type of cookies operates, rather than providing a laundry list of names of cookies which may be meaningless to the user. For example, you may have analytics, targeting and/or functionality cookies and for each you’d briefly describe the types of things that type of cookie is used for on the site.

Obtain consent for use of non-essential cookies

If you are using non-essential cookies, you must get a user’s consent to do so and for consent to be valid:

clear information on what cookies are set and why must be given (and for third-party cookies – they must be clearly named with details of what they will do with the information collected)
a user must take a clear and positive action – like ticking a box
it must be granular – with the ability to consent to certain use and not for others – not an ‘all or nothing’ approach
it must not be implied: no pre-ticked boxes, or similar ‘on’ sliders
users must be provided with controls and must still be allowed to access the website if they don’t consent – e.g. no ‘cookie walls’

Most businesses will therefore need to change their existing cookies pop-ups to seek valid consent. For an example of a compliant cookies pop-up, see the ICO website or look at ours!

FYI the following types of cookie pop-ups are not compliant:

message boxes that are hard to read or interact with when using a mobile device
when users do not have the ability to click on any of the options available and go straight through to another part of your site without engaging with a consent box
using wording such as “By continuing to use our website, you consent to our use of cookies” followed by an “OK” or “Accept” button
an approach that emphasizes “agree” or “allow” over “reject” or “block” or that does not allow a user to make a real choice

However, we have also noticed that some sites take a slightly different approach using an ‘accept all’ button in an initial pop up containing a summary of information about the different cookies used and then linking to granular cookie consents if the user refuses “accept all”. They are following a different interpretation of the guidance as this is not granular and we’re yet to see if the ICO accepts this as compliant.

FYI, the ICO have said in their guidance that where a first-party analytics cookie is set and it results in ‘a low level of intrusiveness and low risk of harm to individuals’ they may not be particularly concerned in bringing a formal enforcement action; but have unhelpfully gone on to say that where you use first-party analytics cookies provided by a third party, this is not necessarily going to be the case. For people using Google Analytics it is unclear which category that cookie would fall into. It appears to be possible to use Google Analytics without actually sending first party cookies back to them. So, the first party cookies stay on your server and Google Analytics extracts certain information from those cookies to provide the analytics without actually needing the cookies to be sent to them. If you use Google Analytics in this limited way (it’s probably one for your tech team/web developer to confirm) and the information you collect is not intrusive and low level (i.e. practically anonymous, such as tracking visitors by city or region) then it’s probably fairly low risk to use Google Analytics with a consent default turned to ‘on’ on your cookies pop up. However, if you are not sure and your use of Google Analytics is sending information back to Google, you may want to stick to the safe option and turn your consent default to ‘off’.

The good news is that as long as the pop-ups appear the first-time cookies are set, there is no need to repeat it every time the same person visits the website. However, the ICO do recommend repeating a process at suitable intervals and also obtaining fresh consent if the use of cookies on your site changes over time.

Finally, there are a number of software providers offering compliant cookies pop up tools that you might want to investigate e.g. Cookie Hub and Civic.

And, if you’re still unsure about this new cookie policy then get in touch with us today and we’ll help make sure your website is/stays compliant.

What do our clients think?

Having an experienced lawyer as your single point of contact to manage legal matters effectively whilst providing pragmatic solutions is exactly what you get from LegalEdge
Legal & Compliance Officer - Distributed
LegalEdge’s practical approach to our day-to-day legal requirements has been second to none. I highly recommend their commercial contract support – it’s a game changer.
COO/CFO - Fluent Commerce
We’re very pleased with the work LegalEdge are doing for us. We’re getting quick and decisive responses that are really helping us move forward.
FINANCE & OPERATIONS DIRECTOR - DEPOP
Our original MSA was very one-sided and not favourable to us, with LegalEdge’s help getting this agreement in place we have significantly reduced the risk to the agency.
Operations Director – Contracts and Commercial, - The Social Element
LegalEdge has provided unparalleled legal support to our EMEA business as our in-house lawyers to help us negotiate our software license contracts successfully and quickly.
VP & GM EMEA - Wherescape
The Intellectual Property audit provided by LegalEdge was extremely thorough. Securing our IP is enabling us to scale confident that our brand is protected under the law.
Founder - Arishi
It’s not an understatement that the new contracts gave us a lot of confidence in negotiating. It sets the right tone with our clients that we know what we are doing.
Operations Director - OneSixOne
I don’t always need the technicalities of a matter; LegalEdge provide pragmatic solutions that help us to close the deal.
Co-founder - Lexonis
LegalEdge has provided excellent, commercially focused advice as part of our in-house legal team that has helped us close contracts with our customers and partners.
CEO - Diona
The fact that all their lawyers have worked inside businesses means they are commercial, pragmatic and know exactly how to prioritise what’s important.
COO - Squirro
Having made the decision to outsource our legal work, we have been extremely impressed by how quickly LegalEdge have quickly understood our business.
Commercial Director - The Social Element
LegalEdge understood our needs more than any traditional law firm had before: we were able to dip in and dip out of their services, they acted like a general counsel for us.
Co-Founder - Young Foodies
LegalEdge are awesome at taking complex ideas and turning them into simple contracts whilst streamlining processes to make it easy to do business.
Founder - Lola Tech, a DataArt company
The LegalEdge team just intuitively understood our business and needs, picked up the matters that needed dealing with, and ran with them.
General counsel - The Engine Group
Working with a professional squad like LegalEdge on the legal stuff means, as CFOs, we can focus on what we’re good at – the numbers!
Founder - Emergeone
LegalEdge were brilliant from start to finish in helping us to develop a proper brand strategy and implementing it.
CEO - Placemake.io
LegalEdge have been fantastic advisers to our business. Between shareholder agreements & fundraise, Trademark & IP, and commercial agreements, we deeply value their guidance.
Co-Founder - Days Brewing
Having worked closely with LegalEdge I have no hesitation in recommending them to any business requiring smart, articulate and professional legal counsel.
Founder - Low Carbon Group
Working with LegalEdge has been a breath of fresh air! They have provided a unique, entrepreneurial approach to legal services within a rapidly growing organisation.
COO and Co-Founder - hybris GmbH (now a SAP company)
The support we have received has been first class – from day one. LegalEdge have gone above and beyond to truly understand our business.
Director EMEA Operations - Stella & Dot
The ideal solution for the busy in-house counsel who is unable to add a permanent head as you have the ability to flex support without the need to rely on expensive law firms.
Vice President and EMEA Managing Counsel - World-Check [now Thomson Reuters]
LegalEdge’s experience has proven invaluable as they have picked up, negotiated and completed contracts with commercial aptitude.
Group Counsel - Funding Circle
What sets LegalEdge apart is that they focus on problem solving and keeping issues in perspective. They know and understand our business and the array of legal issues we face.
Partner - Portal Tech Reply
As our trusted go to lawyers for complex contract queries and negotiations, LegalEdge know how to focus on the things that matter and to get deals done.
Commercial Director - Connect Managed
The Oxial team was very impressed with the quality of the contracts that the LegalEdge team produced for our business and with their responsive and collaborative approach.
COO - Hammer Team & Oxial

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_32854648_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

By LegalEdge News Nov 01, 2019

Why do we need a new cookie notice?

What do our clients think?

Contact

Navigate Site

Stay In Touch