Getting cookie consent

If you’re not getting consent, your website may not be compliant

Maygen Jacques
Code Enigma
Jul 15, 2020

Defining what a cookie is

A cookie is a small file that is downloaded to your computer when you access a website. If you accept it, it remembers the device you used and stores information about your preferences and behaviour as you navigate the site. There are rules that websites must follow to comply with what is called the Cookie Law.

What are the rules?

Your website must:

  • Notify people that cookies are present
  • Clearly detail what the cookies are going to do and why
  • Gain the website users’ consent to store that cookie on their device

Your user doesn't need to do this each time they visit your site; they simply need to accept cookies the first time they get the notification. That is unless they are using incognito/private browsing modes.

Multiple people in the same household, for example, have access to the same devices. If there’s a chance that you’re dealing with multiple users, it might be wise to repeat the process at given time periods.

If your cookie policy changes, you should also inform your users and regain their consent.

Is it just about cookies?

The Cookie Law covers anyone storing user information or information about their device.

This applies to things like Local Shared Objects (known as Flash cookies) and might extend to other technologies, such as smartphones, smart TVs, smartwatches, tablets and even apps.

Spyware, or any covert software used for surveillance that downloads to a device to track a user’s activity without them knowing, is prohibited.

What do you tell your users?

There is no template as to what you should tell your users because your cookie use will be different. The requirement is that you provide transparent and understandable information about what you are doing with the cookie, the users’ information and why. You should explain how your cookies work and that explanation itself should be easily accessible. If your users cannot easily understand your cookie use, you could face a fine. You must consider the language and use the appropriate level of detail for your audience.

This is incredibly similar to the GDPR transparency requirement regarding privacy notices.

What is consent?

Consent has to be given freely. It must be informed and specific to what the data will be used for. There should be no level of ambiguity and consent must be given through positive action. This includes clicking a link or ticking a box. This should clearly indicate that the user has given you their consent.

You cannot claim consent if your cookie information is hard to find, overly complex or rarely seen by your users. You cannot place any non-essential cookies on your homepage prior to gaining user consent.

Consent doesn’t have to be explicit. As we’ve said, though, it does need to be given via positive action. You have to be completely confident that your user understands how their actions relate to the cookies they’re consenting to. Some sites treat consent as implied when the user simply continues to use the site, but this is not sufficient. Consent should be given freely, and your user should be able to easily disable any non-essential cookies.

Specific care should be given to informing your user about the more intrusive cookies, namely, those collecting personal data revolving around their behaviour or things like financial or health data. The ICO are particularly stringent about this.


Do I need consent from subscribers?

Yes.

You may not know the difference when they land on your website, but you will know if you have consent or not.

There are blurred lines on which takes precedence. If your subscriber or user has previously given consent, but the current user of that device does not give consent, you’ve got a conflict. And, as we said, in households this could happen. Consent therefore follows the most recent choice. This means always respecting the current user’s preference, even where you’re not sure whether they’re a subscriber who has expressed different preferences before.

Is this always the case?

Not always. Consent is not needed in two cases:

  • If the cookie is explicitly for carrying out a communication transmission over an electronic comms network, or
  • If the cookie is needed for providing an ‘information society service’, namely, a service provided over the internet that is requested by the user (or subscriber).

If that doesn’t mean much to you, the real-world examples are more helpful. You are unlikely to need consent for:

  • Cookies that enable the site to remember the goods someone wanted to purchase by adding them to their basket or proceeding to checkout.
  • Session cookies that provide essential security to comply with any data protection requirements for their online service. Think online banking.
  • Load-balancing cookies that load the content of your page quickly by spreading the workload over several computers.

What about anonymous data?

Yes, it all still applies.

Cookies processing personal data carry greater security risks than those handling anonymous data, but the law applies to all cookies.

If the cookie data isn’t anonymous, you also have to consider the DPA and GDPR.

You might need to think about whether you could actually use anonymous data instead, as a means of complying with the data protection requirement that personal data be adequate, relevant and not excessive. This is relevant if you’re not using the data to provide a service to that user, for example if you simply want to know the number of visitors to your site but nothing personal about them.

Hope that whistlestop tour on cookies helps!

We’ve been working hard to ensure we’re constantly respecting the privacy of the data we hold; you can find out more about that here, or you can contact us to discuss your own needs.
