You’ve probably noticed a growing number of websites using a cookie consent platform designed to capture user consent for certain cookies. Such platforms also inform visitors of the cookies and similar tracking technologies used by the website in order to make it clear what a user would be giving consent for before these are activated. While some cookies are deemed to be strictly necessary and do not require consent, if your website uses non-essential cookies and you are not asking for consent before they are dropped on users’ devices, then you are operating your website illegally.
This article gives a brief overview of the legislation surrounding website cookie consent, explains how you collect user consent and covers the different types of cookies. We’ve also included some helpful links for further information.
What is the associated legislation?
The law around cookies (and similar technologies) is found in the Privacy and Electronic Communications Regulations (PECR) 2003, which itself is based on an EU directive from 2002. Unlike the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018, which are largely based on principles, the PECR is rule-based – this means not much is open to interpretation. Significantly, although the PECR has not changed much over time, the threshold for consent to be valid is now much higher, thanks to the GDPR. This is the bit that is catching out a lot of business owners that operate websites.
What are the different purposes of cookies?
In general, cookies are categorised as either strictly necessary or non-essential. The latter category could include functional cookies, performance-related, analytical or targeting (marketing). Only those that you consider to be strictly necessary (those required for the operation of your website) don’t need prior consent. For instance, cookies on an e-commerce website that are used to remember what’s in a shopping basket, are deemed to be strictly necessary.
Non-essential cookies are those used for purposes that are not directly involved in the delivery of the website. You might consider them essential to track customer behaviour, but unless they are necessary to make the website work in accordance with its purpose, then they are deemed non-essential.
Some cookies are used just for a single session, whereas others are persistent and may hang around for days, weeks or years. This may mean that the level of risk or exposure will vary but your legal responsibilities do not change.
What is needed?
Every website that is running non-essential cookies needs to have some mechanism that allows users to give consent for their use before they are dropped onto the user’s device. For the purpose of this article, I shall refer to this as a Cookie Consent Management Platform (CMP).
The cookie CMP should provide a permanent link to a ‘settings’ area where cookies can be activated or turned off if they had previously been set. Incidentally, if the options to run cookies are set to ‘active’ or ‘on’ when a user first arrives at your website, then the website is operating unlawfully. The reason is that one of the conditions for consent to be valid involves the user making an affirmative action to opt in or accept non-essential cookies. It follows that this action must take place before any cookies are dropped.
Why the fuss and does it matter?
Cookies are just part of the story
Hopefully, it is not a surprise to most people that data protection legislation is nothing new; the GDPR is really just an evolution of the DPA 1998. What has changed is the need for business owners to be a lot more transparent and accountable as to how they process personal data. This is the bit that requires original thought.
For anyone hoping that Brexit will make a difference, think again. The GDPR will be absorbed into UK law at the appropriate time, so little will change in the short term.
What we do at Ascentor
You must tell your website users if you set cookies and clearly explain what the cookies do and why. Some cookies are deemed strictly necessary and don’t need prior consent, but all other (non-essential) cookies do. You must obtain the user’s consent at the outset and in accordance with the requirements set out in the GDPR.
We believe that knowledge of the data protection legislation, and its application, goes a long way to making your life easier in the long run. In this respect, the cost of preparation and prevention is considerably less than the consequence of dealing with an investigation that could itself, result in a fine, enforcement action and/or possible reputational damage.
If you have any questions or concerns about how you are using cookies, please contact the team at Ascentor (using the box below) for an informal chat. You may also find the guidance on cookies by the Information Commissioner’s Office of help.
With thanks to our guest contributor, Data Protection Consultant, Phil Brown.