Are you cookie compliant?


Most retailers use cookies on their websites. If you track how users use your website, remember what’s in an online shopping basket, or use targeted advertising based on a user’s online behaviour, then you’ll be using cookies. 

Cookies and similar technologies (such as tracking pixels used to monitor responses to advertising emails) are often overlooked when checking for regulatory compliance. However, we’ve recently seen an increasing number of claims for compensation from individuals alleging that cookies have been set on their device when they visited a website in breach of the relevant cookies legislation. When you consider the number of visitors to your website, such compensation claims have the potential to be costly. You could also be reported to the UK’s data protection authority, the Information Commissioner’s Office (ICO), for breach of the UK data protection laws if cookies that process personal data are set without complying with the relevant requirements. 

So, what is a cookie and how do you comply with the law on cookies? 

Cookies are text files containing small amounts of information which a website operator or a third party, such as Google, place on a user’s device when they visit a website to collect information about the user’s visits. Typically, retail websites use analytical cookies (such as Google Analytics) to collect information about how the site is used and advertising cookies to deliver targeted advertising to users based on their browsing habits. 

The ICO has issued guidance on the use of cookies and similar technologies. This explains that in order to set cookies, users are to be given clear and comprehensive information about the purposes for which the cookies are used, and their consent obtained. These information and consent requirements apply to all cookies except “strictly necessary” cookies. This exemption is construed narrowly; an example given by the ICO is remembering purchases added to a shopping basket while a user browses the website in the same session. The exemption does not cover analytical or advertising cookies, so the information and consent requirements apply to those.

The ICO’s cookies guidance sets out the information on non-essential cookies that is to be provided to users, including the cookies used, their purposes, their duration and details of any third parties who may process information stored in or accessed from the user’s device. This information should be explained in a way that users will understand and be provided to users before they consent to cookies being set.

The consent of users to the setting of non-essential cookies is to be freely given, specific, informed and unambiguous. In practice, this means that:

  • implied consent through inaction is insufficient; 
  • continuing to use a website does not constitute consent; 
  • there can be no pre-ticked boxes or sliders set to ‘on’ as a default for the setting of cookies; 
  • there needs to be a clear affirmative action (opt-in) such as an ‘I accept’ button which is clicked by the user; 
  • the user should be given a choice whether to accept (or not) different types of cookies, such as analytical cookies or advertising cookies; 
  • no non-essential cookies can be placed on the landing page until user consent is obtained; 
  • any third party placing cookies is to be identified and an explanation provided of what they will do with the information; and
  • a user must be able to easily withdraw consent at any time and not have to visit different websites and take different actions to disable cookies. 

A cookie banner is usually used on the home page of a website to meet the information and consent requirements for the setting of non-essential cookies. This banner explains that cookies are used on the website, with a link to a cookies policy giving the required cookies information. The cookie banner typically gives the user the option to click to agree to the use of cookies, to reject them, or to manage cookies. This last option gives the user the choice to consent (or not) to different categories of cookies, such as analytics or advertising cookies. The ICO’s cookies guidance makes it clear that the “agree” option on the cookie banner cannot be emphasised or made more prominent than the other options, as this could influence users towards acceptance.

Next steps

Many websites have been in place for years and may not have been reviewed for some time. Against a background of increasing compensation claims from individuals when consent has not been obtained to the setting of non-essential cookies, we recommend:

  • conducting a cookie audit to identify the cookies used on your website and their purposes; 
  • removing any cookies which are no longer useful or used; 
  • updating your cookies policy as necessary to ensure that users are given the correct information; 
  • implementing, if necessary, a sufficiently prominent cookie banner to obtain consent to the setting of non-essential cookies;
  • implementing a cookie consent solution for users to be able to manage their preferences; 
  • ensuring that users can disable cookies easily; and
  • keeping records of consent to cookies. 
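As an added example (not from the article or the ICO guidance), the consent requirements listed above and the audit step in the Next steps expressed as a small JavaScript consent manager: nothing non-essential runs without a recorded, per-category opt-in, withdrawal is a single action, and an audit function flags cookies on the device that were set without consent. Category names, cookie names and tag names are assumptions chosen for illustration.

```javascript
// Added example, not from the article: consent-gated tag loading plus an
// audit check, modelled on the ICO requirements. Names are assumptions.
const NON_ESSENTIAL = ["analytics", "advertising"];

// Default state: nothing non-essential is on (no pre-ticked boxes), and
// recordedAt === null marks "no affirmative action taken yet".
function defaultConsent() {
  return { strictly_necessary: true, analytics: false, advertising: false, recordedAt: null };
}

// Record an explicit opt-in. `accepted` lists the non-essential categories
// the user ticked; anything not listed stays refused. The timestamp is kept
// so the consent can be evidenced later (the "keeping records" step).
function recordConsent(accepted, now = Date.now()) {
  const consent = defaultConsent();
  for (const cat of accepted) {
    if (!NON_ESSENTIAL.includes(cat)) throw new Error(`unknown cookie category: ${cat}`);
    consent[cat] = true;
  }
  consent.recordedAt = now;
  return consent;
}

// Withdrawal is one action that switches every non-essential category off.
function withdrawConsent(now = Date.now()) {
  const withdrawn = defaultConsent();
  withdrawn.recordedAt = now;
  return withdrawn;
}

// Gate check: strictly necessary is always allowed; anything else needs an
// affirmative, recorded opt-in for that specific category.
function mayLoad(consent, category) {
  if (category === "strictly_necessary") return true;
  return consent.recordedAt !== null && consent[category] === true;
}

// Run only the tags whose category is permitted; returns the names loaded.
// Each tag is { name, category, load } where load() would inject the script.
function loadPermittedTags(consent, tags) {
  return tags.filter((t) => mayLoad(consent, t.category)).map((t) => { t.load(); return t.name; });
}

// Constructed registry for the audit: cookie name -> category (from a cookie audit).
const COOKIE_REGISTRY = { basket_id: "strictly_necessary", site_analytics: "analytics", ad_targeting: "advertising" };

// Audit check: given the cookies present on the device (`name=value; ...`),
// list cookies that are unregistered or set without consent for their category.
function findUnconsentedCookies(cookieHeader, registry, consent) {
  return cookieHeader.split(";").map((kv) => kv.trim().split("=")[0]).filter(Boolean)
    .filter((name) => !(name in registry) || !mayLoad(consent, registry[name]));
}
```

Running `findUnconsentedCookies` against `document.cookie` on the landing page before any banner interaction is a quick way to catch non-essential cookies being set too early.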

The ICO’s cookies guidance gives practical advice on conducting a cookies audit and the practical steps you can take to ensure that your website is cookie compliant. 

By taking steps towards compliance, retailers can ensure that their use of cookies does not give individuals an appetite for a claim!

Dr Patricia Jones is a data protection lawyer at law firm Pannone Corporate.
