Cookies and similar technologies (such as tracking pixels used to monitor responses to advertising emails) are often overlooked when checking for regulatory compliance. However, we’ve recently seen an increasing number of claims for compensation from individuals alleging that cookies have been set on their device when they visited a website in breach of the relevant cookies legislation. When you consider the number of visitors to your website, such compensation claims have the potential to be costly. You could also be reported to the UK’s data protection authority, the Information Commissioner’s Office (ICO), for breach of the UK data protection laws if cookies that process personal data are set without complying with the relevant requirements.
So, what is a cookie and how do you comply with the law on cookies?
Cookies are text files containing small amounts of information which a website operator or a third party, such as Google, place on a user’s device when they visit a website to collect information about the user’s visits. Typically, retail websites use analytical cookies (such as Google Analytics) to collect information about how the site is used and advertising cookies to deliver targeted advertising to users based on their browsing habits.
The ICO’s cookies guidance sets out the information on non-essential cookies that is to be provided to users including the cookies used, their purposes, duration and details of any third parties who may process information stored in or accessed from the user’s device. This information should be explained in a way that users will understand and be provided to users before they consent to cookies being set.
The consent of users to the setting of non-essential cookies is to be freely given, specific, informed and unambiguous. In practice, this means that:
- implied consent through inaction is insufficient;
- continuing to use a website does not constitute consent;
- there can be no pre-ticked boxes or sliders set to ‘on’ as a default for the setting of cookies;
- there needs to be a clear affirmative action (opt-in) such as an ‘I accept’ button which is clicked by the user;
- the user should be given a choice whether to accept (or not) different types of cookies, such as analytical cookies or advertising cookies;
- no non-essential cookies can be placed on the landing page until user consent is obtained;
- any third party placing cookies is to be identified and an explanation provided of what they will do with the information; and
- a user must be able to easily withdraw consent at any time and not have to visit different websites and take different actions to disable cookies.
Many websites are historic and may not have been reviewed for some time. Against a background of increasing compensation claims from individuals when consent has not been obtained to the setting of non-essential cookies, we recommend:
- conducting a cookie audit to identify the cookies used on your website and their purposes;
- removing any cookies which are no longer useful or used;
- updating your cookies policy as necessary to ensure that users are given the correct information;
- implementing, if necessary, a sufficiently prominent cookie bar to obtain consent to the setting of non-essential cookies;
- implementing a cookie consent solution for users to be able to manage their preferences;
- ensuring that users can disable cookies easily; and
- keeping records of consent to cookies.
The ICO’s cookies guidance gives practical advice on conducting a cookies audit and the practical steps you can take to ensure that your website is cookie compliant.
Dr Patricia Jones is a data protection lawyer at law firm Pannone Corporate.
Further reading from Pannone Corporate
Take a look at these fantastic articles from Pannone Corporate:
It’s all in the domain
How to win friends (followers) and influence people
Melanie is a partner at law firm, Pannone Corporate, and works as part of the Intellectual Property Dispute Resolution team. She specialises in the resolution of disputes relating to intellectual property, reputation management, advertising, data protection, social media and trade libel.
Her focus is on the enforcement and protection of clients’ intellectual property and reputation, as well as brand strategy and management. She has particular experience in retail, fashion, manufacturing, technology, media and the creative industries.
Melanie is a member of the Chartered Institute of Trade Mark Attorney and the Licensing Executives Society.
For more information, visit https://pannonecorporate.com.