Cookie ban(ner)

For a long time organisations have been very generous with their cookies. Website and app owners have been setting cookies on our devices, often without us even realising. But most cookies require the device user’s prior consent; set without it, they are unlawful. Read on to find out when you need consent to set cookies and when you don’t.

By Claire Heaphy

The Privacy Compliance Hub Information Officer

March 2020

Cookies are small text files which are downloaded onto devices such as computers, smartphones and other connected devices when a website, web browser or app is accessed. They enable websites to work, can allow them to operate more effectively and provide information to website owners. Many organisations have been relying on implied consent, and on default settings switched to ‘on’, to set cookies on people’s devices. This does not meet the strict definition of ‘consent’ in the GDPR. Organisations must have valid consent to set cookies or leave themselves open to fines.

Cookie law 

The law on cookies is primarily governed by the Privacy and Electronic Communications Regulations 2003 ‘PECR’.  In addition, if the use of cookies involves processing personal information, the GDPR applies to that processing.  Note that PECR must be complied with for all cookies whether they involve processing personal information or not.

PECR does not prohibit the use of cookies or similar technologies but before they are placed on people’s devices it demands that the subscriber or user of the device has:

  • been provided with clear and comprehensive information about the cookie; and
  • given their consent (which must meet the strict GDPR standard).

However, there are two exemptions to this rule.  Read on. 

Strictly necessary  

PECR contains two exemptions where consent to set cookies is not required.  These are where the cookie is either:

  • for the sole purpose of transmitting a communication over an electronic network; or
  • strictly necessary for the provision of the service requested by the subscriber or user.

The second exemption is very important, and its test is simple. Only cookies which are essential to provide the service the user has asked for are exempt, eg. login cookies or those required to remember what’s in an online shopping basket. The test is interpreted narrowly and from the point of view of the user, not the organisation. An organisation may regard analytics cookies as essential to the running of its website, but they are not essential to provide the service to the user: the service can still be provided without them, so they are not ‘strictly necessary’.

All other types of cookies eg. analytics, marketing and advertising cookies, are deemed non-essential cookies and must have GDPR quality consent following the provision of clear and comprehensive information before they are set on a device.  The ICO has a useful tool to help determine whether consent is required for cookies.

At The Privacy Compliance Hub we are passionate about making the GDPR, data protection, privacy (whatever you choose to call it) as simple and engaging as possible.  Here, our very own Privacy Guy introduces the first of our Eight Privacy Promises.


Cookie audit  

To check whether consent is required to set cookies and what information to give users if it is, organisations first need to identify and understand what type of cookies they use or are proposing to introduce.  A cookie audit should be undertaken and results and decisions documented. This exercise should be carried out periodically as cookie usage (particularly of third party cookies) is likely to change over time.
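A cookie audit starts with an inventory of what is actually being set. As an added example that is not part of the original article, the script below builds that inventory from captured Set-Cookie response headers: for each cookie it records who set it, its domain and path, its lifetime, its security attributes and whether it is first- or third-party, then joins each cookie to a documented decision so that anything nobody has classified is flagged. The site host, the captured headers and the decisions table are all constructed for the example.

```javascript
// Added example (not from the original article): a first pass at a cookie audit
// built from captured Set-Cookie response headers. For each cookie it records
// who set it, its scope and lifetime, and whether it is first- or third-party,
// then checks that a documented decision exists for it. The captured headers,
// the site host and the decisions table are all constructed for the example.

const SITE_HOST = 'www.example.com';                     // site under audit (assumed)
const CAPTURE_TIME = Date.parse('2024-01-01T00:00:00Z'); // when the headers were captured

// [responding host, Set-Cookie header value] pairs, constructed for the example.
const CAPTURED = [
  ['www.example.com', 'sessionid=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['www.example.com', 'basket=item42; Path=/; Max-Age=604800; Secure; SameSite=Lax'],
  ['www.example.com', 'site_stats=u1; Path=/; Domain=.example.com; Expires=Wed, 01 Jan 2025 00:00:00 GMT'],
  ['ads.tracker-example.net', 'adid=x7; Path=/; Max-Age=31536000; Secure; SameSite=None'],
];

// The audit's documented decisions, keyed by cookie name (constructed).
// Any cookie seen in the capture but missing here is flagged as undocumented.
const DECISIONS = {
  sessionid: { exempt: true, reason: 'login session, strictly necessary' },
  basket: { exempt: true, reason: 'remembers shopping basket, strictly necessary' },
  site_stats: { exempt: false, reason: 'analytics, needs opt-in consent' },
};

// Registrable domain taken as the last two labels. Good enough for the .com/.net
// hosts used here; a real audit should use the Public Suffix List (eg. co.uk).
function registrableDomain(host) {
  return host.replace(/^\./, '').split('.').slice(-2).join('.');
}

function parseSetCookie(respondingHost, header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const rec = {
    name: pair.slice(0, eq),
    setBy: respondingHost,
    domain: respondingHost, // default scope is the responding host
    path: '/',
    persistent: false,      // no Max-Age/Expires means a session cookie
    lifetimeSeconds: 0,
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  let sawMaxAge = false;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    switch (key) {
      case 'domain': rec.domain = val.replace(/^\./, ''); break;
      case 'path': rec.path = val; break;
      case 'max-age':
        sawMaxAge = true; rec.persistent = true; rec.lifetimeSeconds = Number(val); break;
      case 'expires':
        // Max-Age wins over Expires when both are present (RFC 6265).
        if (!sawMaxAge) {
          rec.persistent = true;
          rec.lifetimeSeconds = Math.round((Date.parse(val) - CAPTURE_TIME) / 1000);
        }
        break;
      case 'secure': rec.secure = true; break;
      case 'httponly': rec.httpOnly = true; break;
      case 'samesite': rec.sameSite = val; break;
    }
  }
  rec.thirdParty = registrableDomain(rec.domain) !== registrableDomain(SITE_HOST);
  return rec;
}

// Build the audit: one record per cookie, joined to the decisions table.
function auditCookies(captured, decisions) {
  return captured.map(([host, header]) => {
    const rec = parseSetCookie(host, header);
    const decision = decisions[rec.name];
    rec.decision = decision ? decision.reason : 'UNDOCUMENTED: classify before go-live';
    rec.needsConsent = decision ? !decision.exempt : null; // null = not yet decided
    return rec;
  });
}

// Usage: console.table(auditCookies(CAPTURED, DECISIONS));
```

Re-running this over a fresh capture is the periodic check the paragraph calls for: a new third-party cookie, or one that has grown from a session cookie into a year-long one, shows up as a new or changed row, and a cookie with no entry in the decisions table is the gap to close before the banner text is written.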

How to get valid consent to cookies 

Valid consent to set cookies must be: freely given; specific; informed; and an unambiguous indication of the individual’s wishes.  This means:  

  • implied consent, eg. continuing to browse, is not valid.  Nor is setting non-essential cookies by default. Individuals must take positive action to consent, ie. opt-in consent;
  • use of pop-ups, banners or splash pages will not result in valid consent if users choose to ignore them and click through to other parts of the website;
  • use of pre-ticked consent boxes or sliders defaulted to ‘on’ is not valid consent;
  • browser settings cannot be relied on for consent as it cannot be assumed that individuals know how to set them to reflect their cookie preferences;
  • blanket cookie walls (pop-ups which deny access to an entire website unless the visitor consents to all cookies) are not allowed, as consent would not be freely given;
  • cookies must not be set on landing pages before individuals consent;
  • consent requests must not be bundled into general terms and conditions; 
  • people must be told they can withdraw consent at any time and how; and
  • users must not be prevented from accessing websites if they don’t consent to non-essential cookies.
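Several of the points above are really requirements on the website’s own code: nothing non-essential is set before the user acts, the default for every non-essential category is off, only an affirmative action counts, and withdrawal removes what was set. The example below, added here and not part of the original article, shows one way to enforce those rules at the point where cookies are written. The cookie store is injected so the code runs in Node; in a browser you would pass an object that reads and writes document.cookie. The category names and the action labels are assumptions for the example.

```javascript
// Added example (not from the original article): a consent gate that applies the
// opt-in rules listed above at the point where cookies are set. The cookie jar is
// injected so this runs outside a browser; category and action names are assumed.

const ESSENTIAL = 'essential';                     // always allowed: login, basket
const NON_ESSENTIAL = ['analytics', 'marketing'];  // require explicit opt-in

// In-memory stand-in for the browser cookie store (constructed for the example).
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value, opts) => store.set(name, { value, ...opts }),
    get: (name) => store.get(name),
    remove: (name) => store.delete(name),
    names: () => [...store.keys()],
  };
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    // Default: every non-essential category is OFF. Nothing is pre-ticked.
    this.consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    this.record = null; // evidence of what was consented to, when and how
  }

  // Only an affirmative action on the consent control counts. Scrolling,
  // clicking through to another page or ignoring the banner is not consent.
  grant(categories, action) {
    if (action !== 'click-accept' && action !== 'click-save') return false;
    for (const c of categories) {
      if (NON_ESSENTIAL.includes(c)) this.consent[c] = true;
    }
    this.record = { categories: [...categories], action, at: new Date().toISOString() };
    return true;
  }

  // Withdrawal must be available at any time: clear the flag and delete any
  // cookies already set in that category.
  withdraw(category) {
    this.consent[category] = false;
    for (const name of this.jar.names()) {
      if (this.jar.get(name).category === category) this.jar.remove(name);
    }
  }

  allowed(category) {
    return category === ESSENTIAL || this.consent[category] === true;
  }

  // Set a cookie only if its category is allowed; returns whether it was set.
  setCookie(name, value, category) {
    if (category !== ESSENTIAL && !NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (!this.allowed(category)) return false;
    this.jar.set(name, value, { category });
    return true;
  }
}

// Walk-through: landing page before any interaction, then opt-in, then withdrawal.
function demo() {
  const gate = new ConsentGate(memoryJar());
  const beforeConsent = {
    session: gate.setCookie('sessionid', 'abc123', ESSENTIAL),      // set: essential
    analytics: gate.setCookie('analytics_id', 'u1', 'analytics'),   // refused: no consent
    scrollCounted: gate.grant(['analytics'], 'scroll'),             // refused: not an action
  };
  gate.grant(['analytics'], 'click-save');                          // user opts in to analytics only
  const afterOptIn = gate.setCookie('analytics_id', 'u1', 'analytics');
  const marketingStillBlocked = gate.setCookie('ad_id', 'x7', 'marketing');
  gate.withdraw('analytics');
  const afterWithdraw = {
    analyticsRemoved: gate.jar.get('analytics_id') === undefined,
    refused: gate.setCookie('analytics_id', 'u1', 'analytics'),
    sessionKept: gate.jar.get('sessionid') !== undefined,
  };
  return { beforeConsent, afterOptIn, marketingStillBlocked, afterWithdraw };
}
```

The important property is that every write goes through setCookie, so a tag or script cannot bypass the gate simply because it loaded on the landing page. The consent record kept by grant is what lets the organisation show, later, which categories a user agreed to and by what action.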

Remember, people are more likely to consent to non-essential cookies if they understand what they will be used for and are given full control over the setting of the cookies.  Organisations which use the Privacy Compliance Hub understand how to obtain valid consent.

“We weighed up all the pros and cons, ease of use, quality of service and content. We found the sweet spot with the Privacy Compliance Hub”. Jacob Herandi, Wayhome.


A culture of continuous privacy compliance

In our view, the very best way to ensure that your business understands its obligations under the GDPR (including ensuring a legal basis such as consent for processing) is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with the GDPR and other privacy rules. It contains everything that you need.
