In recent years cookies have become something that we’re all more aware of. Lots of websites present users with cookie information as soon as they load the website. In this post we talk about the types of web cookies, what to do and what not to do when you set up a cookie banner on your site. You may have seen Cookies make the news recently when Oliver Dowden, Secretary of State for Digital, Culture, Media and Sport, hinted at plans for the future of cookies.
Love it or hate it, website owners need to follow certain rules regarding cookies to ensure users are well informed. If they don’t, they could face formal action from the regulator, the Information Commissioner’s Office (ICO) in the UK. Facing formal action is not an empty threat. Recent fines both Google and Amazon have received from the French Data Protection Authority, the CNIL, prove this.
Let’s begin by discussing what a cookie is. When a user goes onto a website, a small text file is downloaded onto their device (known as the ‘terminal equipment’), this is a cookie. Cookies can do various things. They can recognise the device a user is on, analyse website traffic, track browsing behaviour and remember what a user put in their basket.
There are a few different types of cookies, which are known as session, persistent and first or third party.
Session and Persistent Cookies
Whether a cookie is known as a ‘session cookie’ or a ‘persistent cookie’ depends on when they expire. If a cookie expires once the user finishes their browser session, this is a ‘session cookie’. If it continues after a browser has been closed, this is known as a ‘persistent cookie’ as it will stay on the users device after they leave the website.
First and Third Party Cookies
A cookie can also be ‘first-party’ or ‘third-party’. A first-party cookie refers to a cookie set by the website which the user is on, whereas a third-party cookie is set by another website. Third-party cookies could include adverts and images from an external site.
Website owners need to understand what the law requires of them regarding cookies. The main applicable law in this area is the Privacy and Electronic Communications Regulations, which is known as PECR. PECR requires that website owners must state what cookies there are and what they do. They must also gain the user’s consent to store cookies on their device.
As with lots of laws, it’s not completely black and white, there are exemptions when consent is not required. One of these is the ‘communication’ exemption. This is where the cookies are necessary for the transmission of a communication. The other exemption is the ‘strictly necessary’ exemption which allows the website owner to not gain consent when the cookies are essential to what the user has requested. An example of this is when a user adds items to their online shopping basket.
Although the law may seem quite straight forward, putting it into practice can be difficult, not all website owners get it right. Here are a few things to avoid:
1) A pop-up banner or message which is designed for desktop and is difficult for a user on a mobile advice to access.
2) A cookie wall which doesn’t allow access without consenting to the cookies. This consent would not be freely given.
3) Any requests for consent where the ‘accept’ button is more prominent than the ‘reject’ button, or the cookies can only be rejected by clicking on a ‘more information’ button.
4) Automatically administering cookies to the user’s device before they have had the opportunity to provide consent.
If a user can see that a website owner is taking their legal responsibilities seriously and giving the user a real choice about cookies that are stored on their device, this enhances trust and confidence in the website, as well as avoiding formal action from the regulator, which can be as serious as monetary penalties.
Data Protection Advisor