Cookie consent and privacy data laws have become tighter in the last year. What was deemed acceptable last year is far from best practice now. With more businesses coming under the spotlight for non-compliance, getting it right now is an important step for your business. In this post, we’ll detail key information around what’s expected of your site, as well as considerations for your next steps in compliance. The sooner you can start scrutinising your approach to cookie consent, the better!
What does cookie consent mean for your users?
Think of your cookie banner as a consent popup: a place where users can give or deny their consent to being tracked and/or to personal information being stored. This personal information may allow a website to identify a user, which is where the GDPR comes in. For example, if you say ‘Yes’ to cookies, you may have agreed to your on-site behaviour and information being linked to your identity and stored. It’s for this reason that cookie consent and GDPR often go hand in hand, and why people generally use the two interchangeably. But even though the two are linked, they aren’t the same thing. If the information stored is anonymous and doesn’t identify a user, it will still require a consent banner, as it’ll be working within the realms of the PECR (Privacy and Electronic Communications Regulations), rather than the GDPR.
Whilst this might seem like a lot of legislation, it’s important to remember why it all exists in the first place: to allow users to take control of their digital movements, data and information.
What’s changed around cookies and consent?
Pre-Brexit, the UK was subject to the EU GDPR (data protection for personal information), ePrivacy Directive (cookie consent) and the UK’s Data Protection Act (2018). These three components worked in conjunction to allow users to take control of how their digital data, behaviour and preferences were tracked and stored.
On 31st January 2021 (post-Brexit), the EU GDPR was no longer strictly applicable. Now businesses that deal with UK-based information and tracking have to adhere to the UK GDPR. It’s almost “word for word identical to the EU’s GDPR”, according to Cookiebot, apart from a few differences, such as its approach to intelligence, national security and immigration. The Data Protection Act (2018) is still in force, but instead of the EU’s ePrivacy Directive, the UK now adheres to the PECR. But what if you’re tracking users and/or collecting user data from the EU? Well, your site will have to adhere to the EU GDPR too.
What are the main principles you should accommodate?
The key PECR (cookie consent) principles, which are centred around digital privacy rights and security, are as follows:
tell people the cookies are there;
explain what the cookies are doing and why; and
get the person’s consent to store a cookie on their device. (Source: ICO)
First visit cookies
Firing all cookies as soon as the user lands on your site doesn’t go hand-in-hand with consent, as you’ve technically started tracking your user before they even know it’s happening. Only necessary / functional cookies should be fired when a user first lands on your page. If you’re unsure what counts as strictly necessary, check whether you can still access your site’s functionality and content without it. If yes, then it’s not a functional cookie and will require consent.
Once users consent to cookies they’ll need to renew this consent in twelve months (depending on their location), rather than every time they visit your site. It’s worth consulting a GDPR expert to review how often you’ll need users to give their consent again, as this will be specific to the location of users who visit your site.
In the event that your site is static and doesn’t have any other cookies than ‘strictly necessary’, you’ll still need a banner to show users some cookies are being dropped. However, you won’t need their consent as these cookies are essential to the functioning of your site.
Allow users to easily change their preferences
Once users choose their cookie preferences, they have the right to change them at any time. As quickly as the user can give consent, they must be able to take it away. Using a small, always-available control for this, such as a cog icon that follows the user around the site, gives them easy access to their saved preferences.
Users should also be able to opt in and out of individual cookies (excluding necessary cookies). Having the ability to toggle consent for each cookie is important in order to create a robust approach to users’ privacy and data control.
Users must understand what they’re consenting to
This is specifically related to the PECR, as users must understand what they’re consenting to through clear descriptions of what the cookies are and what they do. They must be able to view all trackers, cookies and their purpose in order to make an informed decision about what they’re agreeing to.
Users shouldn’t be forced “into a choice of accepting all or none in return for services”. If you’ve ever visited a site that says you must accept cookies otherwise you can’t view the content, they’re using a cookie wall to force you to accept tracking. Denying a service if a user declines cookies is against GDPR guidelines and can be illegal. In some cases, cookie walls are used to get users to sign up or subscribe to a service, although this approach is widely frowned upon.
Consent must be specific and unambiguous
Users must actively accept cookies being dropped. Simply continuing to use the site isn’t enough, as the user hasn’t explicitly consented to cookies being dropped. Equally, there should be a reject button, so users can actively deny tracking, and no boxes should be pre-ticked.
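To make the rules from the last few sections concrete (nothing non-essential fires before consent, no pre-ticked boxes, rejecting and withdrawing are as quick as accepting, and consent is re-asked after twelve months), here is an added example of a small consent gate in JavaScript. It is not code from the original post; the category names, the stored record layout and the twelve-month renewal window are assumptions for illustration.

```javascript
// Added example, not the post's code: category names, record layout and the
// twelve-month renewal window are assumptions for illustration.
const CATEGORIES = Object.freeze({
  necessary: { essential: true },  // may be set without consent
  analytics: { essential: false }, // needs an explicit opt-in
  marketing: { essential: false },
});
const RENEWAL_MS = 365 * 24 * 60 * 60 * 1000; // re-ask after roughly twelve months

// Starting state for the banner: no non-essential category is pre-ticked.
function defaultChoices() {
  return Object.fromEntries(Object.entries(CATEGORIES)
    .filter(([, def]) => !def.essential).map(([name]) => [name, false]));
}

// Turn the user's explicit choices into a stored record. Missing or unknown
// categories count as declined; "necessary" cannot be toggled.
function recordConsent(choices, now = Date.now()) {
  const categories = defaultChoices();
  for (const name of Object.keys(categories)) categories[name] = choices[name] === true;
  return { decidedAt: now, categories };
}

// Rejecting up front and withdrawing later are the same one-step action.
function rejectAll(now = Date.now()) { return recordConsent({}, now); }

function needsRenewal(record, now = Date.now()) {
  return now - record.decidedAt >= RENEWAL_MS;
}

// Call before setting any cookie: essential ones are always allowed; anything
// else needs a current, explicit opt-in, and no record at all means "no".
function mayDrop(category, record, now = Date.now()) {
  const def = CATEGORIES[category];
  if (!def) throw new Error(`unknown cookie category: ${category}`);
  if (def.essential) return true;
  if (!record || needsRenewal(record, now)) return false;
  return record.categories[category] === true;
}

// Load a record the site persisted (e.g. in a first-party cookie or
// localStorage); anything malformed is treated as "no decision yet".
function parseRecord(raw) {
  try {
    const r = JSON.parse(raw);
    const ok = r && typeof r.decidedAt === 'number'
      && typeof r.categories === 'object' && r.categories !== null;
    return ok ? r : null;
  } catch { return null; }
}
```

Wire `mayDrop` in front of every tag or script that sets a cookie, and show the banner again whenever `parseRecord` returns `null` or `needsRenewal` is true.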
Make auditing a part of your internal processes
As a side note, consent should be securely stored as legal documentation. For this reason, it’s important to consult a GDPR/PECR expert who understands:
how this information should be stored;
where it should be stored; and
which approach is best for your business.
What can happen if you’re not compliant?
The consequences for non-compliance vary from a formal warning to large fines. The number of prosecutions has been relatively small, but the ones that have gone to court have been costly. Vodafone Spain, for example, was fined €8.15 million after just under 200 complaints were filed against them for various shortcomings under the GDPR. As startling as this may be, it’s unlikely most businesses will feel the wrath of a non-compliance court case. In reality, businesses could expect to be given a formal warning, but that doesn’t mean you should only do the bare minimum.
Privacy and consent protect your users
It shouldn’t be a struggle for users to keep their data and digital movements safe. If you make it too complicated, your brand could be viewed negatively, giving the impression that your site is untrustworthy. Transparency and fairness are key.
Crafting your consent banner to be as user-friendly as possible, and making sure it’s updated regularly, will save you from liability further down the road. To make businesses’ lives easier, the ICO (an independent authority that upholds public information rights) has created a compliance checklist you can use when creating your own internal processes.
If you’d like to read further information from the ICO on the full requirements of compliance, they have a complete guide to the UK GDPR. To stay up to date with developments on data protection and privacy laws, the ICO also has a dedicated web page of updates.
NB: As data protection and privacy laws regularly change, this information may be out of date at the time of reading. This post is purely for information purposes and is not intended as legal advice. If you’re unsure whether your website is compliant, please consult a data protection professional for industry-related advice.