Fladgate’s quick guide to the law on website cookies

31 October 2019

1. What are cookies and what this note covers

1.1 Cookies are small files which a website can, through an internet browser, leave on a user’s device, and to then be used to extract information about the user or their system.

1.2 In many cases, cookies are simply tools to let the website do its job – for example remembering a shopping basket, or remembering user preferences.

1.3 But other cookies are less functional, and will for example be designed to tailor advertising on the site, other sites, or the user’s social media. Cookies can be ‘first party’ (set by the website owner) or ‘third party’ (set by other parties, e.g. advertising providers).

1.4 The GDPR and PECR rules cover cookies, but also similar technologies, such as device fingerprinting, scripts, tracking pixels and plugins. We will refer to them all as ‘cookies’ in this note, for the sake of brevity.

2. Why existing cookie notices/policies might no longer comply

Primarily because what the law says is (and is not) valid consent to cookies has changed. In addition the Information Commissioner’s Office (ICO) has changed its guidance on cookies.

3. What does the law now say?

3.1 It says that websites cannot use cookies unless:

3.1.1 the user has been given ‘clear and comprehensive’ information about the purposes of the cookies;
and

3.1.2 the user has given their consent to the cookies (even if no personal data is collected).

3.2 The exceptions to these requirements are for cookies which are ‘essential’, i.e.:

3.2.1 if the cookies are for the purpose of carrying out electronic communication; or

3.2.2 if the cookies are ‘strictly necessary’ for the provision of an e-commerce service to the user.

The best example of 3.2.2 is the basket cookie used for online retail.

3.3 We will look at each of these in a bit more detail below. The good news is that once you have complied, you do not need to repeat the exercise with repeat visitors, unless your cookies, or policies about them, change.

4. ‘Clear and comprehensive Information’

4.1 The ICO says the obligation to provide information means you have to set out:

4.1.1 what cookies will be set;

4.1.2 what the cookies will do and what the information is used for; and

4.1.3 how long they will last

and that this information needs to be set out in as user-friendly a way as possible. This means avoiding legalese or anything over-technical. The ICO recognises that it may be sensible to provide a broad description for a category of cookies, rather than a huge list with a very small, technical description.

4.2 You should specify if you are using third party cookies and identify the third parties involved.

4.3 Because of the rules about consent (see below), the information needs to be separate from other material – it cannot be buried in website terms.

5. Consent

5.1 The big change is that consent must now meet GDPR standards . That means that it must be:

5.1.1 unambiguous;

5.1.2 a positive affirmation;

5.1.3 freely given;

5.1.4 specific; and

5.1.5 informed.

5.2 If you have not provided sufficient information (as set out above), then you will not have got effective consent to set the cookie, because it will not be ‘informed’.

5.3 The consent rules trigger some practical implications for non-essential cookies:

5.3.1 Your site cannot place non-essential cookies as soon as a visitor lands (anywhere in your site). The cookies can only be released if/once visitors consent.

5.3.2 You cannot imply consent by the user continuing to access the site, nor simply because their browser permits cookies.

5.3.3 You must have a notice on the site that requires users to consent, and you cannot pre-check the consent box.

5.3.4 You must allow users to easily decline non-essential cookies, and this means that you must include a tool for this purpose (not simply point the user to their browser settings) which gives the user the genuine choice of which cookies they allow and which they do not.

5.3.5 You cannot effectively deny the user access the site if they decline non-essential cookies. If you want to make specific content available only to users who have accepted cookies, then this needs to be justified.

6. Essential cookies

6.1 Although the exception for essential cookies applies to both the information and consent requirements, it is regarded as good practice to still provide users with information about essential cookies, even if they are not given the option to decline them.

6.2 The test for what is ‘essential’ is narrow: the cookie must be ‘strictly necessary’ for provision of the service. Not nice to have or useful; if the service can be provided without, then the cookie is not essential.

7. What next?

7.1 The law may change – the EU is discussing proposals, but in the UK these may not apply post-Brexit and, in any event, there is likely to be a 2 year implementation period.

7.2 So, discuss this note with your website providers (internal or external), make sure you know what cookies are being used on your site, and make sure you comply with the rules summarised above.

 

October 2019

 

i The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)

ii ICO Guidance https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/

iii The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (S.I. 2011/1208)