You are contacting
26 June 2020
What are cookies?
Cookies are small text files made up of letters and numbers, and which are downloaded onto the devices of visitors to a website. They enable the website to remember information regarding those visitors’ activities on the site (such as remembering the contents of shopping baskets or identifying a visitor who has navigated to the site previously). They are also commonly used to target advertising at website visitors depending on browsing history or other preferences.
What are the latest requirements?
The law on cookies as it stands currently derives from 2011 amendments to the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR). Under the PECR, operators of websites that set cookies on users’ devices must inform users of the presence of those cookies and explain what those cookies do and why. This is usually set out in a website’s cookie notice.
The PECR additionally require that websites only set cookies on visitors’ devices in one of two circumstances:
In practice, this means that many cookies commonly set by websites, such as analytics cookies, social media plug-ins, adtech cookies, and cookies tracking interactions with marketing emails that link to webpages will need to be consented to before they can be set. It also means that, once consent to those cookies has been obtained, website visitors must be able at any time to withdraw that consent as easily as they gave it.
What this means your website cannot do
The above means that pre-ticked boxes or equivalent devices (such as sliders defaulted to ‘on’) must not be used for cookies that are not strictly necessary, and that visitors must have control over any such non-essential cookies. Non-essential cookies cannot be automatically set on landing pages before consent has been obtained from the website visitor. Despite the ICO’s guidance, many websites remain non-compliant with this requirement and continue to set analytics cookies without having first explained what these are in a clear way and having provided an opportunity for visitors to consent to them.
Some websites have attempted to address this by implementing cookie banners that state that consent is impliedly given if visitors continue to browse the website. This is unlikely to represent valid consent under the new GDPR standard. Cookie walls that block users from accessing the site entirely before they consent to cookies are also problematic, since it is difficult to demonstrate that consent has been freely given and is specific to certain cookies.
It should also be noted that the ICO is not sympathetic to ‘nudging’ techniques designed to spur visitors into selecting particular options for cookies (for example, by making an ‘Accept all cookies’ button much bigger or brighter than a button that allows visitors to reject certain cookies or manage their cookie preferences).
Ensuring cookie compliance
If your website doesn’t meet the requirements described above, now is the time to undertake an audit of the cookies it uses. Not only will this allow you to verify whether there are any cookies not covered by your existing cookies notice, but you will also then be in a position to determine which are strictly necessary for your website’s operation and which are non-essential and require visitors’ consent. Mechanisms can then be put in place to obtain this consent in a fair and transparent manner. Our data privacy team can advise on solutions to implementing these mechanisms, as well as reviewing and redrafting cookie notices.
26 June 2020
You are contacting