A quick guide for small business owners
I have noticed a real increase in the number of websites that have a banner asking me to accept cookies in order to use the site. I thought it would be worth outlining just what the requirements are regarding cookies on websites and what being compliant actually means. In the UK the cookie rules themselves come from the Privacy and Electronic Communications Regulations (PECR); it is the GDPR that sets the standard of consent those rules rely on.
So, first things first, and just to be clear: what are ‘cookies’?
Cookies are small pieces of data (text, not code) that a website sends to the browser when a user visits it. Software on the user’s device (for example a web browser) stores them and sends them back to the website on later requests. That is what lets a site remember what is in a shopping basket, keep a user logged in, analyse traffic to the site, or track a user’s browsing behaviour.
Cookies are widely used to make websites work, or work more efficiently, and to provide information to the owners of the site. Without cookies, or some similar mechanism, a website would have no way to ‘remember’ anything about a visitor from one request to the next, such as how many items are in their basket or whether they are logged in.
Cookies and Consent
What counts as consent?
The GDPR (Article 4(11)) defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
In practice that rules out pre-ticked boxes, ‘by continuing to browse you agree’ wording, and banners that set non-essential cookies before the visitor has done anything.
What do I need to do to comply?
The three basic rules are that you must:
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website: record the consent (typically in a cookie of its own) and honour it on later visits. If you later add new cookies or start using existing ones for a new purpose, you need to ask again.
Essential vs Non-Essential Cookies
You need consent for every non-essential cookie on your website; cookies that are strictly necessary (‘essential’) are exempt. But what counts as essential and non-essential? Unfortunately, much of what the ICO treats as non-essential is exactly what you as a website owner will most want to use. Here is a snapshot of which cookies need consent:

| Cookie is used for: | Consent or not? |
| --- | --- |
| User input, e.g. a shopping basket or completing a form | Consent not required |
| Authentication, e.g. keeping a user securely logged in to online banking | Consent not required |
| Security, e.g. cookies used to detect repeated failed login attempts | Consent not required |
| Streaming content, where providing the online content forms part of the service the user has requested | Consent not required |
| User preferences, i.e. session cookies used to store a user’s preferences | Consent not required |
| Social media tracking and plugins, e.g. share buttons, behavioural monitoring, analytics or market research | Consent required |
| Online advertising, including all third-party cookies used in online advertising, market research, product improvement and any other purpose | Consent required |
| Analytics, which provide information about how visitors engage with your service | Consent required (considered non-essential even though the data is anonymous) |
As you can see from the list, avoiding consent altogether is just not feasible if you want to comply with the law and run a website that is useful to your business.
Here’s what to do to be compliant
1. Understand what cookies are operating on your website
For WordPress sites there are lots of plugins that will do this. Some have been linked to security breaches, so make sure the one you choose is well supported and kept up to date with the latest version of WordPress. This is the one I have been using: GDPR Cookie Compliance. Whatever tool you use, check the result yourself too: open the site in a private browsing window and look at which cookies are set before you have clicked anything on the banner. The third-party ones set by embedded scripts (analytics, adverts, social buttons) are the easiest to miss.
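A way to do that inventory step by hand, as an added example rather than anything from the guide or the plugin mentioned above: the script below takes Set-Cookie headers as you would copy them from the browser’s network panel on a first visit, and lists for each cookie whether it is first- or third-party, whether it is a session or persistent cookie, and which security attributes it carries. The site hostname, cookie names and the captured headers are all constructed sample data; the classification into "likely exempt" and "review for consent" is a starting point only, and each flagged cookie still has to be judged against the table above (a basket cookie with a one-hour lifetime is flagged for review, but is still user-input and exempt).

```python
"""Cookie inventory for step 1: list what is actually set, before consent."""
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Hypothetical first-party host of the site being audited.
SITE_HOST = "www.example-shop.co.uk"

# Constructed sample data: (URL of the response, raw Set-Cookie header) as
# captured from the browser's network panel on a first visit, before anything
# on the consent banner has been clicked. Hostnames and cookie names are made up.
SAMPLE_SET_COOKIES = [
    ("https://www.example-shop.co.uk/",
     "PHPSESSID=k2j4h5; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.example-shop.co.uk/basket",
     "basket=3; Path=/; Max-Age=3600; Secure; SameSite=Lax"),
    ("https://www.example-shop.co.uk/",
     "_ga=GA1.2.111.222; Domain=.example-shop.co.uk; Path=/; Max-Age=63072000"),
    ("https://ads.example-adnetwork.com/pixel",
     "uid=9f8e7d; Domain=.example-adnetwork.com; Path=/; "
     "Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None"),
]


@dataclass
class CookieRecord:
    name: str
    set_by: str            # host of the response that set the cookie
    domain: str            # hosts the browser will send the cookie to
    party: str             # "first-party" or "third-party"
    lifetime: str          # "session" or "persistent (...)"
    secure: bool
    httponly: bool
    samesite: str          # "Lax", "Strict", "None" or "" when absent
    consent_review: bool   # True: not obviously essential, decide against the table
    security_notes: list = field(default_factory=list)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: the host is the domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(response_url: str, header: str) -> CookieRecord:
    """Turn one Set-Cookie header into an inventory record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags such as Secure get ""

    set_by = urlsplit(response_url).hostname.lower()
    # With no Domain attribute the cookie goes back only to the host that set it.
    domain = attrs.get("domain", set_by).lstrip(".").lower()
    party = "first-party" if domain_matches(SITE_HOST, domain) else "third-party"

    if "max-age" in attrs:
        seconds = int(attrs["max-age"])
        lifetime = (f"persistent ({seconds // 86400} days)" if seconds >= 86400
                    else f"persistent ({seconds} s)")
    elif "expires" in attrs:
        expiry = parsedate_to_datetime(attrs["expires"]).date().isoformat()
        lifetime = f"persistent (expires {expiry})"
    else:
        lifetime = "session"   # dropped when the browser closes

    rec = CookieRecord(
        name=name.strip(), set_by=set_by, domain=domain, party=party,
        lifetime=lifetime, secure="secure" in attrs, httponly="httponly" in attrs,
        samesite=attrs.get("samesite", ""),
        # Third-party or persistent cookies are rarely "strictly necessary";
        # the exempt rows in the table are mostly first-party session cookies.
        consent_review=(party == "third-party" or lifetime != "session"),
    )
    # Transport/security attributes are a separate question from consent, but
    # the same pass is the cheapest place to catch them.
    if not rec.secure:
        rec.security_notes.append("missing Secure: also sent over plain HTTP")
    if lifetime == "session" and not rec.httponly:
        rec.security_notes.append("session cookie readable by page scripts (no HttpOnly)")
    if rec.samesite.lower() == "none" and not rec.secure:
        rec.security_notes.append("SameSite=None without Secure: modern browsers reject it")
    return rec


def audit(set_cookies) -> list:
    """Inventory every captured Set-Cookie header."""
    return [parse_set_cookie(url, header) for url, header in set_cookies]


def report(records) -> str:
    """Plain-text table to paste into the cookie notice working document."""
    lines = []
    for r in records:
        flag = "REVIEW for consent" if r.consent_review else "likely exempt"
        lines.append(f"{r.name:<10} {r.party:<12} {r.lifetime:<32} {flag}")
        for note in r.security_notes:
            lines.append(f"{'':<10} ! {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_SET_COOKIES)))
```

On the sample data the session cookie is the only one that comes out as likely exempt; the analytics cookie is first-party but persists for two years, which is exactly why the table treats analytics as non-essential, and the advertising pixel is third-party and also carries no Secure flag. Run it against real captures by replacing SAMPLE_SET_COOKIES with the headers from your own site.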
You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent, and that consent must be actively and clearly given: a pre-ticked box, or a banner that people simply scroll past, does not count.