A quick guide for small business owners

I have noticed a real increase in the number of websites that have a banner asking me to accept cookies in order to use the site. I thought it would be worth outlining just what the requirements are regarding cookies on websites and being compliant with GDPR.

So first things first, and just to be clear: what are ‘cookies’?

Cookies are small pieces of code which online services provide when users visit them. Software on the user’s device (for example a web browser) can store cookies and use them to store and send information back to the website, for example remembering what’s in a shopping basket, logging into a website, analysing traffic to a website, or tracking users’ browsing behaviour.

Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Without cookies, or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.

Cookies and Consent

While you have always needed the consent of your website visitors to place cookies on their device, in the past the concept of ‘implied consent’ was deemed to be acceptable: by continuing to use the site, the visitor was taken to be accepting the use of cookies. All good if you are a website owner; a cookie policy somewhere on the site would do the trick.

However, the ICO’s position changed in July 2019 on the type of consent that is required before you can legitimately use non-essential cookies. The level of consent required for the use of cookies is now the same specific, informed, freely given consent that is defined within GDPR:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Essentially this means that implied consent is no longer acceptable: we need to make sure that our users actively agree to the use of cookies on our websites. We have to implement some form of ‘cookie control mechanism’ which blocks all non-essential cookies unless and until the user expressly says that it’s ok.

What counts as consent?

To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link. So just having information about the cookies you use as part of a privacy policy that is hard to find and maybe difficult to understand is not gaining consent from your users. To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do.

What do I need to do to comply?

The three basic rules are that you must:

  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.

As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website.

Essential vs Non-Essential Cookies

You need to get consent for all non-essential cookies on your website; cookies considered to be essential are exempt from this rule. But what is considered essential and non-essential? It would appear that what the ICO considers to be non-essential is probably what you as a website owner will definitely want to have. Here’s a snapshot of which cookies need consent:

Cookie is used for | Consent required?
User input, e.g. a shopping basket or completing a form | Not required
Authentication, e.g. ensuring security for online banking | Not required
Security, e.g. cookies used to detect repeated failed login attempts | Not required
Streaming content, where providing online content forms part of the service that the user has requested | Not required
User preference, e.g. session cookies used to store a user’s preference | Not required
Social media tracking and plugins, e.g. online advertising, behavioural monitoring, analytics or market research | Required
Online advertising, including all third-party cookies used in online advertising, market research, product improvement and any other purpose | Required
Analytics, providing information about how visitors engage with your service | Required (considered non-essential even though the data is anonymous)

As you can see from the list, running a website that is useful to your business without obtaining consent is just not feasible if you want to comply with the law.

Here’s what to do to be compliant

1. Understand what cookies are operating on your website

2. Set up and publish a cookie policy that details clearly what cookies you are using. There are various online options/ templates to help you to do this, where you can add the functions you are using and the document is automatically generated. For example https://www.cookiepolicygenerator.com/

3. Add a banner to your website that allows your visitors to give consent or not and also link it to your privacy and cookie policy.

For WordPress sites there are lots of plugins available to do this. Some have been linked to security breaches, so make sure that the one you choose is well supported and up to date with the latest version of WordPress. This is the one I have been using: GDPR Cookie Compliance
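The ‘cookie control mechanism’ described earlier, and steps 1 to 3 above, boil down to one piece of logic: keep an inventory of the cookies you set, classify each as essential or non-essential, and refuse to set (or actively remove) any non-essential cookie until the visitor has opted in to its category. The code below is an added illustration of that logic, not code from the original post or from any of the plugins mentioned. The cookie names, the category labels, the consent-record format and the in-memory CookieJar are all assumptions made for the example; in a real site the jar would wrap document.cookie and the registry would list the cookies your site actually sets.

```javascript
// Added example (not from the original post): a minimal consent gate that
// blocks non-essential cookies until the visitor gives an explicit opt-in.
// Cookie names, categories and the storage abstraction are assumptions.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the consent record
const CONSENT_VERSION = 1;               // bump this when the cookie policy changes

// Step 1 of the guide: an inventory of the cookies the site sets, classified
// using the essential / non-essential split from the table above.
const COOKIE_REGISTRY = {
  session_id: { category: "essential",   purpose: "Keeps the visitor logged in" },
  basket:     { category: "essential",   purpose: "Remembers the shopping basket" },
  _ga:        { category: "analytics",   purpose: "Analytics (constructed example)" },
  ad_id:      { category: "advertising", purpose: "Third-party advertising (constructed)" },
};
const NON_ESSENTIAL = new Set(["analytics", "advertising"]);

// Tiny in-memory cookie jar so the logic runs outside a browser; replace
// get/set/remove with document.cookie handling on a real page.
class CookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar) { this.jar = jar; }

  // Parse the stored consent record. Anything missing, malformed or written
  // under an older policy version counts as "no consent", the safe default.
  consent() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec.version !== CONSENT_VERSION) return null;
      if (typeof rec.categories !== "object" || rec.categories === null) return null;
      return rec;
    } catch { return null; }
  }

  // Called when the visitor acts on the banner. Categories not explicitly set
  // to true default to false: no pre-ticked boxes, consent is a positive action.
  recordConsent(choices) {
    const categories = {};
    for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true;
    const rec = { version: CONSENT_VERSION, categories, at: new Date().toISOString() };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(rec));
    this.enforce();
    return categories;
  }

  // Withdrawing consent must be as easy as giving it: drop the record and
  // remove any non-essential cookies already present.
  withdrawConsent() {
    this.jar.remove(CONSENT_COOKIE);
    return this.enforce();
  }

  // Essential cookies are always allowed; non-essential ones only with consent
  // for their category. Cookies missing from the registry are treated as
  // non-essential, so an unclassified cookie is never silently allowed.
  allowed(name) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) return false;
    if (!NON_ESSENTIAL.has(entry.category)) return true;
    const rec = this.consent();
    return rec !== null && rec.categories[entry.category] === true;
  }

  setCookie(name, value) {
    if (!this.allowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Remove every cookie that is not currently allowed. This also catches
  // cookies written before the gate ran, e.g. by a third-party tag.
  enforce() {
    const removed = [];
    for (const name of this.jar.names()) {
      if (name === CONSENT_COOKIE) continue;
      if (!this.allowed(name)) { this.jar.remove(name); removed.push(name); }
    }
    return removed;
  }

  // Show the banner whenever there is no valid consent record.
  needsBanner() { return this.consent() === null; }
}

// Walk through a visit: first load, a stray third-party cookie, an opt-in to
// analytics only, then withdrawal. Returns the observations for checking.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  const r = {};
  r.bannerOnFirstVisit = gate.needsBanner();
  r.essentialBeforeConsent = gate.setCookie("session_id", "s123");
  r.analyticsBeforeConsent = gate.setCookie("_ga", "GA1.1.example");
  jar.set("ad_id", "adv-42");                 // constructed: tag bypassed the gate
  r.removedOnEnforce = gate.enforce();
  r.choices = gate.recordConsent({ analytics: true });
  r.analyticsAfterConsent = gate.setCookie("_ga", "GA1.1.example");
  r.adsAfterConsent = gate.setCookie("ad_id", "adv-42");
  r.bannerAfterConsent = gate.needsBanner();
  gate.withdrawConsent();
  r.cookiesAfterWithdrawal = jar.names();
  return r;
}

console.log(demo());
```

Two design choices are worth noting. Unknown cookies are refused rather than allowed, so a cookie nobody has classified cannot quietly slip through as ‘essential’; and enforce() runs both after consent is recorded and after it is withdrawn, because a third-party script may well have written its cookie before your gate loaded.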

In summary

You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.

Further Reading and Sources

https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/

GDPR: Cookies, notifications and consent – a 2019 update