The UK General Data Protection Regulation (UK GDPR) states that, where cookies can identify an individual, they are considered to be personal data subject to the UK GDPR. Therefore, the consent that is obtained must be to the standard applied by the UK GDPR, which means it must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The consent mechanism used must give users full control over all the cookies the website sets, including any third-party cookies. Cookie banners, pop-ups, message bars or similar techniques are a popular and easy way to achieve compliance, but these cannot be unnecessarily disruptive. For example, a message box designed for display on a desktop wouldn’t affect the customer’s experience, but the message box on a mobile app could be hard to read or interact with, so the consent would be invalid.
Pre-ticked boxes or pre-approved slider boxes are inappropriate as there is no affirmative action being given by the user. Cookie walls that require users to accept the setting of cookies before they can access any of the content are also inappropriate in most circumstances, as the user has no genuine choice but to agree to the cookies.
The different types of cookies are:
Strictly necessary – these are required for the operation of the website/app. Examples include cookies to allow individuals to log in to certain areas of the website or use a shopping cart. Cookies that are strictly necessary do not require consent, but the cookie must be essential, and what is essential will be different depending on the type of website or app.
Analytical or performance cookies – these can record the number of users that visit the website and what they do on the website. They are not essential so consent must be obtained.
Functionality cookies – these recognise users when they return to a certain website so that the website can be tailored to them, e.g., by remembering their language preferences or what was in their shopping cart. They are not essential and so consent must be obtained.
Targeting cookies – these record users’ visits to the website and the pages/links they visit so that they receive targeted advertisements. They are not essential and so consent must be obtained.
If your business needs advice on data protection and compliance, to avoid any potential risks, get in touch with Sophie Brazier in our commercial team at SophieBrazier@schofieldsweeney.co.uk.