Are your website cookies compliant?

20th June 2023

A cookie is a small file of letters and numbers that is downloaded on to a computer or mobile device when a user visits a website or a mobile app. The rules on cookies are covered by the Privacy and Electronic Communications Regulations 2003 (PECR) which state that organisations who use cookies must obtain consent to store cookies on users’ devices.

The UK General Data Protection Regulation (UK GDPR) states that, where cookies can identify an individual, they are considered to be personal data subject to the UK GDPR. Therefore, the consent that is obtained must be to the standard applied by the UK GDPR, which means it must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The consent mechanism used must give users full control over all the cookies the website sets, including any third-party cookies. Cookie banners, pop-ups, message bars or similar techniques are a popular and easy way to achieve compliance, but these cannot be unnecessarily disruptive. For example, a message box designed for display on a desktop wouldn’t affect the customer’s experience, but the same message box on a mobile app could be hard to read or interact with, so the consent would be invalid.

Pre-ticked boxes or pre-approved slider boxes are inappropriate as there is no affirmative action being given by the user. Cookie walls that require users to accept the setting of cookies before they can access any of the content are also inappropriate in most circumstances, as the user has no genuine choice but to agree to the cookies.

The different types of cookies are:

Strictly necessary – these are required for the operation of the website/app. Examples include cookies to allow individuals to log in to certain areas of the website or use a shopping cart. Cookies that are strictly necessary do not require consent, but the cookie must be essential, and what is essential will be different depending on the type of website or app.

Analytical or performance cookies – these can record the number of users that visit the website and what they do on the website. They are not essential so consent must be obtained.

Functionality cookies – these recognise users when they return to a certain website so that website can be tailored to them, e.g., by remembering their language preferences or what was in their shopping cart. They are not essential and so consent must be obtained.

Targeting cookies – these record users’ visits to the website and the pages/links they visit so they receive targeted advertisements. They are not essential and so consent must be obtained.

PECR also states that organisations who use cookies must give clear and comprehensive information about the cookies. This information has to be as user friendly as possible and cover the cookies that will be used, the purposes for which they are used, any third parties who may also process information stored in or accessed from the user’s device and the duration of any cookies.

In a previous article, we talked about the new Data Protection and Digital Information Bill which could overhaul the current regime on the use of cookies. The Bill proposes to extend the types of cookies which can be placed on users’ devices without consent, which would make compliance easier for organisations. The Bill also proposes to increase the fines organisations could face for breaches of PECR, bringing it in line with the UK GDPR. We don’t know what will happen to cookie laws in the future, but we do know it’s important you get it right, right now.

If your business needs advice on data protection and compliance, to avoid any potential risks, get in touch with Sophie Brazier in our commercial team at SophieBrazier@schofieldsweeney.co.uk.

Copyright © Schofield Sweeney Solicitors. All Rights Reserved.

Schofield Sweeney LLP is authorised and regulated by the Solicitors Regulation Authority.
