Cookies – the aptly named ‘bite sized’ text files which reside on a user’s device – can be helpful tools for both businesses and web users. Whether it’s remembering what’s in a shopping basket when shopping for goods online, supporting users to log into a website or analysing traffic to a website, cookies can provide a customised user experience, valuable business insights and, overall, a competitive advantage for your business. However, while cookie technology continues to grow, so too do the concerns about its potential threat to privacy, particularly when users aren’t made explicitly aware of whether a website uses cookies and, if so, for what purpose.

The UK’s Information Commissioner’s Office (ICO) has responded to these growing concerns and released its latest guidance (the Guidance) on the use of cookies and similar technologies, which includes tracking pixels (otherwise known as web beacons). The Guidance applies if your organisation targets EU consumers and has an obligation to comply with the GDPR.

Being Clear and Comprehensive when using Cookies

In the interests of transparency and accountability your organisation must inform its users of the following:

  • The cookies you intend to use; and
  • The purposes for which you intend to use them.

Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), this means that your organisation must provide ‘clear and comprehensive’ information about its use of cookies. While there is no exhaustive definition of ‘clear and comprehensive’, the baseline rule is that you must provide the information in a manner that is clear and easy to understand. This means that if your organisation uses multiple types of files, it may want to consider re-modelling its existing cookies notice to include a comprehensive list of the different types of cookies used and a description of how they are used.

Cookies and Consent

Not only must the user be clearly informed as to what cookies are used on your business’ website and how they are used, but users must also provide their active and informed consent to the use of both essential and non-essential cookies as required under Regulation 6 of the PECR. In practice, this means that consent cannot be demonstrated if your website only has information about cookies as part of its privacy policy or in its terms and conditions. Rather, the user must take some form of unambiguous positive action to demonstrate consent. This could include ticking a box or clicking a link in a consent pop-up. As per the ICO’s Guidance, however you decide to inform your users as to your use of cookies, it is critical that you are confident that your users are clearly informed that their actions will result in specific cookies being set. It’s also important that users have the means to enable or disable non-essential cookies, and you should make this easy to do.

If your website is set up to take a ‘take it or leave it’ approach which requires users to agree to or accept the cookies before they can access online content, this will likely be considered in breach of Recital 43 of the GDPR, which requires consent to be freely given.
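The consent model in the two paragraphs above (a positive action before non-essential cookies are set, an easy way to withdraw, a complete notice, and no cookie wall) is easiest to enforce when every cookie write passes through a single gate. The following is an added example in JavaScript written for this page; it is not code from the ICO’s Guidance or from any consent-management product. The cookie names, categories and purposes, and the in-memory jar that stands in for `document.cookie`, are constructed for illustration, and the example treats cookies marked ‘essential’ as exempt from the choice, which is the strictly-necessary exemption in Regulation 6 of PECR.

```javascript
// Added example: a minimal consent gate for cookies. Not the ICO's or any vendor's code.
// Cookie names, categories and the in-memory jar are constructed for illustration.

// Every cookie the site may set, with its category and a plain-language purpose.
// Anything not listed here cannot be set at all, so the notice cannot silently go stale.
const COOKIE_CATALOGUE = {
  session_id: { category: 'essential',   purpose: 'keeps you signed in' },
  basket:     { category: 'essential',   purpose: 'remembers your shopping basket' },
  _ga:        { category: 'analytics',   purpose: 'measures traffic to the site' },
  ad_id:      { category: 'advertising', purpose: 'identifier for a third-party ad network' },
};

class ConsentManager {
  constructor(catalogue = COOKIE_CATALOGUE) {
    this.catalogue = catalogue;
    this.choices = {};      // category -> true/false; absent means the user has not decided yet
    this.jar = new Map();   // stands in for document.cookie (constructed for the example)
    this.blocked = [];      // audit trail of cookies refused for lack of consent
  }

  // Notice text: one line per cookie with its purpose ('clear and comprehensive').
  noticeText() {
    return Object.entries(this.catalogue)
      .map(([name, c]) => `${name} [${c.category}]: ${c.purpose}`)
      .join('\n');
  }

  nonEssentialCategories() {
    const cats = new Set(Object.values(this.catalogue).map(c => c.category));
    return [...cats].filter(c => c !== 'essential');
  }

  // Called only from an explicit user action (tick box or button click), never on page load.
  // Withdrawing consent also removes cookies already set in that category.
  recordChoice(category, allowed) {
    if (category === 'essential') throw new Error('essential cookies are not subject to a choice');
    this.choices[category] = Boolean(allowed);
    if (!allowed) this.clearCategory(category);
  }

  acceptAll() { for (const cat of this.nonEssentialCategories()) this.recordChoice(cat, true); }
  rejectAll() { for (const cat of this.nonEssentialCategories()) this.recordChoice(cat, false); }

  // The single choke point for setting cookies. Returns true only if the cookie was set.
  setCookie(name, value) {
    const entry = this.catalogue[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the catalogue; add it to the notice first`);
    if (entry.category !== 'essential' && this.choices[entry.category] !== true) {
      this.blocked.push(name);   // record the refusal; a silent drop would hide a compliance gap
      return false;
    }
    this.jar.set(name, value);
    return true;
  }

  clearCategory(category) {
    for (const [name, c] of Object.entries(this.catalogue)) {
      if (c.category === category) this.jar.delete(name);
    }
  }

  // Whether every non-essential category has a recorded decision. Page content is served
  // either way; this only controls whether the banner is still shown (no cookie wall).
  hasDecided() { return this.nonEssentialCategories().every(c => c in this.choices); }
}

// Walkthrough of the expected behaviour, returned as values so it can be checked.
function demo() {
  const cm = new ConsentManager();
  const beforeEssential = cm.setCookie('session_id', 'abc');  // set: strictly necessary
  const beforeAnalytics = cm.setCookie('_ga', 'GA1.1');        // refused: no consent yet
  cm.recordChoice('analytics', true);                          // user ticked 'analytics'
  const afterAnalytics = cm.setCookie('_ga', 'GA1.1');         // now set
  cm.recordChoice('analytics', false);                         // user withdraws consent
  return {
    beforeEssential, beforeAnalytics, afterAnalytics,
    gaRemaining: cm.jar.has('_ga'),
    blocked: cm.blocked.slice(),
  };
}

console.log(demo());
```

In a real page the banner’s ‘accept’, ‘reject’ and per-category buttons would call `recordChoice`, and any analytics or advertising script would be loaded only after `setCookie` for its cookie returns true; the `blocked` list is worth surfacing in testing, because a non-empty list on a page where the user has already rejected a category means some script is still trying to set cookies it should not.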

Tracking Technology used on Third Party Websites

The ICO recognises that all parties have a part to play in ensuring privacy compliance. If your website allows third parties to set cookies on a user’s device, such as through an advertising network or a streaming video service, both you and the third party jointly share the responsibility for ensuring that users are aware of the use of these files and that they provide the requisite consent. To ensure compliance, your third-party agreements should have appropriate contractual obligations in place which reflect the ICO’s Guidance.

Conclusion

It’s important that you think about how your business informs its users about cookies, particularly if you are subject to the GDPR. Even if your organisation is not subject to the GDPR, as a matter of best practice you should nevertheless consider disclosing your use of cookies beyond your website’s privacy policy. Privacy and data protection compliance should be designed into systems and services right from the beginning of a user’s experience on an online platform, and users should know exactly what cookies are being used and for what purpose.

Sainty Law can help you review and redesign your approach to privacy and data protection. Contact us for an obligation free discussion on how we can help your organisation.