Cookies are clearly the flavour of the month for UK and European data protection enforcers. Supervisory authorities are now turning their attention to non-compliant websites.
In November 2023, the ICO wrote to 53 of the UK’s top 100 websites, instructing them to change their cookie practices or suffer the consequences. Not surprisingly, 38 companies had already complied by the end of January. Others are in the middle of putting things right, and some are working on alternative models (more on that from the ICO next month).
The ICO is now widening its cookie investigations and warning companies to make their cookies compliant. It is investing time, money, and resources to do so. For example, it is developing an AI solution to help find websites with non-compliant cookie banners. The ICO intends to work through websites which target UK users, focusing on cookie compliance by checking cookie usage, and rooting out non-compliant websites.
In early January, Spain issued new cookie guidance. And the Netherlands has also just issued new guidance, and announced that 2024 will see it investigating cookie/cookie banner use and misuse.
So, for those who have adopted questionable cookie practices … it’s probably time to put things right before you find yourselves on the receiving end of enforcement penalties. To help you, here are some key tips for your cookie banners:
1. Personal data
PECR (UK) or e-Privacy Directive (Europe) demands consent before setting cookies. But where cookies process personal data, consent MUST be to GDPR standards – so
2. Pre-set cookies
You may set “strictly necessary” cookies (for example, for website functionality, security, managing shopping baskets, or other requested online services) without consent
3. Analytics, tracking, and advertising cookies
Wait to set cookies until AFTER the user accepts them.
4. Balance
Make it as easy for users to reject cookies as it is to accept them. If it’s one click to accept, it must be one click to reject.
5. Cookie walls
If you’re using a cookie wall, it MUST drop whether the user accepts or rejects cookies. You may not make access to your site dependent on a user accepting cookies.
6. Consent withdrawal
Make sure there is always a link to the cookie banner so visitors can withdraw their consent at any time.
If you have any questions or concerns with how you can set compliant cookies, please call 01787 277742 or email dc@datacompliant.co.uk
And please take a look at our services.
Victoria Tuffill – 7th February 2024
Data Compliant International
International data protection consultants and DPOs.
22 Friars Street, Sudbury, Suffolk, CO10 2AA
Email: dc@datacompliant.co.uk
Tel No.: +44 (0) 1787 277 742