Time to put an end to half-baked cookies


Set Compliant Cookies – or Face the Penalty

Cookies are clearly the flavour of the month for UK and European data protection enforcers. Supervisory authorities are now turning their attention to non-compliant websites.

UK cookie compliance

In November 2023, the ICO wrote to 53 of the UK’s top 100 websites, instructing them to change their cookie practices or suffer the consequences. Not surprisingly, 38 companies had already complied by the end of January. Others are in the middle of putting things right, and some are working on alternative models (more on that from the ICO next month).

The ICO is now widening its cookie investigations and warning companies to make their cookies compliant. It is investing time, money, and resources to do so. For example, it is developing an AI solution to help find websites with non-compliant cookie banners. The ICO intends to work through websites which target UK users, focusing on cookie compliance by checking cookie usage, and rooting out non-compliant websites.

EU cookie compliance

In early January, Spain issued new cookie guidance. The Netherlands has also just issued new guidance, and announced that 2024 will see it investigating cookie/cookie banner use and misuse.

Cookie Compliance – Key Tips

So, for those who have adopted questionable cookie practices … it’s probably time to put things right before you find yourselves on the receiving end of enforcement penalties. To help you, here are some key tips for your cookie banners:

1. Personal data

PECR (UK) or the e-Privacy Directive (Europe) demands consent before setting cookies. But where cookies process personal data, consent MUST be to GDPR standards – so:

    • Do not use pre-ticked boxes
    • Explain the purpose of each cookie so that website visitors can make an informed yes/no decision
    • Ideally, put a link to your cookie policy on the banner. Your cookie policy should include the cookies you are setting and explain what they do, how you will use them, how long they will remain on your device, and how users can manage them

2. Pre-set cookies

You may set “strictly necessary” cookies (for example, for website functionality, security, managing shopping baskets, or other requested online services) without consent.

3. Analytics, tracking, and advertising cookies

Wait to set cookies until AFTER the user accepts them.

4. Balance

Make it as easy for users to reject cookies as it is to accept them. If it’s one click to accept, it must be one click to reject.

    • Their choices must be clear and obvious, so words like “accept,” “reject,” and “select” are helpful.
    • If you’re not pre-setting cookies before users accept them, technically you don’t need a reject or refusal button. But if you choose not to use one, you must:
      • Make it clear that you have not set any non-essential cookies
      • Make it obvious how users move past the banner – for example, you can enable them to close it with a single click, or set it to drop if the user takes no action within a specified (short) time.

5. Cookie walls

If you’re using a cookie wall, it MUST drop whether users accept or reject cookies. You may not make access to your site dependent on a user accepting cookies.

6. Consent withdrawal

Make sure there is always a link to the cookie banner so visitors can withdraw their consent at any time.

If you have any questions or concerns about how you can set compliant cookies, please call 01787 277742 or email dc@datacompliant.co.uk

And please take a look at our services.

Victoria Tuffill – 7th February 2024