New ICO guidance on cookies and how to comply

Cookie law has been around for several years now, and we were (or should have been) all aware of it well before the dreaded GDPR (General Data Protection Regulation) and PECR (Privacy and Electronic Communications Regulations) came into force too. Most businesses have now made their websites compliant; however, new guidance published recently by the ICO could mean that businesses that think they are compliant might not be.

For most businesses, complying with the new guidance will be a simple case of a small update to your cookie policy and possibly an amendment to how your cookie notice or consent mechanism works in practice.

You can no longer rely on implied consent for your cookies

GDPR is very clear that affirmative action is required in order to give valid consent for the collection of data. Just because a user continues to browse your website and ignores your pop-up, banner, statement or policy page does not mean that they have actively consented to you collecting their data.

The image below is the cookie notice from the Premier League website which, although praised for its simplicity after GDPR, is not fully compliant according to the recent guidance.

[Image: Premier League cookie notice]

If all you have is a statement in your cookie or privacy notice along the lines of ‘by continuing to use the website you agree to our use of cookies’, this is no longer acceptable, and you will need to implement a method of collecting consent from the visitors to your site rather than just assuming that they consent.

This also applies to pop-ups or banners which treat consent as given just because the user has ignored them. You need a method which obtains consent to the use of non-essential cookies, and this must happen before those cookies are loaded on the page.

You also need to keep it relatively simple and seamless for your website visitor, so the trick is to strike a balance: make sure the visitor is fully informed about how you use their data, but not so much that it discourages them from continuing to use your website. Here is an example of how this can easily be overcomplicated and too technical for most visitors.

[Image: an over-complicated cookie pop-up]

How to make sure your site is still compliant

  1. Update your cookie policy and/or privacy notice to provide detailed information on the essential and non-essential cookies that you are using.
  2. Make sure your consent mechanism links to your cookie policy or privacy notice and has a clear description of what this is for. For example, instead of just having a link that says ‘Cookie Policy’, change the text to something like ‘find out how we use cookies to improve your experience on our website’.
  3. If you use third-party cookies such as Facebook Pixels, you must specifically name them and their purpose in your policy documents and explain how they and you will use the information that you obtain from them.
  4. Review the wording used on your pop-ups or banners to ensure that you are being completely clear to your visitors about how and why cookies are used on your site.
  5. Check that your consent mechanism or pop-up allows users to choose to ‘reject’ non-essential cookies. If it doesn’t, and you only have an ‘accept’ button, then you will need to switch to a different method which does offer the ‘reject’ option, or stop using any third-party or non-essential cookies.
  6. Make sure that non-essential and third-party cookies are not loaded until consent is given. If a user ignores your banner or pop-up, then the site should only load the cookies that are essential for your site to function.
  7. Don’t use any pre-ticked boxes or sliders set to ‘on’ for the acceptance of non-essential cookies.
  8. Ensure that your website is still available to users who have rejected the non-essential cookies. A cookie wall which restricts access to all or part of the website for users who have not accepted your cookies could also be in breach of the regulations.
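One way to implement steps 5 to 7 in the browser is to gate every non-essential script behind a stored, explicit decision, treating an ignored banner exactly like a rejection. This is an added example, not code from the original post or any vendor's consent tool; the storage key, the category names and the script URLs are assumptions.

```javascript
// Added example, not from the original post: a consent gate that loads
// non-essential scripts only after an affirmative choice. Storage and the
// script loader are injected so it runs outside a browser (in a page, pass
// window.localStorage and a <script>-appending function). Names are hypothetical.
const CONSENT_KEY = "cookie_consent_v1";
const NON_ESSENTIAL = ["analytics", "marketing"]; // gated categories

function createConsentManager(storage, loadScript) {
  const loaded = new Set(); // URLs already injected, so nothing loads twice
  // No record (banner ignored) or a corrupt record both mean "no consent":
  // every category starts at false, so nothing is pre-ticked.
  function read() {
    const state = Object.fromEntries(NON_ESSENTIAL.map(c => [c, false]));
    try {
      const saved = JSON.parse(storage.getItem(CONSENT_KEY) || "{}");
      for (const c of NON_ESSENTIAL) if (saved[c] === true) state[c] = true;
    } catch (e) { /* malformed record: keep everything at false */ }
    return state;
  }
  // Persist an explicit decision; each category is stored as true or false.
  function record(accepted) {
    const state = Object.fromEntries(NON_ESSENTIAL.map(c => [c, accepted.includes(c)]));
    storage.setItem(CONSENT_KEY, JSON.stringify(state));
    return state;
  }
  // Essential scripts always load; a gated category loads only when its
  // stored decision is exactly true. Returns the URLs injected by this call.
  function applyConsent(scriptsByCategory) {
    const state = read(), loadedNow = [];
    for (const [category, urls] of Object.entries(scriptsByCategory)) {
      if (NON_ESSENTIAL.includes(category) && state[category] !== true) continue;
      for (const url of urls) {
        if (loaded.has(url)) continue;
        loaded.add(url); loadScript(url); loadedNow.push(url);
      }
    }
    return loadedNow;
  }
  return {
    hasDecision: () => storage.getItem(CONSENT_KEY) !== null, // show banner?
    acceptAll: () => record(NON_ESSENTIAL),
    rejectAll: () => record([]), // "reject" is a first-class choice
    applyConsent,
  };
}

function memoryStorage() { // in-memory stand-in for localStorage (constructed)
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

Call `applyConsent` once on page load and again after the visitor clicks accept or reject; because the gate reads the stored decision each time, an ignored banner never causes an analytics or marketing script to be injected.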

Analytics cookies are not classed as ‘strictly necessary’

This means that if you are using Google Analytics or any other third-party tool to collect information about your visitors, even if that information is anonymous, you need to ensure that your site is fully compliant with the most recent guidance from the Information Commissioner.

Let us take away your cookie worries

Following this newly updated guidance, we are aware that most small businesses, including many of our customers, may need some help with making sense of it all and implementing the correct solutions. Prices will vary depending on the type of site, how you use cookies and what you already have in place, but we anticipate that for most, the cost of updating and ensuring compliance will be under £100.

Compliance services include:

  • Cookie analysis to check which cookies are in place on your website and how they are currently used.
  • Documentation review and update.
  • Change or update to cookie consent mechanism or pop-up banner.

Get in touch to find out more or request a quote for any of the services.