New ICO guidance on cookies and how to comply
Cookie law has been around for several years now, and we were (or should have been) all aware of it well before the dreaded GDPR (General Data Protection Regulation) and PECR (Privacy and Electronic Communications Regulations) came into force. Most website owners have now made their sites compliant; however, new guidance published recently by the ICO could mean that businesses who think they are compliant might not be.
You can no longer rely on implied consent for your cookies
GDPR is very clear on the fact that affirmative action is required in order to provide valid consent for the collection of data or information. Just because a user continues to browse your website and ignores your pop-up, banner, statement or policy page does not mean that they have actively given their consent for you to collect their data.
The image below is the cookie notice from the Premier League website which, although praised for its simplicity after GDPR, is not fully compliant according to the recent guidance.
This also applies to pop-ups or banners which assume that consent is accepted just because the user has ignored them. You need a method which obtains consent to the use of non-essential cookies and this must happen before the cookies are loaded on the page.
You also need to keep it relatively simple and seamless for your website visitor. The trick is to strike a balance: make sure the visitor is fully informed about how you use the data, but not in so much detail that it discourages them from continuing to use your website. Here is an example of how this can also be easily overcomplicated and too techy for most visitors.
How to make sure your site is still compliant
- If you use third-party cookies such as Facebook Pixels you must specifically name them and their purpose in your policy documents and explain how they and you will use the information that you obtain from them.
- Review the wording used on your pop-ups or banners to ensure that you are being completely clear to your visitors about how and why cookies are used on your site.
- Check that your consent mechanism or pop-up allows users to choose to ‘reject’ non-essential cookies. If it doesn’t and you only have an ‘accept’ button, then you will need to switch to a different method which does offer the ‘reject’ option, or stop using any third-party or non-essential cookies.
- Make sure that non-essential and third-party cookies are not loaded until consent is given. If a user ignores your banner or pop-up then the site should only load the cookies that are essential for your site to function.
- Don’t use any pre-ticked boxes or sliders set to ‘on’ for the acceptance of non-essential cookies.
- Ensure that your website is still available to users who have rejected the non-essential cookies. A cookie wall which restricts access to all or part of the website for users who have not accepted your cookies could also be in breach of the regulations.
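The checklist above, sketched as a consent gate that decides which cookie-setting scripts may load. This is an added example, not code from the ICO guidance or from this site; the tag names, URLs and function names are hypothetical.

```javascript
// Constructed tag registry; names and URLs are placeholders, not real endpoints.
const TAGS = [
  { name: 'session', category: 'essential', src: '/js/session.js' },
  { name: 'analytics', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { name: 'ad-pixel', category: 'marketing', src: 'https://ads.example/pixel.js' },
];
const OPTIONAL = ['analytics', 'marketing']; // analytics is not "strictly necessary"

// State before the visitor has clicked anything: every optional category off.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false };
}

// Record an explicit click. Only a literal `true` opts a category in, so a
// missing, pre-filled or truthy-but-not-true value is treated as a rejection.
function recordChoice(choices = {}) {
  const consent = { decided: true };
  for (const cat of OPTIONAL) consent[cat] = choices[cat] === true;
  return consent;
}

// "Reject" is a first-class action, equivalent to opting in to nothing.
const rejectAll = () => recordChoice({});

// Tags allowed for a given consent state. An ignored banner (decided: false)
// yields essential tags only, whatever else the object claims.
function tagsToLoad(consent) {
  return TAGS.filter((t) =>
    t.category === 'essential' ||
    (consent.decided === true && consent[t.category] === true)
  ).map((t) => t.name);
}

// Inject only the permitted tags. `inject` is supplied by the caller; in a
// browser it would append a <script src=...> element to the document.
function loadTags(consent, inject) {
  const allowed = new Set(tagsToLoad(consent));
  TAGS.filter((t) => allowed.has(t.name)).forEach((t) => inject(t.src));
  return allowed.size;
}

// Demo: ignored banner, then reject, then analytics-only opt-in.
console.log(tagsToLoad(defaultConsent()));
console.log(tagsToLoad(rejectAll()));
console.log(tagsToLoad(recordChoice({ analytics: true })));
```

Essential tags load in every state, so a visitor who rejects or ignores the banner still gets a working site rather than a cookie wall.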
Analytics cookies are not classed as ‘strictly necessary’
This means that if you are using Google Analytics or any other third-party tool to collect information about your visitors, even if that information is anonymous, you need to ensure that your site is fully compliant according to the most recent guidance from the Information Commissioner.
Let us take away your cookie worries
Compliance services include:
- Cookie analysis to check which cookies are in place on your website and how they are currently used.
- Documentation review and update.
- Change or update to cookie consent mechanism or pop-up banner.