Website Cookie Consent – why it matters

Why cookies matter

You’ve probably noticed a growing number of websites using a cookie consent platform designed to capture user consent for certain cookies. Such platforms also inform visitors of the cookies and similar tracking technologies used by the website, so that it is clear what a user would be consenting to before these are activated. While some cookies are deemed to be strictly necessary and do not require consent, if your website uses non-essential cookies and you are not asking for consent before they are dropped on users’ devices, then you are operating your website illegally.

This article gives a brief overview of the legislation surrounding website cookie consent, explains how you collect user consent and covers the different types of cookies. We’ve also included some helpful links for further information.

What is the associated legislation?

The law around cookies (and similar technologies) is found in the Privacy and Electronic Communications Regulations (PECR) 2003, which itself is based on an EU directive from 2002. Unlike the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018, which are largely based on principles, the PECR is rule-based – this means not much is open to interpretation. Significantly, although the PECR has not changed much over time, the threshold for consent to be valid is now much higher, thanks to the GDPR. This is the bit that is catching out a lot of business owners that operate websites.

What are the different purposes of cookies?

In general, cookies are categorised as either strictly necessary or non-essential. The latter category could include cookies that are functional, performance-related, analytical or targeting (marketing). Only those that you consider to be strictly necessary (those required for the operation of your website) don’t need prior consent. For instance, cookies on an e-commerce website that are used to remember what’s in a shopping basket are deemed to be strictly necessary.

Non-essential cookies are those used for purposes that are not directly involved in the delivery of the website. You might consider them essential to track customer behaviour, but unless they are actually necessary to make the website work in accordance with its purpose, then they are deemed non-essential.

Some cookies are used just for a single session, whereas others are persistent and may hang around for days, weeks or years. This may mean that the level of risk or exposure will vary, but your legal responsibilities do not change.

What is needed?

Every website that is running non-essential cookies needs to have some mechanism that allows users to give consent for their use before they are dropped onto the user’s device. For the purpose of this article, I shall refer to this as a Cookie Consent Management Platform (CMP).

The cookie CMP should provide a permanent link to a ‘settings’ area where cookies can be activated or turned off if they had previously been set. Incidentally, if the options to run cookies are set to ‘active’ or ‘on’ when a user first arrives at your website, then the website is operating unlawfully. The reason is that one of the conditions for consent to be valid involves the user making an affirmative action to opt-in or accept non-essential cookies. It follows that this action must take place before any cookies are dropped.

In addition, there should be a supporting website/cookie policy that describes the purpose of the cookies, with a corresponding list. This is important because you must inform users what it is you are asking them to accept/activate.
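As an added illustration (not code from this article or from Ascentor), the gating logic a CMP has to enforce: every non-essential category is off on first visit, a non-essential cookie can only be set after an affirmative opt-in has been recorded, and withdrawing consent in the settings area removes the cookies of that category. The Map `jar` stands in for `document.cookie` so the logic runs outside a browser; the cookie names and the `registry` mapping cookie names to categories are constructed for the example.

```javascript
// Added example: consent gate for non-essential cookies. The Map `jar` is a
// stand-in for document.cookie so the logic runs outside a browser.
const NON_ESSENTIAL = ["functional", "performance", "analytics", "targeting"];
// The consent record is itself strictly necessary: it only stores the user's choice.
const CONSENT_COOKIE = "cookie_consent";

function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null; // first visit: no affirmative action has happened yet
  try { return JSON.parse(raw); } catch (e) { return null; } // corrupt record = no consent
}

function isAllowed(jar, category) {
  if (!NON_ESSENTIAL.includes(category)) return true; // strictly necessary: no consent needed
  const consent = readConsent(jar);
  // Default is off: a category is on only if the stored choice is exactly true.
  return Boolean(consent && consent.categories[category] === true);
}

function recordConsent(jar, choices) {
  // Called only from the affirmative action (the "accept" / "save settings" click).
  // Anything not explicitly true is stored as false, so nothing is pre-ticked.
  const categories = {};
  for (const cat of NON_ESSENTIAL) categories[cat] = choices[cat] === true;
  jar.set(CONSENT_COOKIE, JSON.stringify({ categories, at: new Date().toISOString() }));
  return categories;
}

function setCookie(jar, name, value, category) {
  // Every cookie-setting path goes through this gate; returns false when refused.
  if (!isAllowed(jar, category)) return false;
  jar.set(name, value);
  return true;
}

function withdrawConsent(jar, category, registry) {
  // `registry` maps cookie name -> category, mirroring the published cookie list,
  // so turning a category off in the settings area also removes its cookies.
  const consent = readConsent(jar) || { categories: {} };
  consent.categories[category] = false;
  jar.set(CONSENT_COOKIE, JSON.stringify(consent));
  let removed = 0;
  for (const [name, cat] of Object.entries(registry)) {
    if (cat === category && jar.delete(name)) removed++;
  }
  return removed;
}
```

In a real deployment the same gate has to sit in front of third-party tag loading as well, since most non-essential cookies are dropped by scripts rather than by first-party code.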

Why the fuss and does it matter?

The answer depends on your risk appetite, and you should at least take an informed view. In summer 2019, the ICO updated its own website, issued new cookie guidance and indicated it was taking a greater interest in the misuse of cookies. More recently, the Spanish airline ‘Vueling’ was fined €30,000 by the Spanish equivalent of the ICO for not managing the cookies on its company website.

Cookies are just part of the story

Hopefully it is not a surprise to most people that data protection legislation is nothing new; the GDPR is really just an evolution of the DPA 1998. What has changed is the need for business owners to be a lot more transparent and accountable as to how they process personal data. This is the bit that requires original thought.

For anyone hoping that Brexit will make a difference, think again. The GDPR will be absorbed into UK law at the appropriate time, so little will change in the short term.

What we do at Ascentor

We have a cookie policy published on our website and a consent box pops up for first time users. Users can also find the link in the website footer that appears on every page. We explain that we use a variety of tracking technologies and we state why we do it at the outset. Our use of cookies improves the way in which users can view our website, it enhances our understanding of how they use it and may assist us in our marketing activities.

Our policy describes the purpose and the nature of the cookies, covering both essential and non-essential ones, and how long they are set for. We also link it to our privacy policy, which provides our contact details should anyone have any questions.

In conclusion

You must tell users of your website if you set cookies, and clearly explain what the cookies do and why. Some cookies are deemed strictly necessary and don’t need prior consent, but all other (non-essential) cookies do. You must obtain the user’s consent at the outset and in accordance with the requirements set out in the GDPR.

We believe that knowledge of the data protection legislation, and its application, goes a long way to making your life easier in the long run. In this respect, the cost of preparation and prevention is considerably less than the consequence of dealing with an investigation that could itself, result in a fine, enforcement action and/or possible reputational damage.

If you have any questions or concerns about how you are using cookies, please contact the team at Ascentor (using the box below) for an informal chat. You may also find the guidance on cookies by the Information Commissioner’s Office of help.

With thanks to our guest contributor, Data Protection Consultant, Phil Brown.
