If you find the rules around website Cookies and Cookie pop-ups confusing and frustrating, you are definitely not alone. This is a quick run-through of what you need to know if you manage or own a website, with no overly complex technical or legal jargon.

In summary, as a website owner you’re responsible for collecting valid consent for Cookies, where applicable. Essential Cookies don’t need consent to be set, but non-essential Cookies do. For consent to be valid, it must give your visitors a real choice.

What is a Cookie?

You can think of a Cookie as a sort of tracker; it’s a piece of computer wizardry on a website that knows you’ve visited the website and keeps a record of your IP address (a unique string of numbers that identifies an electronic device on the internet).

Depending on the type of Cookie, it might also keep a record of the other websites you visit after the first one where you picked up the Cookie, and it can keep a record of your website setting preferences (including, ironically, whether or not you accept Cookies!).

There are two types of Cookies – those that are essential for your website to work properly, and non-essential Cookies. The non-essential Cookies include those that give the website owner/manager analytics data, letting you know which pages on your website are most popular, where your website visitors come from, and so on. Any Cookies that are there to provide targeted advertising to your website visitors are also classed as non-essential.

As the owner or manager of a website, you might feel that analytics and advertising are essential functions, but classing Cookies as essential or non-essential is based on the point of view of the website visitor, not the organisation that runs it. Website visitors can use your website quite happily without you knowing which pages they visit, and without having adverts targeted at them, either on your website or elsewhere on the internet.

What does the law say about Cookies?

This is where it can get even more complicated, so we’ll try to keep it brief. Contrary to popular belief, it’s not the (UK)GDPR that sets out the rules for Cookies – it’s the PECR (Privacy and Electronic Communications Regulations). There is a link to the (UK)GDPR though, which we’ll get to in a moment.

Consent for non-essential Cookies: The PEC Regs say that if you want to set non-essential Cookies on your website visitors’ devices, you need to get their consent before the Cookies are set.

Essential Cookies: If you are setting essential Cookies, you don’t need to get consent for them.

Of course, many websites have only essential Cookies; you don’t have to have non-essential Cookies by any means.

The link to the (UK)GDPR comes in here – because the PEC Regs don’t define what standard of consent is required, the definition that applies is the one in the (UK)GDPR. This means that the consent must be freely given, it must represent a real choice, and it should involve a positive opt-in. So nothing sneaky such as a message that says “if you keep using this website you consent to all cookies”. But loads of websites do that, don’t they? Hmm, let’s come back to that.

The other important part the (UK)GDPR plays in the rules about Cookies is that when you set a Cookie you are processing personal data, as ‘personal data’ is anything that can be used to identify an individual, including IP addresses. So if you want to comply with the law, you need to follow the rules of the (UK)GDPR and in particular make sure the way you handle the data meets the following:

  • The processing should be fair, lawful and transparent, meaning you must have a legal basis for the processing, and make sure you tell people about it;
  • Use the data only for the purpose you collected it, i.e. the purpose of the Cookies;
  • Don’t keep the data forever, only keep it as long as it’s reasonably needed for the purpose;
  • Keep the data secure.

What should the Cookie banner say?

The Cookie banner is the (sometimes annoying!) pop-up at the bottom of the website you’re visiting, and sometimes covers the whole page, so you have to click something to make it disappear before you can read the website page you’re actually interested in.

As above, although most websites do have a Cookie banner now, a lot of them include a pretty dodgy statement along the lines of:

“If you keep using this website you consent to all cookies.”

It should be no surprise that this doesn’t comply with the PECR or the (UK)GDPR. A compliant Cookie banner will tell you that non-essential Cookies can be either accepted (i.e. you give consent for them) or rejected, and there will be relevant accept or reject buttons right on the banner, or the banner will link to another section that allows you to accept/reject the non-essential Cookies.

Many websites only give the option of accepting non-essential Cookies, and the only other option is to follow the instructions in the ‘Cookie Policy’ to disable all Cookies in your own internet browser. Doing this will mean you don’t get essential Cookies either, though, and websites you visit might not work properly.
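As an added example (not code from the original post), here is the behaviour a compliant banner needs, in plain JavaScript: essential Cookies are set freely, non-essential ones only after an explicit accept, a reject is honoured, and the choice is remembered so the banner is not shown on every visit. The cookie names and categories are constructed for illustration, and document.cookie is modelled as a plain object so the code runs outside a browser.

```javascript
// Consent gate: non-essential cookies are only ever set after a positive opt-in.
// document.cookie is modelled as a plain object so this runs outside a browser.

const CONSENT_COOKIE = "cookie_consent"; // essential: it records the visitor's choice

// Constructed cookie catalogue; names and categories are illustrative only.
const COOKIE_CATEGORIES = {
  session_id: "essential",
  csrf_token: "essential",
  analytics_id: "non-essential",
  ad_profile: "non-essential",
};

function createJar() { return {}; } // stands in for document.cookie

// The recorded choice: "accepted", "rejected", or "undecided" (nothing recorded yet).
function consentState(jar) {
  const v = jar[CONSENT_COOKIE];
  return v === "accepted" || v === "rejected" ? v : "undecided";
}

// The only way the state becomes "accepted" is an explicit button press;
// scrolling, dismissing or continuing to browse never changes it.
function recordChoice(jar, choice) {
  if (choice !== "accepted" && choice !== "rejected") throw new Error("invalid choice");
  jar[CONSENT_COOKIE] = choice;
  if (choice === "rejected") {
    // A later rejection also clears anything set after an earlier acceptance.
    for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
      if (cat === "non-essential") delete jar[name];
    }
  }
}

// Returns true if the cookie was set. Essential cookies always go through;
// non-essential ones need an explicit "accepted" on record.
function setCookie(jar, name, value) {
  const cat = COOKIE_CATEGORIES[name];
  if (cat === undefined) throw new Error(`unknown cookie: ${name}`);
  if (cat === "non-essential" && consentState(jar) !== "accepted") return false;
  jar[name] = value;
  return true;
}

// The banner is only needed while no choice is recorded, so returning
// visitors are not asked again on every page load.
function bannerRequired(jar) { return consentState(jar) === "undecided"; }
```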

What’s the risk of not complying with the Cookies rules?

If you aren’t giving your website visitors a valid choice, what is the risk?

Strictly speaking, the IC (Information Commissioner), who is responsible for upholding information rights in the UK, can fine an offending website owner up to £500,000 for breaching the PECR with poor Cookies management. However, a quick look at the recent action taken by the IC will show a distinct lack of action taken against website owners regarding Cookies.

There is another risk though. Remember that if you breach the PECR rules about Cookies, you’re also breaching the (UK)GDPR, and individuals have the legal right to receive compensation for damage caused by a breach of the (UK)GDPR. ‘Damage’ in this instance doesn’t only mean financial loss or physical harm; it can also include distress.

The Lloyd v Google case, which was heard by the Supreme Court in April 2021 and whose judgment is still awaited, is about Google setting Cookies on 4 million iPhones, and the damages are being claimed for the loss of control over their personal data. Not even a mention of distress. Even if the eventual outcome means that there does need to be some sort of distress or other harm, proving a lack of distress is a very tricky task! And even if you can defend the case, you have to consider the time and money it will cost you to do so.

I recently became aware of a cyber professional claiming compensation in the high hundreds of pounds range for the distress of having non-essential Cookies set on their device without valid consent. Either paying or defending this claim will likely cost any organisation who receives a claim like this the best part of £1,000.

Investing in updating your Cookies banner and consents will cost less than that, and should fend off any claims of ‘distress’. An updated Cookies banner could improve your website visitors’ browsing experience too; both you and your visitors will be glad to know you don’t have to have a huge pop-up covering the whole page, or have it ask for consent every single time you visit a website.

Free Cookies Cheat Sheet

To download a free Cookies cheat sheet that highlights the different requirements for essential and non-essential Cookies, fill in your details below and subscribe to our emails. You can unsubscribe at any time.

Clare draws on over 20 years of experience in risk management and quality assurance, including ten years in data protection, to provide clear and practical advice and training.

Don’t tell everyone (shh!) but Clare’s favourite sector is social housing; she worked in a large housing association for 12 years, although she loves to support all values-led organisations.

If you have any questions about data protection, either about cookies or anything else related to personal data, book a free call!