How to Be Cookie-Compliant

The Information Commissioner's Office (ICO) has issued a warning to some of the UK's leading websites, cautioning them about potential enforcement action if they fail to comply with data protection laws. The specific concern revolves around websites that do not provide users with fair choices regarding the tracking of their data for personalised advertising. 

The ICO emphasises the importance of making it as effortless for users to "Reject All" advertising cookies as it is to "Accept All." While websites are still permitted to display ads even if users reject all tracking, these ads must not be tailored to the individual browsing. 

The ICO has written to the companies operating many of the UK's most visited websites, outlining its concerns and granting a 30-day period to make the adjustments necessary to comply with the law. 

Cookies play a vital role in enhancing online experiences, but their usage comes with responsibilities, particularly in the context of data protection laws.

What are Cookies?

Cookies are small pieces of information that online services store on users' devices, facilitating various functions such as remembering shopping cart contents, supporting user logins, analysing website traffic, and tracking browsing behaviour.

PECR Requirements

The Privacy and Electronic Communications Regulations (PECR) do not mention cookies by name, but Regulation 6 sets out the rule that governs them: storing information on a user's device, or gaining access to information already stored there, requires that the user is given clear and comprehensive information about the purpose and gives consent. The rule is technology-neutral, so it applies equally to local storage, pixels and other tracking techniques that store or read data on the device, not only to cookies. To be compliant, websites must:

  • Clearly state the cookies to be set.

  • Explain the intended purposes of these cookies.

  • Obtain user consent for storing cookies.

The term 'clear and comprehensive information' is not explicitly defined in PECR, but it aligns with the transparency requirements of the UK General Data Protection Regulation (UK GDPR). This means providing users with information about the types of cookies, their purposes, any third-party involvement, and the duration of the cookies.

Cookie Consent and UK GDPR

The UK General Data Protection Regulation (UK GDPR) requires a lawful basis for processing personal data, but the PECR consent requirement for cookies is distinct and applies first. Where PECR requires consent, a website cannot substitute another UK GDPR lawful basis such as legitimate interests for the setting of the cookie itself. Consent for cookies should be obtained separately from other matters, through a transparent, clear opt-in mechanism.

Cookies that are strictly necessary to provide a service the user has explicitly requested (for example, a session cookie that holds the contents of a shopping basket or keeps the user logged in) are exempt from the consent requirement. Analytics and advertising cookies are not strictly necessary in this sense and do require consent. Where consent is required, it must meet the UK GDPR standard and be separate from terms and conditions or privacy notices.

Cookie Compliance

By proactively addressing these aspects, websites can enhance user trust, comply with legal requirements, and contribute to a safer online environment. 

1. Communication

It's essential to be transparent with your users about how your website utilises cookies. This involves prominently displaying a clear and easily understandable cookie notice on your website. The notice should succinctly explain the types of cookies used, their purposes, and any third-party involvement. Make sure this information is easily accessible, perhaps in a dedicated section of your website, and is not buried within lengthy terms and conditions.

2. Information

Beyond clarity, providing detailed information in a user-friendly manner enhances transparency and helps users make informed decisions. Consider offering a comprehensive but concise cookie policy page that users can easily access. This page should elaborate on the specific types of cookies, their functions, and the duration of their storage. Use plain language that is accessible to a diverse audience, avoiding jargon that may confuse users.

3. Consent

To comply with data protection regulations, it's crucial to obtain consent that meets the UK GDPR standard (freely given, specific, informed and unambiguous) before setting any non-essential cookie on a user's device. Implement a user-friendly opt-in mechanism that requires a positive action, such as clicking an "Accept" button; continuing to scroll or browse is not consent. Avoid pre-ticked boxes, as they don't constitute valid consent, and make rejecting as easy as accepting, with a "Reject All" option presented as prominently as "Accept All". Additionally, offer users the option to manage cookie preferences by category and to withdraw consent later as easily as they gave it. In practice this means the site must not set advertising or analytics cookies on page load and only stop them once the user objects: nothing non-essential should be stored until the positive action has happened.

4. Review

Keep on top of changes in data protection laws and adjust your practices accordingly. If there are modifications to the types of cookies you use or how they are processed, ensure your cookie policies are promptly updated. This ongoing review process demonstrates a commitment to compliance and helps maintain user trust.
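As an added example, not code from this article or from Gerrish Legal, the following JavaScript shows one way to tie the four points above together in a site's front end: the cookie notice and the consent gate are generated from a single cookie inventory, so the cookies the site declares are the only cookies it can set, nothing non-essential is stored before a positive choice, undeclared cookies are refused rather than leaked, and "Reject All" is a single action equivalent to "Accept All". The cookie names, purposes, lifetimes, the in-memory jar and the walk-through are all constructed for this example; in a browser the jar would be document.cookie and the recorded choice would be persisted in a first-party store.

```javascript
// Added example (not from the original article or from Gerrish Legal).
// One inventory drives both the user-facing notice and the consent gate,
// so the declaration and the behaviour cannot drift apart. All names,
// purposes, lifetimes and providers below are constructed for the example.
const INVENTORY = {
  session_id:  { category: "necessary",   purpose: "Keeps you logged in",                         lifetime: "1 hour",   provider: "first party" },
  cart:        { category: "necessary",   purpose: "Remembers your shopping basket",              lifetime: "7 days",   provider: "first party" },
  _site_stats: { category: "analytics",   purpose: "Counts visits to measure site traffic",       lifetime: "30 days",  provider: "first party" },
  _ad_profile: { category: "advertising", purpose: "Builds an interest profile for personalised ads", lifetime: "365 days", provider: "example-adnetwork.invalid (third party)" },
};

// No choice recorded yet: nothing is pre-ticked, so only strictly necessary
// cookies may be stored.
function newConsentState() {
  return { decided: false, allowed: { necessary: true, analytics: false, advertising: false } };
}

// "Accept All" and "Reject All" are single, equivalent actions.
function acceptAll() {
  return { decided: true, allowed: { necessary: true, analytics: true, advertising: true } };
}
function rejectAll() {
  return { decided: true, allowed: { necessary: true, analytics: false, advertising: false } };
}

// Granular choice: a category is enabled only if the user explicitly set it
// to true; anything omitted stays off (no implied consent).
function setPreferences(choices) {
  return {
    decided: true,
    allowed: {
      necessary: true,
      analytics: choices.analytics === true,
      advertising: choices.advertising === true,
    },
  };
}

// The gate: strictly necessary cookies are exempt from the consent
// requirement; everything else needs a recorded positive choice for its
// category; anything not in the inventory is refused outright.
function mayStore(state, name) {
  const entry = INVENTORY[name];
  if (!entry) return false;
  if (entry.category === "necessary") return true;
  return state.decided && state.allowed[entry.category] === true;
}

// Returns true if the cookie was stored, false if the gate refused it.
// Secure and SameSite=Lax are hardening defaults assumed for the example.
function setCookie(jar, state, name, value) {
  if (!mayStore(state, name)) return false;
  jar.set(name, { value, lifetime: INVENTORY[name].lifetime, secure: true, sameSite: "Lax" });
  return true;
}

// The notice text comes from the same inventory the gate enforces: name,
// category, purpose, who sets it, and how long it lasts.
function cookieNotice() {
  return Object.entries(INVENTORY).map(([name, e]) =>
    `${name} (${e.category}): ${e.purpose}; set by ${e.provider}; kept for ${e.lifetime}`);
}

// Constructed walk-through: the site tries to set every declared cookie plus
// one undeclared tracker at four points, and we record what actually landed.
function walkthrough() {
  const stages = [
    ["before_choice",  newConsentState()],
    ["reject_all",     rejectAll()],
    ["analytics_only", setPreferences({ analytics: true })],
    ["accept_all",     acceptAll()],
  ];
  const results = {};
  for (const [label, state] of stages) {
    const jar = new Map();
    for (const name of Object.keys(INVENTORY)) setCookie(jar, state, name, "v");
    setCookie(jar, state, "_undeclared_tracker", "v");
    results[label] = [...jar.keys()].sort();
  }
  return results;
}

console.log(cookieNotice().join("\n"));
console.log(walkthrough());
```

Before any choice and after "Reject All" only session_id and cart are stored; the analytics-only preference adds _site_stats; only "Accept All" adds _ad_profile; the undeclared tracker is never stored at any stage. A review of the site's cookies then reduces to a diff between the inventory and what the browser actually holds.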

What About Terms and Conditions?

Attempting to obtain cookie consent through terms and conditions is not permissible under data protection regulations. The Information Commissioner's Office (ICO) makes it clear that consent must be a distinct and separate process, independent of other legal documents such as terms and conditions or privacy notices. 

The essential principle is transparency. Users should be fully informed about the use of cookies and explicitly agree to it through a specific and positive opt-in action. By ensuring a separate and dedicated approach to obtaining consent, businesses uphold the standards set by the Privacy and Electronic Communications Regulations (PECR) and the UK General Data Protection Regulation (UK GDPR).

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.
