As you know GDPR came into force in May 2018 and everyone had a mad run-around to make their business compliant, including their website. We wrote a blog about it at the time, in fact.
And, here’s why…cookies.
So what the heck are cookies anyway?
When I say cookies most people will associate them with yummy treats, but the type of cookies I’m talking about here are the ones stored on your computer; essentially, they are small pieces of data held in small files on your computer via your internet browser. And when they store identifying information they are classed as ‘personal data’ under GDPR, so they have to be treated as such.
Cookies have a multitude of uses: keeping track of your shopping basket so that when you visit a website again you can easily buy that new bag you’ve been dreaming of since your last visit, tracking which pages you visit so you can be served bespoke marketing advertisements (like Facebook Pixel), and providing useful analytical data (i.e. Google Analytics and the like).
Used normally, these cookies don’t pose any risk, although some people might not want their every move tracked on the web, of course. But they can also be a security risk (on very rare occasions), so it was declared that every website has to advise what cookies it is using and why they are being used.
There are a few different types of cookies
Session cookies
Like the ones used to store your shopping basket; these are usually only temporary and are often very necessary for the functionality of the website.
Persistent cookies
Usually used to keep your login info when you click ‘keep me logged in’ so you don’t have to log in all the time (useful!). These should only last 12 months before expiring.
First party cookies
Set by the website itself, not by any third party; they can be used to store anything.
Third party cookies
Set by a third party, for example Facebook if the website uses Facebook Pixel or the like.
How do you implement compliant cookie legislation as part of GDPR?
You know those annoying pop-ups that make you click ‘accept’ (sometimes even before you’ve looked at the website)? Well, most of those are a start on the road to compliance but aren’t actually totally compliant. However, as you might know, the ICO website isn’t very clear on giving exact instructions, and so everyone thought that would be enough.
What the ICO’s ‘In Brief’ summary says is actually pretty clear:
“You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.
There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).
The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.”
But, get further into their website and you get statements like this:
“Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do.
You should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data such as health details, or used for behavioural tracking. The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy.”
And, continuing on to their PECR guidance on cookies, it gets even more confusing.
Should you simply turn off all cookies?
Now, everyone who uses the internet can easily turn off cookies in their browser and delete any cookies stored there. If you’re worried about storing cookies on your machine, have a Google for how to remove cookies from the specific browser you’re using and instructions will pop up. There are also instructions on how to turn them off, but if you do, you’ll find websites don’t really work as you expect.
Is getting visitors to turn off their own cookies within the browser enough to be compliant?
Of course not. To be compliant with GDPR legislation, the visitor has to be able to turn off the cookies website by website, cookie by cookie… BEFORE they move around the website, as that’s when their data (the cookies) will start to be stored.
Hoorah, yet more work for the small business to do.
Should we just stop using cookies?
Yes, ideally, so we don’t have to bother with all this. But that’s not always beneficial to the business… or even the customer/visitor.
- They’re essential if you have an e-commerce website; there’d be uproar if a customer added something to the basket and it disappeared because they didn’t immediately check out.
- They help the business improve its services by allowing it to monitor the analytics and see how customers use the website.
- They help the business get more sales by allowing it to market its products and services more efficiently.
Hoorah! You’re free! But given the above benefits, are you sure you don’t need them? And are you doubly sure you don’t use them already?
Worries about this GDPR implementation
The biggest concern I have about these new cookie notices, apart from some of them being very annoying and intrusive, of course, is that although they’re designed to protect us, how long will it be before they’re hacked and when we absentmindedly click ‘accept’ we end up installing malicious viruses on our computer?
And how can it all be monitored anyway? The only way you can register and store someone saying they don’t want cookies is to store a cookie*, the irony! (Well, there are other ways, but they’d be costly to set up and store.)
*As a side note, these preferences are actually classed as ‘strictly necessary cookies’ and are allowed to be stored, as advised by the ICO, but it’s still comical.
How long before we are lost in lawsuits trying to prove someone said they didn’t want the marketing cookie enabled but it was, and cookies were stored?
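To make the two points above concrete (consent captured cookie by cookie before anything optional is stored, and the visitor’s choice itself living in one strictly necessary cookie), here is an added example of a small consent gate. It is not code from the original post; the cookie name `cookie_consent`, the category names and the helper functions are all assumptions made for the illustration.

```javascript
// Added example (not from the original post): a minimal consent gate.
// It assumes the site records the visitor's choice in one strictly
// necessary cookie named "cookie_consent" (a constructed name) whose
// value is a comma-separated list of the optional categories accepted.

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// The optional categories the banner offers, beside strictly necessary ones.
const OPTIONAL = ["analytics", "marketing"];

// Read the stored choice. No consent cookie yet means nothing optional
// may be set: the default is "off", never "on" or "accepted by browsing".
function consentFrom(cookies) {
  const chosen = (cookies.cookie_consent || "").split(",").filter(Boolean);
  const consent = { necessary: true };
  for (const c of OPTIONAL) consent[c] = chosen.includes(c);
  return consent;
}

// Decide whether a cookie of the given category may be set right now.
function mayPersist(cookieCategory, consent) {
  return cookieCategory === "necessary" || consent[cookieCategory] === true;
}

// Build a Set-Cookie value. Session cookies get no Max-Age; persistent
// ones are capped at 12 months, the lifetime the post cites.
function setCookieHeader(name, value, { persistent = false, maxAgeSeconds = 31536000 } = {}) {
  const twelveMonths = 365 * 24 * 60 * 60;
  let h = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
  if (persistent) h += `; Max-Age=${Math.min(maxAgeSeconds, twelveMonths)}`;
  return h;
}

// Record the visitor's choice. This cookie is the strictly necessary one,
// so it may be stored without consent; unknown categories are dropped.
function recordConsent(accepted) {
  const value = accepted.filter((c) => OPTIONAL.includes(c)).join(",");
  return setCookieHeader("cookie_consent", value, { persistent: true });
}
```

Before setting any analytics or marketing cookie, call `mayPersist` with the category and the result of `consentFrom`; a visitor who has never clicked the banner gets only the strictly necessary cookies.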
In my very own (and a lot of other people’s) personal opinion, I think it’s all a waste of time and money, which isn’t fairly enforceable. And if you don’t know websites have cookies by now (albeit, you may not have known what they were used for), where have you been for the last [nearly] 10 years since the original EU Directive (prior to GDPR, in 2011) was introduced?
But, nevertheless, it’s best to make sure you’re compliant anyway! And now you know, whilst you’re merrily browsing the internet, you’ll pay a lot more attention to all those annoying pop-ups and banners to see if they’re compliant or not!