Cookies: Is your website GDPR compliant?

As you know, GDPR came into force in May 2018 and everyone had a mad run-around to make their business compliant, including their website. We wrote a blog about it at the time, in fact.

But, we’ve since discovered that we, along with thousands of other businesses, got it wrong and our website wasn’t actually compliant at all, despite having the all important Privacy Policy.

And, here’s why…cookies.

So what the heck are cookies anyway?

When I say cookies most people will associate them with yummy treats, but the type of cookies I’m talking about here are the ones that are stored on your computer; essentially, they are small pieces of information stored in small files on your computer by your internet browser. And, when they store identifying information they are classed as ‘personal data’ under GDPR, so they have to be treated as such.

Cookies have a multitude of uses: keeping track of your shopping basket so that when you visit a website again you can easily buy that new bag you’ve been dreaming of since your last visit, tracking what pages you visit to provide you with bespoke marketing advertisements (like Facebook Pixel), and providing useful analytical data (i.e. Google Analytics and such like).

Used normally, these cookies don’t pose any risk, although some people might not want their every move tracked on the web, of course. But they can also be a security risk (on very rare occasions), so it was declared that every website has to advise what cookies it is using and why they are being used.

There are a few different types of cookies

Session cookies

Like the ones used to store your shopping basket, these are usually only temporary and are often very necessary for the functionality of the website.

Permanent cookies

Usually used to keep your login info when you click ‘keep me logged in’ so you don’t have to log in all the time (useful!). These should only last 12 months before expiring.

First party cookies

Set by the website itself, not by any third party – can be used to store anything.

Third party cookies

Set by a third party, for example Facebook if the website uses Facebook Pixel or such like.

How do you implement compliant cookie legislation as part of GDPR?

You know those annoying pop-ups that make you click ‘accept’ (sometimes even before you’ve looked at the website)? Well, most of those are a start on the road to compliance but aren’t actually totally compliant. However, as you might know, the ICO website isn’t very clear on giving exact instructions, and so everyone thought that would be enough.

What the ICO’s ‘In Brief’ Summary says is actually pretty clear

“You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.
There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).
The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.”

But, get further into their website and you get statements like this

“To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.
Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do.
You should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data such as health details, or used for behavioural tracking. The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy.”

And, continuing on to their PECR guidance on cookies, it gets even more confusing.

What the ICO, and the PECR (Privacy and Electronic Communications Regulations) cookie legislation, actually say is that websites have to notify the visitor that the site uses cookies, explain in plain English what the cookies are used for, let the user give explicit consent (i.e. not passive consent like ‘if you continue to use this site you are accepting our cookie policy’) and offer the visitor the ability to turn off the cookies, if they want to, prior to using the website.

Should you simply turn off all cookies?

Now, everyone who uses the internet has the ability to turn off cookies in their browser, and delete any cookies stored there, easily. If you’re worried about storing cookies on your machine, have a Google for how to remove cookies from the specific browser you’re using and instructions will pop up. There are also instructions on how to turn them off, but if you do, you’ll find websites don’t really work as you expect.

Is getting visitors to turn off their own cookies within the browser enough to be compliant?

Of course not. To be compliant with GDPR legislation, the visitor has to have the ability to turn off the cookies website by website, cookie by cookie… BEFORE they move around the website, as that’s when their data (the cookies) will start to be stored.
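To make the rules above concrete (notify, explain in plain English, explicit opt-in, per-category switch-off before anything non-essential is stored), here is an added example of how a site’s own front-end code can gate its cookies on recorded consent. It is not code from the original post or from any WordPress plugin; the cookie names, the ‘essential/analytics/marketing’ categories, the `cookie_consent` cookie and its value format are all assumptions made for this example. The consent preference itself is stored as a first-party cookie, and nothing in the optional categories is set or loaded until the visitor has actively ticked that category.

```javascript
// Added example (not from the original post): consent-gated cookie handling.
// Cookie names, categories and the "cookie_consent" value format are assumptions.

// Every cookie the site can set, mapped to a consent category and a plain-English purpose.
// Only the "essential" category may be used before the visitor has actively consented.
const COOKIE_REGISTRY = {
  cart_id:        { category: "essential", thirdParty: false, purpose: "shopping basket (session)" },
  remember_me:    { category: "essential", thirdParty: false, purpose: "keep me logged in" },
  cookie_consent: { category: "essential", thirdParty: false, purpose: "records the visitor's cookie choices" },
  _ga:            { category: "analytics", thirdParty: true,  purpose: "Google Analytics" },
  _fbp:           { category: "marketing", thirdParty: true,  purpose: "Facebook Pixel" },
};

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// One year in seconds: the post's cap for persistent cookies such as "keep me logged in".
const MAX_PERSISTENT_AGE = 365 * 24 * 60 * 60;

// Parse a document.cookie / Cookie-header style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Has the visitor made any choice yet? If not, the banner must be shown first.
function hasRecordedChoice(cookieString) {
  return Object.prototype.hasOwnProperty.call(parseCookies(cookieString), "cookie_consent");
}

// Read the stored consent. Absence, or a malformed value, means "no consent":
// the default is opt-out, never opt-in, because consent must be an active choice.
function readConsent(cookieString) {
  const consent = {};
  for (const c of OPTIONAL_CATEGORIES) consent[c] = false;
  const raw = parseCookies(cookieString).cookie_consent;
  if (!raw) return consent;
  for (const entry of raw.split(",")) {
    const [cat, val] = entry.split(":");
    if (OPTIONAL_CATEGORIES.includes(cat) && val === "1") consent[cat] = true;
  }
  return consent;
}

// May this cookie be set right now, given what the visitor has (not) agreed to?
function mayUseCookie(name, cookieString) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;                        // not listed in the policy: refuse
  if (entry.category === "essential") return true; // strictly necessary: no consent needed
  return readConsent(cookieString)[entry.category] === true;
}

// May a third-party tag (Pixel, Analytics) be loaded? It sets cookies, so it gets the same gate.
function mayLoadTag(category, cookieString) {
  if (!OPTIONAL_CATEGORIES.includes(category)) return false;
  return readConsent(cookieString)[category] === true;
}

// Build the Set-Cookie value that records the visitor's choices.
// Only boxes actively ticked (boolean true) become "1"; anything else is "0",
// so "continuing to use the site" can never be turned into consent by accident.
function buildConsentCookie(choices) {
  const value = OPTIONAL_CATEGORIES
    .map((c) => `${c}:${choices && choices[c] === true ? 1 : 0}`)
    .join(",");
  return `cookie_consent=${encodeURIComponent(value)}; Max-Age=${MAX_PERSISTENT_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Cookies that must be cleared if the visitor withdraws consent for a category.
function cookiesToDeleteOnWithdrawal(category) {
  return Object.keys(COOKIE_REGISTRY).filter((n) => COOKIE_REGISTRY[n].category === category);
}

// Plain-English cookie table for the banner / privacy policy, generated from the registry
// so the notice can never drift from what the site actually sets.
function cookieTable() {
  return Object.entries(COOKIE_REGISTRY).map(([name, e]) => ({
    name, category: e.category, thirdParty: e.thirdParty, purpose: e.purpose,
  }));
}
```

The registry is the important design choice: the banner text, the gate in front of each `Set-Cookie`, and the list of cookies to wipe on withdrawal all come from one table, so the privacy policy and the site’s real behaviour cannot disagree. In a real page you would check `hasRecordedChoice(document.cookie)` on load, and call `mayLoadTag("marketing", document.cookie)` before injecting the Pixel script.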

The trouble is, most plugins for WordPress don’t offer this function, and even if they do, they’re not exactly simple to set up if you don’t know what you’re doing, and especially if you’ve no idea what cookies you have on your website (although you should, if you have a compliant privacy policy).
Hoorah, yet more work for the small business to do.

Should we just stop using cookies?

Yes, ideally, so we don’t have to bother with all this. But that’s not always beneficial to the business…or even the customer/visitor.

  1. They’re essential if you have an e-commerce website; there’d be uproar if a customer added something to the basket and it disappeared because they didn’t immediately check out.
  2. They help the business improve its services by allowing it to monitor the analytics and see how customers use the website.
  3. They help the business get more sales by allowing it to market its products and services more efficiently.

What if your website doesn’t use cookies?

Hoorah! You’re free! But given the above benefits, are you sure you don’t need them? And are you doubly sure you don’t use them already?
But if your website definitely definitely doesn’t use cookies then don’t worry, you’re compliant as long as you specify that in the privacy policy.

Worries about this GDPR implementation

The biggest concern I have about these new cookie notices, apart from some of them being very annoying and intrusive, of course, is that although they’re designed to protect us, how long will it be before they’re hacked and, when we absentmindedly click ‘accept’, we end up installing malicious viruses on our computer?
And, how can it all be monitored anyway? The only way you can register and store someone saying they don’t want cookies is to store a cookie*, the irony! (Well, there are other ways, but they’d be costly to set up and store.)
*As a side note, these preferences are actually classed as ‘strictly necessary cookies’ and are allowed to be stored, as advised by the ICO, but it’s still comical.
How long before we are lost in lawsuits trying to prove someone said they didn’t want the marketing cookie enabled but it was, and cookies were stored?

In my very own (and a lot of other people’s) personal opinion, I think it’s all a waste of time and money, which isn’t fairly enforceable. And if you don’t know websites have cookies by now (albeit, you may not have known what they were used for), where have you been for the last [nearly] 10 years since the original EU Directive (prior to GDPR, in 2011) was introduced?

Edit: In addition, speed will also play a part – whether the website speed or the user’s connection. I’ve experienced one site that loaded the cookie policy last… after I’d been moving around the site freely for a while, which is against the policy but, again, hard to enforce.

But, nevertheless, it’s best to make sure you’re compliant anyway! And now you know, whilst you’re merrily browsing the internet, you’ll pay a lot more attention to all those annoying pop-ups and banners to see if they’re compliant or not!

Suzi Smart Bear

I'm Suzi - the owner of The Smart Bear.
