Many online businesses in our technology-savvy world now use cookies on their websites.
For example, several online shops use cookies to remember user items in a shopping basket, track behaviour and customise user experiences. However, when using cookies, strict legal rules apply. One of the key rules to follow is to obtain user consent for using cookies. Most businesses address this by using a pop-up ‘cookie banner’. This article will explain the background of the legal requirements and what a website cookie banner is.
What is a Cookie Banner?
A cookie banner is a pop-up that appears when a user visits a website. The banner is often referred to as a ‘cookie consent banner’ as it:
- tells the user that the website uses cookies; and
- requests consent from the user to deploy cookies before they can access the website.
A cookie banner often gives a website user the choice to accept or reject cookies on a website.
What is a Cookie?
A cookie is a small text file stored on a user’s device, such as their computer, phone or tablet. Cookies can enable businesses to identify individual users and store certain information about them. Cookies are also often used for targeting and advertising purposes, for example, based on the browser history of a website user.
There are various types of cookies, such as:
- essential or strictly necessary cookies;
- performance or analytical cookies;
- functionality cookies; and
- targeting or advertising cookies.
A website could use cookies for:
- remembering the items in a customer’s cart;
- counting the number of visitors to the website; or
- personalising content targeted at a user.
What is the Law Governing Cookies?
The critical law governing the use of cookies is the Privacy and Electronic Communications Regulations (‘PECR’). The PECR sets out various rules for businesses to follow when using cookies. We explain some of these rules in the table below.
| Rule | Explanation |
| --- | --- |
| Notifying Users | Unless an exception applies, you must tell individuals you are using cookies. A cookie policy is a document that provides detailed information about the use of cookies. A cookie policy describes various information about a business’s different types of cookies and how they are used. Often, it allows users to understand how to control and change their preferences around using cookies. |
| User Consent | You must obtain a user’s consent to deploy cookies on their device unless the cookies are essential. For example, cookies may be strictly necessary to make a website work. We explore this further below. |
How Can Businesses Lawfully Use Cookie Banners?
There are some points you should consider when using cookie banners.
1. Consent
When you need consent to deploy cookies under PECR, the user’s consent must be clear, freely given, specific, informed, and unambiguous. As a result, it is vital that your cookie consent mechanism is correct and compliant with PECR.
You will need to ensure that you can show that a user has given their specific, informed and unambiguous consent for you to deploy cookies on their device.
You should note that ‘implied’ consent is not compliant with the PECR rules. Users must take an active step to show they consent to the use of cookies.
2. Displaying the Banner
To meet these strict requirements, a cookie banner should appear when a user first visits a website. The banner should deal with the consent requirements under PECR and provide information about the website’s cookie policy detailing the specific cookies the website uses.
Businesses also need to consider how to provide clear and comprehensive information about cookies without confusing or disrupting a user’s experience. In practice, this can be difficult.
What Are the Risks of Using a Cookie Banner?
You should note the risks around using techniques such as cookie banners. For example, suppose a user ignores the cookie banner without indicating their consent to using cookies, and you go ahead and deploy non-essential cookies. In this instance, the user would not have provided consent, and you would be in breach of the PECR rules.
If your business uses non-compliant cookie banners or fails to obtain valid consent for the use of cookies, you will be in breach of the rules under PECR. The Information Commissioner’s Office can impose fines of up to £500,000 for violating the PECR rules.
Key Takeaways
If you are using cookies on your website, you must note the strict legal rules under PECR. You must ensure that your website users take explicit action to consent to non-essential cookies. A cookie banner is a common approach that most businesses with websites take. However, using a cookie banner comes with risk, and you must ensure your consent mechanism is compliant with the PECR rules.
If you need advice on the legal rules around using cookies, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.