As a website owner, you will no doubt have heard about cookies and the huge impact they can have on digital marketing. In most cases, unless exceptions apply, a website deploying cookies will need a website cookie policy. However, a website cookie policy has key pitfalls to watch out for and avoid. This article will explore some common mistakes to avoid in your website cookie policy.
What is a Cookie Policy, and Do I Need One?
To determine if you need a cookie policy, you must first determine whether your website uses cookies. A cookie is a text file stored on a user’s device, such as on their computer or phone.
Websites commonly use cookies for various purposes. For example, to:
- remember a user’s preferences;
- analyse the performance of a website and particular features; or
- track a user’s movements across a website for the purposes of marketing and retargeting ads.
There are various types of cookies. Some are ‘strictly necessary’ or essential for a website to function, and some may have a functional purpose. A website may also deploy cookies for analytics or targeting purposes.
If your website uses cookies, you must follow strict legal rules. The Privacy and Electronic Communications Regulations (PECR) heavily regulate cookies.
A critical legal rule under PECR is to provide clear and comprehensive information to users regarding the use of cookies. Unless limited exceptions apply, you will need a website cookie policy. Having such a policy is highly recommended as best practice, even if an exception applies.
You should also note that the UK General Data Protection Regulation and Data Protection Act 2018 regulate the use of cookies that involve processing personal information.
How Your Cookie Policy Can Assist You to Meet Your Consent Obligations
Another fundamental rule under PECR is user consent. Your business must obtain a user’s consent to use cookies unless limited exceptions apply. A common exception to this rule is if the cookies are essential to providing a service over the internet.
However, a cookie policy is not the correct way for you to seek user consent to use cookies. To comply with the strict rules under PECR, user consent to use cookies must be:
- freely given via a positive action;
- clear;
- specific; and
- unambiguous.
Therefore, you will need a separate, valid consent mechanism that allows users to control their preferences and consent to the use of cookies. For instance, many businesses display a ‘cookie banner’ that users must click on to opt into specific types of cookies, demonstrating their consent.
As a website deploying cookies, you must demonstrate that users consented to this high standard. Cookie consent is a challenging topic, and if in doubt, you should seek legal advice.
What Information Should Your Cookie Policy Contain?
Your cookie policy must provide detailed information about all the cookies your website deploys. Understanding and documenting all the relevant cookies are essential steps so that users are aware of the cookies. Users must understand all the cookies used on your website and their impact. Failing to do so will mean that your cookie policy will not comply with the rules under PECR.
Your cookie policy must clearly explain various information, including but not limited to:
- the types of cookies you use;
- what the cookies do and what their purposes are;
- how long they last before they expire;
- if any third parties will access the data collected from cookies; and
- how users can control the use of cookies.
Ensure Your Cookie Policy Is Up to Date
Ensuring that your cookie policy is entirely up to date is essential. Preparing a cookie policy at one stage (for instance, at the start-up stage) and then forgetting about it is a grave mistake. Websites are often updated and may start to deploy additional cookies over time.
For example, a simple, basic website can experience a redesign to deploy further analytics cookies to track website performance.
The UK Information Commissioner’s Office (ICO), which regulates data privacy and enforces the General Data Protection Regulation and PECR in the UK, has issued clear guidance on the changing use of cookies. It is essential to ensure that you inform relevant users of the introduction of new cookies or changes to the use of cookies. Users need to be notified of such changes so that they can decide which cookies they allow you to use.
As such, you should regularly review and update your cookie policy and ensure it is current.
Why Does This Matter?
In recent times, regulators have been scrutinising cookie use more closely. The UK ICO has taken enforcement action against businesses for failing to comply with the relevant legal rules.
Breaches of PECR can have various negative consequences for businesses. For instance, companies can be fined up to £500,000. As such, it is vital to ensure that:
- your business complies with these rules;
- your cookie policy is compliant; and
- you avoid the below-mentioned mistakes.
Cookie laws can seem complicated and daunting to navigate. If you require support with understanding the rules and ensuring your website cookie policy is compliant, you can work with a data protection solicitor to help you comply with them.
What Are Common Mistakes to Avoid in a Cookie Policy?
Some critical mistakes that you should avoid in your website cookie policy are:
- using overly technical language;
- presenting the information in a long and visually difficult format; and
- overcrowding the cookie policy with irrelevant information.
Key Takeaways
In today’s digital world, most websites use some form of cookies. Unless limited exceptions apply, a website using cookies will likely need a cookie policy and will need to seek consent from individuals before using cookies.
Strict legal requirements apply under the PECR regime when using cookies. Businesses can often make severe mistakes in their cookie policies, such as failing to correctly set out information about all the cookies used on their websites. Avoiding these mistakes and ensuring your policy is carefully drafted and compliant with PECR is essential.
If you need advice on a cookie policy, our experienced data, privacy and IT lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.