Common Mistakes to Avoid in a Website Cookie Policy

As a website owner, you will no doubt have heard about cookies and the huge impact they can have on digital marketing. In most cases, unless exceptions apply, a website deploying cookies will need a website cookie policy. However, a website cookie policy has key pitfalls to watch out for and avoid. This article will explore some common mistakes to avoid in your website cookie policy.

To determine if you need a cookie policy, you must first determine whether your website uses cookies. A cookie is a text file stored on a user’s device, such as on their computer or phone. 

Websites commonly use cookies for various purposes. For example, to:

  • remember a user’s preferences; 
  • analyse the performance of a website and particular features; or
  • track a user’s movements across a website for the purposes of marketing and retargeting ads.

There are various types of cookies. Some are ‘strictly necessary’ or essential for a website to function, and some may have a functional purpose. A website may also deploy cookies for analytics or targeting purposes.

If your website uses cookies, you must follow strict legal rules. The Privacy and Electronic Communications Regulations (PECR) heavily regulate cookies. 

A critical legal rule under PECR is that websites must provide users with clear and comprehensive information about their use of cookies. Unless limited exceptions apply, you will need a website cookie policy. Having one is highly recommended as best practice, even if an exception applies.

You should also note that the UK General Data Protection Regulation and the Data Protection Act 2018 regulate the use of cookies that involve processing personal information.

Another fundamental rule under PECR is user consent. Your business must obtain a user’s consent to use cookies unless limited exceptions apply. A common exception to this rule is if the cookies are essential to providing a service over the internet. 

However, a cookie policy is not the correct way for you to seek user consent to use cookies. To comply with the strict rules under PECR, user consent to use cookies must be:

  • freely given via a positive action; 
  • clear; 
  • specific; and 
  • unambiguous.

Therefore, you will need a separate, valid consent mechanism that lets users control their preferences and consent to the use of cookies. For instance, many businesses display a ‘cookie banner’ that users must click on to opt in to specific types of cookies, which demonstrates their consent.

A positive action may also include ticking a box, making a selection or updating a slider.

As a website deploying cookies, you must demonstrate that users consented to this high standard. Cookie consent is a challenging topic, and if in doubt, you should seek legal advice. 

Your cookie policy must provide detailed information about all the cookies your website deploys. Understanding and documenting all the relevant cookies are essential steps so that users are aware of the cookies. Users must understand all the cookies used on your website and their impact. Failing to do so will mean that your cookie policy will not comply with the rules under PECR. 

Your cookie policy must clearly explain various information, including but not limited to:

  • the types of cookies you use;
  • what the cookies do and what their purposes are;
  • how long they last before they expire; 
  • if any third parties will access the data collected from cookies; and
  • how users can control the use of cookies. 

You need comprehensive information about your website cookies and their uses so you can accurately define them in your cookie policy. You can find this information by carrying out a detailed cookie audit. This often requires the support of professional website developers to gauge which cookies the website deploys.

Ensuring that your cookie policy is entirely up to date is essential. Preparing a cookie policy at one stage (for instance, at the start-up stage) and then forgetting about it is a grave mistake. Websites are often updated and may start to deploy additional cookies over time. 

For example, a simple, basic website may be redesigned to deploy further analytics cookies that track website performance.

The UK Information Commissioner’s Office (ICO), which regulates data privacy and enforces the General Data Protection Regulation and PECR in the UK, has issued clear guidance on the changing use of cookies. It is essential to ensure that you inform relevant users of the introduction of new cookies or changes to the use of cookies. Users need to be notified of such changes so that they can decide which cookies they allow you to use. 

As such, you should regularly review and update your cookie policy and ensure it is current. 

Why Does This Matter?

In recent times, regulators have been scrutinising cookie use more closely. The UK ICO has taken enforcement action against businesses for failing to comply with the relevant legal rules.

Breaches of PECR can have various negative consequences for businesses. For instance, companies can be fined up to £500,000. As such, it is vital to ensure that:

  • your business complies with these rules;
  • your cookie policy is compliant; and 
  • you avoid the below-mentioned mistakes.

Cookie laws can seem complicated and daunting to navigate. If you require support with understanding the rules and ensuring your website cookie policy is compliant, you can work with a data protection solicitor to help you comply with them.

Some critical mistakes that you should avoid in your website cookie policy are:

  • using overly technical language; 
  • presenting the information in a long and visually difficult format; and
  • overcrowding the cookie policy with irrelevant information. 

Key Takeaways

In today’s digital world, most websites use some form of cookies. Unless limited exceptions apply, a website using cookies will likely need a cookie policy and will need to seek consent from individuals before using cookies. 

Due to the legal rules under the PECR regime, strict legal requirements apply when using cookies. Businesses can often make severe mistakes in their cookie policies, such as failing to correctly set out information about all the cookies used on their websites. Avoiding these mistakes and ensuring your policy is carefully drafted and compliant with the PECR is essential.

If you need advice on a cookie policy, our experienced data, privacy and IT lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.

Harmanjot Kaur

Senior Associate

Harmanjot is a Senior Associate in LegalVision’s Corporate & Commercial team. She works closely with startups, SMEs and enterprise clients to provide commercially pragmatic advice. Previously a member of our Growth team, Harmanjot harnesses her experience as a Legal Project Manager to better understand the businesses she works with and uses this knowledge when drafting and negotiating commercial arrangements for her clients.

Qualifications: Bachelor of Laws, Bachelor of Communications, University of Technology Sydney.
