Keep your web cookies legal

Abstract graphic with "cookies" written on it

It is illegal to use web cookies on your website without first seeking permission from users, and with the General Data Protection Regulation (GDPR) in effect since May 2018, the rules have tightened up again. What does this mean for your website?

To comply with web cookie laws, businesses are required to remove web cookies from their websites completely or to install a method of requesting user consent - such as pop-up windows on a home page.

You must also explain to people how you use web cookies and what data they collect.

What are web cookies?

So what are cookies and how do they work? "Cookies act as a record of where you have been online, such as which sites and pages you have visited," says Stuart Mackintosh, managing director of IT consultancy OpusVL.

"By installing a piece of code on to a site user's computer, they enable websites to remember consumers and their online preferences, such as login details, surfing history and buying habits. Generally, they are beneficial - without them, online shopping would be much harder," he points out.

The web cookies law

According to the Information Commissioner's Office (ICO), the body responsible for regulating the law, most UK business sites use web cookies in some form or another.

Mackintosh advises website owners to carry out an audit to assess what web cookies are used, what purpose they serve and how intrusive they are.

"Crucially, the law states that consent must only be sought if personal data is being stored about a consumer," he explains.

"If cookies are used purely to manage the transaction process, by remembering what is in the consumer's basket, for instance, they are deemed 'strictly necessary' and consent is not required."

The new, wider definition of personal data introduced by the GDPR, however, means that cookies that might not have been caught previously may now be classed as storing personal data. IP addresses and other online identifiers now qualify as personal data. Personal data that has been pseudonymised may also qualify depending upon how easy it is to identify an individual from that data (whether on its own or in combination with other data).

The Information Commissioner has produced helpful guidance on web cookies which will help you decide whether your cookies qualify as strictly necessary and whether consent is required.

Third-party web cookies

However, the situation is more complex if your website uses third-party web cookies.

"If you use or allow cookies to track visitors from any external sites, or use third-party advertisements, both of which are likely to store personal information about visitors for marketing purposes, you will need to provide visitors with a clear method of opting out," Mackintosh stresses.

Consent and opting out from web cookies

Since more cookies will now contain personal data, the GDPR’s consent requirements come into play. Implied consent is therefore unlikely to be sufficient, ruling out pop-ups with simple messages like “by using our site, you accept our cookies”. Advice simply to adjust browser settings will also not be enough.

Offering users the opportunity to opt out of cookies that are not strictly necessary before those cookies are set is likely to be the best option in many cases. Control should also be “granular”, meaning that if there are different categories of cookie on your site, users should be able to pick which to accept and which to opt out of.

This can be achieved in several ways, the most obvious being a pop-up window. "But pop-ups are intrusive and web users typically don't like them," Mackintosh points out.

An alternative is to set up a permanent element on a home page. "For instance, you could build a box on the right-hand side that slides up and down, displaying the site's cookie status."

For websites that sell products or those that require users to register first, the most straightforward way to secure consent for web cookies is to direct customers to a terms-and-conditions page; however, it should be kept in mind that cookie and privacy information should be prominently displayed, and caution should be taken to avoid burying it in a lengthy set of terms and conditions that customers may not read in full.

To comply with best practice, you should also set out a privacy policy on your site that explains what web cookies are and how your business uses them. "It's worth making sure that users can link directly to this from anywhere on your site," advises Mackintosh.

It is also important to keep access to web cookie information and controls close to hand as individuals have the right to withdraw their consent at any time under the GDPR. People must be able to change their minds easily.

Whichever route you choose, the use of web cookies needs to be clearly displayed on your website. "Don't make things obscure because this could lead to complaints, or worse, you could be prosecuted," Mackintosh concludes.

What does the * mean?

If a link has a * this means it is an affiliate link. To find out more, see our FAQs.