It has been some time since the cookie law implementation came to light, with everyone hurriedly updating their websites, and a huge increase in pop-ups whenever you tried to visit a website.
To give you a little recap, a cookie is a piece of code that identifies a user based on their IP address. It can help keep your visitors logged into your website, look after shopping carts, and track visitor behaviour once on your website. Cookies are there to give users a positive browsing experience and to allow site owners to gather more data about their visitors, enabling them to make enhancements to their website.
What are the risks involved in using cookies?
When cookies are used on your browser without your consent, there are risks involved. Not only do they collect data about you, but they will also share this information with third-party advertisers. Those ‘follow-me’ ads that pop up all around the internet, showing a pair of shoes you recently looked at – they are due to cookies.
Here are some things to take into consideration when using cookies:
1. If the cookie data is not anonymised, it can constitute personal data
2. You need to comply with data protection laws and have grounds for processing
3. The usual data breach risks of negative publicity and possible fines apply
4. You need to build trust with your customers, starting with your website.
GDPR & cookies
The GDPR and the 2018 Data Protection Act contain rules about what you should and shouldn’t do when it comes to using cookies to track personal information. There is also a ‘Cookie Law’ which is a higher standard, within the Privacy & Electronic Communication Directive (PECR), 2002.
These regulations are why, when you are browsing the internet, you come across more websites showing banners and pop-up cookie notices. This is to ensure that users receive more information on the cookies being used to track them, and how to manage an opt-in. Note ‘opt-in’… your option is always to opt in. This is no longer predetermined.
So what do you need to do as a business?
Under both the GDPR and the PECR, you need to:
- Provide clear information about the purpose of the cookie, written in plain, unambiguous language.
- Gain consent by giving the user the option to opt in. No pre-ticked boxes or confusing text; a simple ‘click to accept cookies’ tick box will suffice.
- Users need to be informed about cookies before they are actually placed. Ensure you have a pop-up on your website which appears as soon as the page is loaded, stopping progress until an action has been taken.
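One way to enforce the three requirements above in site code, shown as an added example that is not from the original article: every cookie must be declared with a purpose, nothing is consented by default, and writes are held until the visitor opts in to that purpose. All names are hypothetical, a Map stands in for the browser cookie store, and no exemptions are modelled.

```javascript
// Added example, not from the original article. All names are hypothetical.
// `jar` (a Map) stands in for the browser cookie store so this runs in Node too.
class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.catalogue = new Map(); // cookie name -> { purpose, description }
    this.consented = new Set(); // starts empty: nothing is pre-ticked
    this.held = [];             // writes waiting for an opt-in
  }

  // Every cookie must be declared with a purpose and a plain description,
  // so the banner can tell the visitor what it is for.
  declare(name, purpose, description) {
    if (!purpose || !description) throw new Error(`cookie ${name} needs a purpose and description`);
    this.catalogue.set(name, { purpose, description });
  }

  // Write a cookie only if its purpose has been opted in to; otherwise hold it.
  set(name, value) {
    const entry = this.catalogue.get(name);
    if (!entry) throw new Error(`undeclared cookie: ${name}`);
    if (this.consented.has(entry.purpose)) {
      this.jar.set(name, value);
      return 'set';
    }
    this.held.push({ name, value });
    return 'held';
  }

  // Called from the banner when the visitor actively ticks a purpose.
  optIn(purpose) {
    this.consented.add(purpose);
    const stillHeld = [];
    for (const w of this.held) {
      if (this.catalogue.get(w.name).purpose === purpose) this.jar.set(w.name, w.value);
      else stillHeld.push(w);
    }
    this.held = stillHeld;
  }
}

// Constructed sample data: two cookies, the visitor opts in to analytics only.
function demo() {
  const jar = new Map();
  const gate = new ConsentGate(jar);
  gate.declare('_stats', 'analytics', 'counts page views');
  gate.declare('_ads', 'advertising', 'shows ads for items you viewed');
  const before = [gate.set('_stats', 'v1'), gate.set('_ads', 'a9'), jar.size];
  gate.optIn('analytics');
  return { before, after: [...jar.keys()], held: gate.held.length };
}
```

In a browser, the `jar.set` calls would be replaced by writes to `document.cookie`, and third-party scripts that set their own cookies would need to be loaded only from inside `optIn`.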
Steps to put into action now
Firstly, check what cookies you have, and check whether they are actually necessary. Do you need to collect information on people’s gender, for example? Secondly, take the time to review your Cookie & data protection policies as these need to be up to date, and reflective of the cookies you are actually using. Finally, make sure you are receiving consent from your website visitors.