Following the Information Commissioner’s Office (ICO) statement on the use of online cookies, it is evident that the ICO are turning their attention to cookie compliance and will continue to do so in the short to medium term. Our recent webinar on the topic covered the possible implications for organisations as well as an overview of the law and tips for good practice. This blog summarises the key takeaways from our webinar relating to cookie compliance in 2024.
Key Takeaways
- Carry out a cookie audit. This allows the organisation to find out exactly what cookies its website uses. Cookies can change over time and so it is beneficial to carry this out regularly e.g. annually or earlier if there has been a change to the functionality of the website.
- Whether or not cookies are collecting personal data, organisations need to be transparent on the use of cookies on their website. This would normally be in the form of a Cookie Notice located at the bottom of the webpages. Focus should be on what cookies they are using, their purpose and how long they last for and any third-party cookies should be identified clearly. Organisations should clearly inform the user of the use of cookies and separate out the different kinds of cookies which are used. If the website uses a large number of cookies, it should categorise these and inform the user of the categories used.
- From carrying out a cookie audit, the organisation should identify what cookies used are ‘essential’ and which are ‘non-essential’. As well as documenting these in the Cookie Notice, some thought will need to be given as to how consent will be obtained for non-essential cookies. The law provides that websites must have opt-in consent for any non-essential cookies and that implied consent and pre-ticked boxes are not valid. Consent must be of ‘GDPR – level’ consent. Examples of non-essential cookies include:
- Cookies used for online advertising
- Cookies used to obtain statistical data on website visitors such as web analytics cookies
- Third-party cookies
- Cookies used to ‘remember’ a user
Therefore, if an organisation is using these or similar non-essential cookies, the organisation would need opt-in consent to do so. A practical and customary way to achieve this is through a cookie consent mechanism available to the user on landing on the website. A brief explanation should be given of the cookies used and it is useful to provide a link to the wider Cookie Notice (see above). The non-essential cookies should be listed (or categorised if there are many) with a consent function along-side each. Please note that non-essential cookies should be set to ‘off’ as default. The ICO advises that organisations should make it as easy for users to reject non-essential cookies as it is to accept non-essential cookies, therefore we recommend including an ‘Accept All’, ‘Manage Cookies’ and ‘Reject all’ function into the consent mechanism.
- You do not need consent for essential cookies. Essential cookies are those which provide to a user any necessary service, any service requested by a user, or to support the functionality of your website. These include cookies required for user input (i.e. completing an online registration form), account authentication (i.e. login) and security (i.e. to detect failed login attempts/fraud prevention).
- A cookie icon should be visible on the website at all times as users might initially consent to the use of a type of cookie before changing their mind. Having an icon visible allows the user to easily change their preferences.
- Avoid the use of cookie walls. Cookie walls ask users to consent to the use of cookies before they can access certain webpages which sit behind the cookie wall. This would likely not constitute valid consent as users cannot access the website unless consent is given. Therefore, consider the location and functionality of the consent mechanism carefully.
- The ICO considers other types of tracking technology as likely to be treated the same as the traditional understanding of cookies therefore be cautious before adopting technology which says it is ‘cookie-less’ but which actually has the same or similar effect as the requirements for cookies may well still apply.
If you have questions about Cookie Consent and the ICO's requirements please contact our specialist team on 03330 430350.
You can access the recording of our Cookie Compliance webinar here.