Website Cookie Guide - Guest Blog by Sam Alford

The EU General Data Protection Regulation (GDPR) is one of the world’s strictest data protection laws.

EU data protection authorities can impose GDPR fines of up to €20 million (roughly £17 million) or 4% of worldwide turnover for the preceding financial year, whichever is higher. Since 1 January 2021 the UK GDPR has replaced the EU GDPR in the UK, but organisations that do business in the EU are subject to both.

One important and often overlooked aspect of GDPR is the use of website cookies. Cookie-related GDPR fines have increased significantly in recent months; this year Amazon alone was fined a staggering €746 million.

GDPR Website Cookie Guide by Sam Alford

Since GDPR came into force in 2018 we have all become used to website cookie notices, but how do you know whether your cookie notice works the way it should, or whether your website is obtaining the correct permission for the cookies it stores?

We asked Sam Alford, an experienced Data Protection Officer (DPO), auditor with PPP Management, and author of GDPR: A Game of Snakes and Ladders: How Small Businesses Can Win at the Compliance Game, to help clarify the situation and explain exactly how to handle website cookies.

She very helpfully created this guide for us.

What is a Website Cookie?

Cookies are small data files sent from a website’s server to your web browser, and then stored on your device. Their purpose can differ, but they’re often used to:  

  • Help customise your website 
  • Help visitors navigate through your website  
  • Store useful things such as the contents of your shopping cart 
  • Improve user experience by personalisation  
  • Store a visitor’s preferences and login information 


Depending on what your website does, a cookie can be either an essential or a non-essential part of the site, and each type comes with a different requirement:
 

Essential cookies
  • Description: Needed to make your website work
  • Example: Storing the contents of your shopping cart on an ecommerce site
  • Required website action: Cookie policy

Non-essential cookies
  • Description: Used for a purpose other than making the website work
  • Example: Advertising tracking cookies such as the Facebook Pixel
  • Required website action: Cookie notice and cookie policy

What cookies are used by your website?

It’s a good idea to audit and categorise your cookies before deciding on the best action to take for your website.

If you don’t know what cookies your website uses, tools like CookieServe help you find out. (https://www.cookieserve.com/).
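As an added illustration of that audit step (this script is not part of the guide or of any tool it mentions), the Node.js code below takes the Set-Cookie headers a fresh browser profile received while loading a page, before any consent choice was made, and reports each cookie's domain, lifetime and category against the site owner's list of essential cookies. The site example.org, the cookie names and the essential list are constructed assumptions.

```javascript
// Added example (not part of Sam Alford's guide): audit the cookies a site
// sets BEFORE the visitor has accepted or rejected anything, and flag every
// cookie that is not on the owner's list of essential cookies. The responses,
// cookie names and the ESSENTIAL list below are constructed for illustration.

// Constructed sample: Set-Cookie headers from the responses a fresh browser
// profile received while loading a hypothetical site, example.org, including
// a response from a third-party tracking endpoint.
const SAMPLE_RESPONSES = [
  {
    url: 'https://example.org/',
    setCookie: [
      'cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
      'cookie_preferences_set=false; Path=/; Max-Age=31536000; SameSite=Lax',
      '_ga=GA1.2.123456789.1700000000; Domain=.example.org; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT',
      '_gid=GA1.2.987654321.1700000000; Domain=.example.org; Path=/; Max-Age=86400',
    ],
  },
  {
    url: 'https://www.facebook.com/tr/',
    setCookie: ['fr=0aBcDeFgHiJkLmNoP; Domain=.facebook.com; Path=/; Max-Age=7776000; Secure; SameSite=None'],
  },
];

// The site being audited and the cookies its owner has classed as essential
// (both assumptions for this example). Anything else needs prior consent.
const FIRST_PARTY = 'example.org';
const ESSENTIAL = new Set(['cart', 'cookie_preferences_set']);

// Parse one Set-Cookie header. `now` is injectable so results are deterministic.
// Max-Age wins over Expires (RFC 6265 section 4.1.2.2); neither means a session cookie.
function parseSetCookie(header, responseHost, now) {
  const [nameValue, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  let expiresAt = null;
  if (attrs['max-age'] !== undefined) {
    expiresAt = now + Number(attrs['max-age']) * 1000;
  } else if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) expiresAt = t;
  }
  const rawDomain = typeof attrs.domain === 'string' ? attrs.domain : responseHost;
  return { name, domain: rawDomain.replace(/^\./, '').toLowerCase(), expiresAt };
}

// A cookie scoped to anything other than the site or its subdomains is third party.
function isThirdParty(domain) {
  return domain !== FIRST_PARTY && !domain.endsWith('.' + FIRST_PARTY);
}

// Lifetime in the wording a cookie policy table needs ("session", "1 day", "2 years").
function describeDuration(expiresAt, now) {
  if (expiresAt === null) return 'session';
  const secs = Math.max(0, Math.round((expiresAt - now) / 1000));
  const units = [['year', 365 * 86400], ['day', 86400], ['hour', 3600], ['minute', 60]];
  for (const [unit, size] of units) {
    if (secs >= size) {
      const n = Math.round(secs / size);
      return `${n} ${unit}${n === 1 ? '' : 's'}`;
    }
  }
  return `${secs} second${secs === 1 ? '' : 's'}`;
}

// Audit every cookie and mark the ones that must not have been set before consent.
function audit(responses, now = Date.now()) {
  const report = [];
  for (const { url, setCookie } of responses) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const c = parseSetCookie(header, host, now);
      const essential = ESSENTIAL.has(c.name);
      report.push({
        name: c.name,
        domain: c.domain,
        thirdParty: isThirdParty(c.domain),
        category: essential ? 'essential' : 'non-essential',
        duration: describeDuration(c.expiresAt, now),
        // A non-essential cookie observed before any consent choice is a finding.
        violation: !essential,
      });
    }
  }
  return report;
}

function violations(report) {
  return report.filter((r) => r.violation);
}

const preConsentReport = audit(SAMPLE_RESPONSES, Date.parse('2024-01-01T00:00:00Z'));
console.table(preConsentReport);
console.log(`${violations(preConsentReport).length} non-essential cookie(s) set before consent`);
```

Two caveats when you run this against a real site: cookies set from JavaScript through document.cookie never appear in Set-Cookie headers, so also inspect the browser's cookie storage (or a HAR export) once the page has fully loaded; and repeat the capture after clicking "reject", since that is the state in which most sites fail.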

Remember:
Your organisation is responsible and accountable for compliance with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). Check periodically for changes to data protection legislation that may affect your website and service.

Cookie Notices

You need to display a cookie notice if your website uses any non-essential cookies.

The notice should:

  • Tell users that the cookies are there,
  • Explain what the cookies are doing and why
  • Give the website visitor the opportunity to accept or reject any cookies that are not essential to using your website.


This example is based on the cookie notice used on the GOV.UK website.

Keep the text in the cookie notice box as short as possible, but make sure it accurately describes how you use cookies. Include the name of the website in the banner heading so users understand which cookies you are talking about. You will need to change the example cookie banner text if your service:

  • Allows third parties to set cookies 
  • Uses cookies for reasons other than collecting analytics information or remembering the user’s settings 

When to show your cookie notice

Show the cookie banner every time a user accesses your service until they either accept or reject cookies using the buttons in the notice. Once the user has accepted or rejected cookies:

  • Hide the cookie banner message, or show a confirmation message with a ‘hide’ button that lets the user close the banner
  • Set a cookie that saves the user’s choice for 1 year


Make sure the cookie banner does not:
 

  • Show when the user visits again, once their preferences have been saved 
  • Set any non-essential cookies unless the user accepted them on a previous visit 


Note: If you only use essential cookies on your website then you can choose not to have a cookie banner.
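The banner rules above, written out as code. This is an added example, not the GOV.UK implementation or anything from the guide: the cookie name cookie_policy, the JSON value format, the element ids and the analytics script URL are assumptions. The decision functions are kept separate from the browser wiring so they can be checked outside a browser.

```javascript
// Added example (not from the guide or GOV.UK): decision logic for a cookie
// banner that only loads non-essential scripts after a stored "accept", and
// records both accept and reject choices for one year so the banner does not
// come back on the next visit. Cookie name, value format and element ids are
// assumptions for illustration.

const CONSENT_COOKIE = 'cookie_policy';          // assumed name of the preference cookie
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;     // the 1-year lifetime the guide recommends

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookieString(str) {
  const out = {};
  for (const pair of str.split(';')) {
    const trimmed = pair.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    out[name] = eq === -1 ? '' : decodeURIComponent(trimmed.slice(eq + 1));
  }
  return out;
}

// Read the saved choice. Returns null when no valid choice is recorded, which
// is the signal to show the banner. A malformed or tampered value is treated
// as "no choice" rather than as consent.
function readConsent(cookieString) {
  const raw = parseCookieString(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  try {
    const parsed = JSON.parse(raw);
    if (parsed === null || typeof parsed.analytics !== 'boolean') return null;
    return { analytics: parsed.analytics };
  } catch {
    return null;
  }
}

// Build the cookie string that records the choice for one year. The preference
// cookie is itself strictly necessary, so setting it needs no consent.
function buildConsentCookie(choice, secure = true) {
  const value = encodeURIComponent(JSON.stringify({ analytics: choice.analytics === true }));
  const attrs = [`${CONSENT_COOKIE}=${value}`, 'Path=/', `Max-Age=${ONE_YEAR_SECONDS}`, 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// What the page should do on load, given the cookies the browser already holds.
function decide(cookieString) {
  const consent = readConsent(cookieString);
  return {
    showBanner: consent === null,
    loadAnalytics: consent !== null && consent.analytics === true,
  };
}

// Inject the analytics tag. Only ever called after consent; the URL and
// measurement id are placeholders (assumption).
function loadAnalyticsScript() {
  const s = document.createElement('script');
  s.src = 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX';
  s.async = true;
  document.head.appendChild(s);
}

// Browser wiring, skipped when the file runs under Node. Element ids
// cookie-banner, cookie-accept and cookie-reject are assumed.
if (typeof document !== 'undefined') {
  const { showBanner, loadAnalytics } = decide(document.cookie);
  if (loadAnalytics) loadAnalyticsScript();
  if (showBanner) {
    const banner = document.getElementById('cookie-banner');
    banner.hidden = false;
    for (const choice of ['accept', 'reject']) {
      document.getElementById(`cookie-${choice}`).addEventListener('click', () => {
        document.cookie = buildConsentCookie({ analytics: choice === 'accept' });
        if (choice === 'accept') loadAnalyticsScript();
        banner.hidden = true;
      });
    }
  }
}
```

The point that matters for compliance is ordering: nothing that loads the analytics tag runs on the initial page load unless a stored, well-formed accept is found, and a rejection is stored for the same year so the banner does not return on every visit. Treating a malformed preference cookie as "no choice" fails safe to showing the banner again rather than to loading the tracker.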
 

Cookie Policies

Your cookie policy should be available from the moment your website goes live and must be written for your business rather than just copied and pasted from elsewhere. The cookie policy must be written in plain English and list each cookie individually including: 

  • The cookie name 
  • A brief description of what the cookie does 
  • For third party cookies, who is setting the cookie (for example, social media websites)  
  • When the cookie will expire. 


Once your cookie policy is finalised and uploaded to your website, link to it from both the website footer and the cookie notice. Don’t be tempted to bury the cookie policy within your ‘Terms and Conditions’.
 

Cookie Policy Contents

Information about essential and non-essential cookies

(For illustration purposes we’ve used cookies set by WordPress.org)

Cookies
Cookies are small files saved on your phone, tablet or computer when you visit a website.

We use cookies to make [website name] work and collect information about how you use our service.

Essential Cookies
Essential cookies keep your information secure while you use [website name]. We do not need to ask permission to use them.

devicePixelRatio
  • Domain: wordpress.org
  • Type: Functional
  • Description: This cookie is used to make the site responsive to the user’s screen size.
  • Duration: session

Non-essential Cookies
With your permission, we use Google and YouTube Analytics to collect data about how you use [website name]. This information helps us to improve our service.

Google and YouTube are not allowed to share our analytics data with anyone.

_ga
  • Domain: .wordpress.org
  • Type: Analytics
  • Description: Installed by Google Analytics, the _ga cookie calculates visitor, session and campaign data and keeps track of site usage for the site’s analytics report. It does not store directly identifying information; it assigns a randomly generated number to recognise returning visitors.
  • Duration: 2 years

_gid
  • Domain: .wordpress.org
  • Type: Analytics
  • Description: Installed by Google Analytics, the _gid cookie stores information on how visitors use a website and is used to produce an analytics report of the website’s performance. The data collected includes the number of visitors, their source and the pages they visit.
  • Duration: 1 day

CONSENT
  • Domain: .youtube-nocookie.com
  • Type: Analytics
  • Description: YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
  • Duration: 2 years

_gat_UA-52447-1
  • Domain: .wordpress.org
  • Type: Performance
  • Description: A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
  • Duration: 1 minute

Have an agreed process for updating your cookie policy when you need to add or remove a cookie, and make sure the relevant people on your team know what the process is.

You can see an example here. https://design-system.service.gov.uk/patterns/cookies-page/.

Tracking/Other Cookies (optional)

If your website uses tracking cookies, pixels or similar technologies, or if your service providers use cookies, provide this information in the same manner as above, e.g.

List of Tracking/other Cookies
{identify cookies, describe what they are for, provide links to any advertisers, networks and pixels and websites/privacy notices}

Managing Cookies

It is helpful to use your cookie policy to inform users how to manage cookies on their devices.

Managing Cookies
It is possible to set up your browser to allow or refuse cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via these links:

Google Chrome: https://support.google.com/chrome/answer/95647

Mozilla: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Microsoft: https://support.microsoft.com/en-gb/help/17442/windows

Apple: https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac

Provide Your Company Details

Your website should include details of who owns it, your registered address and company number (if appropriate) and contact details.

Updates

Update your cookies page when you change the cookies you’re using. Do not set any new non-essential cookies until the user has given their consent again.

FURTHER INFORMATION

Sam Alford is a DPO, GDPR consultant and author of “GDPR: A Game of Snakes and Ladders”

ISBN: 978-0-367-43545-5 (hbk)
ISBN: 978-1-003-00479-0 (ebk)

Sam can be contacted via:

Mobile: +44 (0) 7813 653347
E-mail: sam.alford@pppmanagement.co.uk
Website: www.pppmanagement.co.uk

For official government advice visit: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/