Website Cookie Guide – Guest Blog by Sam Alford
The EU General Data Protection Regulation (GDPR) is one of the world’s strictest data protection laws.
EU data protection authorities can impose GDPR fines of up to €20 million (roughly £17 million) or 4% of worldwide turnover for the preceding financial year, whichever is higher. Since January 2020 the UK GDPR has replaced the EU GDPR in the UK, but organisations that do business in the EU must comply with both.
One important and often overlooked aspect of GDPR is the use of website cookies. Cookie-related GDPR fines have increased significantly in recent months, with Amazon alone disclosing a fine of €746 million this year.
Since the introduction of GDPR legislation in 2018, we’re all used to the concept of website cookie notices, but how do you know whether your cookie notice works the way it should, or whether your website is obtaining the correct permission for the cookies it stores?
We asked Sam Alford, experienced Data Processing Officer, Auditor with PPP Management, and author of GDPR: A Game of Snakes and Ladders: How Small Businesses Can Win at the Compliance Game to help clarify the situation and let us know exactly how to handle website cookies.
She very helpfully created this guide for us.
What is a Website Cookie?
Cookies are small data files sent from a website’s server to your web browser, and then stored on your device. Their purpose can differ, but they’re often used to:
- Help customise your website
- Help visitors navigate through your website
- Store useful things such as the contents of your shopping cart
- Improve user experience by personalisation
- Store a visitor’s preferences and login information
Depending on what your website does, cookies can be either an essential or a non-essential part of the site, and each type comes with different requirements:
| | Essential cookies | Non-essential cookies |
|---|---|---|
| Description | Needed to make your website work | Used for some purpose other than making the website work |
| Example | Storing the contents of your shopping cart on an ecommerce site | Advertising tracker cookies such as Facebook Pixel |
What cookies are used by your website?
It’s a good idea to audit and categorise your cookies before deciding on the best action to take for your website.
Your organisation is responsible and accountable for compliance with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). You should periodically check whether there have been changes to data protection legislation which may affect your website and service.
You need to display a cookie notice if your website uses any non-essential cookies.
The notice should:
- Tell users that the cookies are there
- Explain what the cookies are doing and why
- Give the website visitor the opportunity to accept or reject any cookies that are not essential to using your website
This example is based on the cookie notice used on the GOV.UK website.
- Allows third parties to set cookies
When to show your cookie notice
Show the cookie banner every time a user accesses your service until they either accept or reject cookies using the buttons in the cookie notice. Once the user has accepted or rejected cookies:
- Hide the cookie banner message, or
- Show a confirmation message with a ‘hide’ button to let the user close the banner
- Set a cookie to save the user’s preferences for 1 year
Make sure the cookie banner does not:
- Show when the user visits again, once their preferences have been saved
- Set any non-essential cookies unless the user accepted them on a previous visit
Note: If you only use essential cookies on your website then you can choose not to have a cookie banner.
- The cookie name
- A brief description of what the cookie does
- For third party cookies, who is setting the cookie (for example, social media websites)
- When the cookie will expire.
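The banner rules above (show until a choice is saved, remember the choice for one year, never set non-essential cookies without acceptance) and the per-cookie details a policy should list, as an added example that is not code from the original post or from the GOV.UK service it mentions. It is plain JavaScript with no DOM access so the decision logic can be exercised on its own; the preference cookie name cookie_preferences, the function names and the three inventory entries are constructed assumptions for this example.

```javascript
// Added example: consent-banner decision rules plus a cookie inventory.
// Everything here (cookie name, functions, inventory rows) is assumed, not
// taken from the original post.

const CONSENT_COOKIE_NAME = "cookie_preferences"; // assumed name of the preference cookie
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;      // "save the user's preferences for 1 year"

// Constructed inventory carrying the fields a cookie policy should list:
// the cookie name, what it does, who sets it, and when it expires.
const COOKIE_INVENTORY = [
  { name: "session_id",  essential: true,  setBy: "this site",
    purpose: "Keeps the visitor logged in", expires: "when the browser closes" },
  { name: "basket",      essential: true,  setBy: "this site",
    purpose: "Stores the contents of the shopping cart", expires: "7 days" },
  { name: "ads_tracker", essential: false, setBy: "advertising network (hypothetical third party)",
    purpose: "Tracks visits for advertising", expires: "1 year" },
];

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Saved choice: "accepted", "rejected", or null when no valid preference is stored.
// Anything else (tampered or stale value) is treated as "no choice yet".
function readConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE_NAME];
  return value === "accepted" || value === "rejected" ? value : null;
}

// Rule: show the banner on every visit until a choice has been saved.
function shouldShowBanner(cookieString) {
  return readConsent(cookieString) === null;
}

// Rule: non-essential cookies are only set once the visitor has accepted them.
// Returns the inventory names that may be set on this page load.
function permittedCookies(cookieString, inventory = COOKIE_INVENTORY) {
  const accepted = readConsent(cookieString) === "accepted";
  return inventory.filter((c) => c.essential || accepted).map((c) => c.name);
}

// Set-Cookie value recording the choice for one year. The preference cookie is
// itself essential (it exists only to honour the choice), so it is written
// whichever button was pressed.
function buildConsentCookie(choice) {
  if (choice !== "accepted" && choice !== "rejected") {
    throw new Error(`invalid consent choice: ${choice}`);
  }
  return `${CONSENT_COOKIE_NAME}=${choice}; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// One page load: given the cookies the browser sent and the button pressed on
// this load (if any), return what the banner should do.
function bannerAction(cookieString, buttonPressed = null) {
  if (buttonPressed) {
    // Choice just made: save it, hide the banner message, show a confirmation.
    return { showBanner: false, showConfirmation: true, setCookie: buildConsentCookie(buttonPressed) };
  }
  return { showBanner: shouldShowBanner(cookieString), showConfirmation: false, setCookie: null };
}

// Rows for the cookie policy page, one per cookie in the inventory.
function policyRows(inventory = COOKIE_INVENTORY) {
  return inventory.map((c) => ({
    name: c.name,
    type: c.essential ? "essential" : "non-essential",
    description: c.purpose,
    setBy: c.setBy,
    expires: c.expires,
  }));
}
```

In a real page the `setCookie` string would be written via `document.cookie` or a `Set-Cookie` response header, and any script that drops a non-essential cookie would be loaded only for names returned by `permittedCookies`. Treating an unrecognised preference value as "no choice" keeps the safe default: the banner comes back and nothing non-essential is set.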
Sam Alford is a DPO, GDPR Consultant and author of “GDPR: A Game of Snakes and Ladders”
ISBN: 978-0-367-43545-5 (hbk)
ISBN: 978-1-003-00479-0 (ebk)
Sam can be contacted via:
For official government advice visit: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/