The EU General Data Protection Regulation (GDPR) is one of the world’s strictest data protection laws.
EU data protection authorities can impose GDPR fines of up to €20 million (roughly £17 million) or 4% of worldwide turnover for the preceding financial year, whichever is higher. Since 1 January 2021 the UK GDPR has replaced the EU GDPR in the UK, but organisations that do business in the EU are subject to both.
One important and often overlooked aspect of GDPR compliance is the use of website cookies. Fines for cookie and tracking practices have increased significantly in recent months; Amazon alone disclosed a €746 million fine from Luxembourg's data protection authority in 2021 over how it processes personal data for targeted advertising.
Introduction to Sam Alford
Since the introduction of the GDPR in 2018 we are all used to the concept of website cookie notices, but how do you know whether your cookie notice works the way it should, or whether your website is obtaining the correct permission for the cookies it stores?
We asked Sam Alford, an experienced Data Protection Officer, Auditor with PPP Management, and author of GDPR: A Game of Snakes and Ladders: How Small Businesses Can Win at the Compliance Game, to help clarify the situation and tell us exactly how to handle website cookies.
She very helpfully created this guide for us.
What is a Website Cookie?
Cookies are small data files sent from a website's server (or set by scripts running in the page) to your web browser, and then stored on your device. Their purpose can differ, but they are often used to:
- Help customise your website
- Help visitors navigate through your website
- Store useful things such as the contents of your shopping cart
- Improve user experience by personalisation
- Store a visitor’s preferences and login information
Depending on what your website does, a cookie can be either an essential or a non-essential part of the site, and each type comes with a different requirement:
| Cookie Type | Essential | Non-essential |
|---|---|---|
| Description | Needed to make your website work | Used for some purpose other than making the website work |
| Example | Storing the contents of your shopping cart on an ecommerce site | Advertising tracker cookies such as the Facebook Pixel |
| Required Website Action | Cookie policy | Cookie notice and cookie policy |
What cookies are used by your website?
It’s a good idea to audit and categorise your cookies before deciding on the best action to take for your website.
If you don't know what cookies your website uses, a tool such as CookieServe (https://www.cookieserve.com/) can help you find out.
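As an added example (not part of Sam's guide, and not CookieServe's code), here is a small audit script that turns the Set-Cookie headers a site sends into the per-cookie facts a cookie policy needs: the name, who sets it (first or third party), how long it lasts, and whether it is essential. The site domain, the allow-list of essential cookie names and the sample headers are all constructed for the example.

```javascript
// Added example (not from the article): audit Set-Cookie headers into the
// per-cookie facts a cookie policy must list (name, who sets it, expiry) and
// flag which cookies are non-essential. The site domain, the essential-cookie
// allow-list and the sample headers are all constructed for this example.

const SITE_DOMAIN = 'shop.example';   // assumed: the registrable domain being audited

// Assumed allow-list: cookies the site cannot work without. Everything else is
// treated as non-essential and therefore needs a cookie notice and consent.
const ESSENTIAL_COOKIES = new Set(['session_id', 'basket', 'csrf_token']);

// Constructed sample: which host sent each Set-Cookie header.
const SAMPLE_RESPONSES = [
  { host: 'shop.example',        setCookie: 'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'shop.example',        setCookie: 'basket=item42; Max-Age=604800; Path=/' },
  { host: 'shop.example',        setCookie: 'site_stats=u1; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/' },
  { host: 'ads.tracker.example', setCookie: 'tracker_id=xyz; Max-Age=7776000; Path=/; SameSite=None; Secure' },
];

// Split "name=value; Attr=x; Flag" into its parts. Attribute names are
// case-insensitive per RFC 6265, so they are lower-cased for lookup.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Work out the lifetime to put in the policy. Max-Age wins over Expires
// (RFC 6265 section 5.3); neither means the cookie dies with the browser session.
function describeExpiry(attributes, now) {
  if ('max-age' in attributes) {
    const secs = Number(attributes['max-age']);
    if (!Number.isFinite(secs) || secs <= 0) return 'deleted immediately';
    return `${Math.round(secs / 86400)} days`;
  }
  if ('expires' in attributes) {
    const t = Date.parse(attributes.expires);
    if (Number.isNaN(t)) return 'end of session (unparseable Expires)';
    const days = Math.round((t - now.getTime()) / 86400000);
    return days <= 0 ? 'already expired' : `${days} days`;
  }
  return 'end of session';
}

function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith('.' + siteDomain);
}

// One row per cookie, ready to go into the policy's cookie table.
function auditCookies(responses, siteDomain = SITE_DOMAIN, now = new Date()) {
  return responses.map(({ host, setCookie }) => {
    const { name, attributes } = parseSetCookie(setCookie);
    return {
      name,
      setBy: (isFirstParty(host, siteDomain) ? 'first party: ' : 'third party: ') + host,
      category: ESSENTIAL_COOKIES.has(name) ? 'essential' : 'non-essential',
      expires: describeExpiry(attributes, now),
    };
  });
}

// The guide's rule: a cookie notice is required as soon as any cookie is non-essential.
function needsCookieNotice(rows) {
  return rows.some(r => r.category === 'non-essential');
}

console.table(auditCookies(SAMPLE_RESPONSES, SITE_DOMAIN, new Date('2024-01-01T00:00:00Z')));
```

Run it with `node audit.js`. Note that this only sees cookies set in HTTP responses; cookies written by page scripts (for example a tracking pixel writing `document.cookie`) never appear in a Set-Cookie header, which is why a browser-side scan such as CookieServe is still worth running alongside it.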
Remember:
Your organisation is responsible and accountable for compliance with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). In the UK the cookie rules themselves sit in PECR; the UK GDPR sets the standard that any consent you rely on must meet. You should periodically check whether there have been changes to data protection legislation that may affect your website and service.
Cookie Notices
You need to display a cookie notice if your website uses any non-essential cookies.
The notice should:
- Tell users that the cookies are there,
- Explain what the cookies are doing and why
- Give the website visitor the opportunity to accept or reject any cookies that are not essential to using your website.
The example banner discussed here is based on the cookie notice used on the GOV.UK website.
Keep the text in the cookie notice box as short as possible but ensure it is an accurate description of how you use cookies. Make sure you include the name of the website in the banner heading to help users understand which cookies you’re talking about. You will need to change the example cookie banner text if your service:
- Allows third parties to set cookies
- Uses cookies for reasons other than collecting analytics information or remembering the user’s settings
When to show your cookie notice
Show the cookie banner every time a user accesses your service until they either accept or reject cookies using the buttons in the cookie notice. Once the user has accepted or rejected cookies:
- Hide the cookie banner message, or show a confirmation message with a 'hide' button that lets the user close the banner
- Set a cookie that saves the user's preference for 1 year
Make sure the cookie banner does not:
- Show when the user visits again, once their preferences have been saved
- Set any non-essential cookies unless the user has accepted them, either now or on a previous visit
Note: If you only use essential cookies on your website then you can choose not to have a cookie banner, although you still need a cookie policy.
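The rules above translate fairly directly into code. What follows is an added example, not GOV.UK's banner code or anything from Sam's guide: the decision logic of a consent banner written as pure functions so it can be tested outside a browser. The preference cookie name, the two non-essential categories and the script inventory are assumptions made for the example.

```javascript
// Added example (not from the article or GOV.UK): consent-banner logic that
// shows the banner until a choice is recorded, remembers the choice for one
// year, and only lets non-essential scripts load once they have been accepted.
// Cookie name, categories and the script list are assumptions for this example.

const CONSENT_COOKIE = 'cookies_preferences_set';   // assumed cookie name
const CONSENT_MAX_AGE = 365 * 24 * 60 * 60;          // 1 year, as the guidance asks
const CATEGORIES = ['analytics', 'marketing'];       // assumed non-essential categories

// Assumed script inventory for the site; the URLs are placeholders.
const SCRIPTS = [
  { src: '/js/app.js',                        category: 'essential' },
  { src: 'https://analytics.example/ga.js',   category: 'analytics' },
  { src: 'https://pixel.example/fbevents.js', category: 'marketing' },
];

// Turn the Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Read the stored choice. Anything missing or malformed counts as "no choice
// yet", which fails safe: the banner reappears and nothing non-essential loads.
function readConsent(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  try {
    const choice = JSON.parse(decodeURIComponent(raw));
    if (CATEGORIES.every(c => typeof choice[c] === 'boolean')) return choice;
  } catch (e) { /* malformed: fall through */ }
  return null;
}

// Decide what this page view should do: show the banner or not, and which
// non-essential categories may run.
function decideVisit(cookieHeader) {
  const choice = readConsent(cookieHeader);
  const allow = {};
  for (const c of CATEGORIES) allow[c] = choice !== null && choice[c] === true;
  return { showBanner: choice === null, allow };
}

// Build the Set-Cookie header that records the user's choice for a year.
// It is written for "reject" as well as "accept": the banner cannot honour a
// rejection on the next visit unless the rejection itself is remembered.
function recordChoice(choice) {
  const value = encodeURIComponent(JSON.stringify(choice));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Essential scripts always load; others only if their category was accepted.
function scriptsToLoad(allow, scripts = SCRIPTS) {
  return scripts
    .filter(s => s.category === 'essential' || allow[s.category] === true)
    .map(s => s.src);
}

// Walk through two visits: first visit (banner shown), then the return visit
// after the user accepted analytics but rejected marketing.
const firstVisit = decideVisit('session_id=abc');
console.log('first visit:', firstVisit, scriptsToLoad(firstVisit.allow));
const stored = recordChoice({ analytics: true, marketing: false });
const returnVisit = decideVisit('session_id=abc; ' + stored.split(';')[0]);
console.log('return visit:', returnVisit, scriptsToLoad(returnVisit.allow));
```

In a real page `decideVisit` would read `document.cookie`, `recordChoice` would be assigned to `document.cookie` when a banner button is clicked, and `scriptsToLoad` would drive which `<script>` tags get injected. The point the functions make explicit is that the default, before any recorded choice, is to load nothing non-essential.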
Cookie Policies
Your cookie policy should be available from the moment your website goes live and must be written for your business rather than just copied and pasted from elsewhere. The cookie policy must be written in plain English and list each cookie individually including:
- The cookie name
- A brief description of what the cookie does
- For third party cookies, who is setting the cookie (for example, social media websites)
- When the cookie will expire.
Once your cookie policy is finalised and uploaded to your website, provide links to it from both the website footer and the cookie notice. Don't be tempted to bury the cookie policy within your 'Terms and Conditions'.
Further information
Sam Alford is a DPO, GDPR consultant and author of "GDPR: A Game of Snakes and Ladders"
ISBN: 978-0-367-43545-5 (hbk)
ISBN: 978-1-003-00479-0 (ebk)
Sam can be contacted via:
Mobile: +44 (0) 7813 653347
E-mail: sam.alford@pppmanagement.co.uk
Website: www.pppmanagement.co.uk
For the regulator's guidance on complying with the cookie rules, see the ICO: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/