What are cookies?
For the non-technical reader, cookies are small pieces of data stored on an individual's device. They can feed information back to you and change what that individual sees on your website.
The obvious example is the cookie that “remembers” what a shopper places in their basket, so that the basket is still there when they move on to the checkout page.
How are cookies used?
Cookies are used for a variety of reasons. Some are necessary for your site to function, while others are optional – with capabilities such as remembering language preferences for your next visit.
Cookies can track user behaviour, record how long a viewer spends on a particular page, which links they click, and more. This can be extremely useful for assessing what is working on your site. If 90% of users spend five minutes on your “donate now” page, then the page may be deemed effective and attention-grabbing.
The most interesting category is arguably marketing/social media cookies. These have the power to help you reach a wider audience by, for example, showing your adverts to people with similar browsing histories to those visiting your site. If people visiting your site also tend to spend 10% of their browsing time on tennis websites, you may wish to place your adverts on similar tennis sites.
Marketing cookies are generally hosted by large companies such as Google or Meta, which have access to large amounts of data on individuals’ browsing habits and profiles and can therefore target more precisely. However, you remain responsible for compliance for any cookie placed on your site, regardless of the involvement of third parties.
What does the law say about cookies?
There are two regimes that apply when you use cookies. The first is the Privacy and Electronic Communications Regulations (known as PECR), and the other is the UK GDPR. The UK GDPR will only apply if the cookie uses personal data - such as an IP address, or a very detailed profile which might be capable of identifying a specific person.
PECR states:
- You must have consent to place any cookie that is not strictly necessary.
- You must give users of your website enough information to understand what cookies are being placed.
The first requirement is why you see cookie banners whenever you open a new website. The threshold for consent is the same as that under the UK GDPR, so there must be an unambiguous, informed indication of the user's wishes. The statement “by using this website you agree to the use of cookies” is not compliant. Pre-selected (pre-ticked) acceptance is also likely to be non-compliant.
The second requirement is possibly more difficult to comply with. Approaches vary wildly, and there is no clear guidance on how much information is enough to meet it. Our advice is to explain, in clear and plain language, how each cookie benefits the user or you. Technical language is unlikely to be helpful. Many organisations (including the ICO) use a table, and this can be very effective.
What about the UK GDPR?
If the cookies you set use any personal data, such as an IP address, then you will have to comply with the law on processing personal data as well as with PECR. This means ensuring that the use is fair and transparent and has a legal basis. If the cookie is not strictly necessary, the legal basis is likely to be consent. You must also ensure that cookies are covered in your privacy notice. How you provide that information is up to you, as long as it is provided.
Consequences of getting it wrong
In short, you can no longer use the information that you have gathered unlawfully, so any insights and reverse marketing opportunities are lost. There is also the possibility of an ICO fine if the breach is significant, as well as claims from individuals.
With privacy groups becoming more aware of cookies, and seeking to encourage enforcement, it's a good time to evaluate how you're using cookies to both maximise potential and ensure compliance.
Vicki Bowles is a barrister and partner at VWV