Do I need one of those awful cookie popups?
- Why your website might be using Cookies whether you know it or not
- How the GDPR has made things complicated
- Whether you need Cookie Control on your site
While the following article has been updated to reflect the new guidance, we have written a complete update on the position as it stands now with regard to cookies, cookie notifications and cookie consent mechanisms.
You should already have seen ours, but you can take another look here if you’re the masochistic type.
If you’ve been following our series of articles on the implementation of the EU General Data Protection Regulation, you may be rightly asking yourself what impact the GDPR will have on the use of website cookies, and what you need to do to make your small business website compliant.
We’re going to look at:
Why cookies are important to website owners
If you’re not sure what cookies are, there’s plenty of good content online to get you up to speed, so I’m not going to address that here. You can’t go far wrong with Wikipedia’s article as a starting point.
Suffice to say, it would be the exception rather than the rule for a website not to use any cookies at all – so if you run a small business website (or pretty much any other type for that matter), you want to give this some thought.
Let’s quickly look at some typical uses of cookies so that you’ve got some context on the type of functionality that they enable:
- Social media marketing (such as targeted Facebook advertising) relies on the placement of cookies to work;
- Content Management Systems, such as WordPress, use a selection of cookies to manage user logins, blog commenting and more.
It’s therefore pretty clear why we need to get a grip on using cookies in a compliant manner – without them, we would lose a number of significant tools.
Why cookies have suddenly got more complicated
The GDPR was never meant to be the be-all and end-all of privacy law – it was always meant to be introduced at the same time as a separate piece of legislation, the Regulation on Privacy and Electronic Communications (or more commonly, the ePrivacy Regulation). Both new regulations were due to replace existing law*.
Whilst the GDPR provides a broad framework of regulation covering a wide range of scenarios, the ePrivacy Regulation was intended to address the specific detail of the regulation of electronic communications, which includes Cookies. The GDPR says virtually nothing about cookies specifically.
You can probably sense that there is a ‘but’ coming.
But – the problem is that the ePrivacy Regulation is not going to be ready in time to coincide with the GDPR, and the GDPR is going ahead anyway – so we’re left in a slightly bizarre limbo situation:
- The GDPR comes into force on 25th May 2018;
- The ePrivacy Regulation is unlikely now to come into force until 2019;
- That means that the existing ePrivacy Directive, which was due to be replaced, is still in force;
- We do know what the current draft of the ePrivacy Regulation says – so, subject to any changes, we’ve got a reasonable idea what it’s going to say;
- But as things stand, we’ll be in a situation where we’re trying to comply with two pieces of legislation that were never really designed to work together, and which – in some ways – conflict with each other.
The specific issue with cookies
So that leads us to our specific issue in relation to cookies.
Under the GDPR, most cookies are going to fall into the category of ‘personal data’ because they are capable of identifying an individual and can be used to provide website personalization and even profiling of individuals.
As a result, you are going to need a legal basis for processing the data contained within those cookies – and that legal basis is most likely going to be the CONSENT of the individual.
Under the previous rules, the idea of ‘implied consent’ was ok.
The GDPR mandates that implied consent is no longer valid.
Instead, consent must be explicit and indicated by an ‘affirmative action’ on the part of the individual. Therefore for consent to be valid, you have to give the individual the choice of whether to consent, before any cookies are used.
- Website development: Your website must be developed in such a way that no such cookies are used when the person first lands on the page. The cookies can only be set when they have ticked an ‘I consent’ box or something similar. Technically, this can be quite complex, and it is likely to result in a less-than-ideal user experience when they visit your site;
It’s not hard to imagine a scenario where we’re all forced to make (potentially complex) changes to our websites that force visitors to make decisions about whether to allow cookies or not before they even get to see our precious, carefully designed homepages.
Is consent necessary?
So far in this article, I’ve already made specific references to ‘cookies that require consent’.
I’ve done that because you should not assume that all cookies DO require consent.
Guidance that has been issued from the ICO since the implementation of the GDPR has helped to clarify this issue somewhat. What we now know is that:
- When it comes to the placement of cookies on a website, consent is the only relevant lawful basis (you cannot, for example, rely on one of the other GDPR lawful grounds such as Legitimate Interest). So, yes – unless your cookies fall into the exception that I describe below, consent is necessary;
- Where consent is necessary, you have to gain that consent before any cookies are set;
- There is an exemption for cookies that are considered ‘essential’ in order to perform a particular online service on someone’s behalf. For these types of ‘necessary’ cookies, no specific consent is required. An example of such ‘essential’ cookies would be cookies that are used to remember basket items during an online shopping process.
So, as things stand, the situation would appear to be this if you want to be compliant:
- You need to determine exactly what cookies are in use on your website – this is going to be essential in any event;
- You’ll need to make a determination (one that you’re prepared to stand by) about which, if any, of those cookies are ‘essential’ and therefore do not require consent;
- If any of the cookies in use on your site do require consent, then you will either need to:
- Remove them; or
- Add some form of cookie control functionality to your website to ensure that the cookies are only set in the event of the user actively consenting.
Both of these actions will involve some sort of technical development, so unless you’re into that sort of thing yourself, you’re going to need to speak to whoever looks after your site.
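The first two steps above (find out what cookies your site sets, then decide which are essential) can be checked with a small audit script. The following is an added example, not code from the original article: it parses the Set-Cookie headers a site emits and classifies each cookie against a list of names you have decided are strictly necessary. The sample headers and the essential-cookie list are constructed for the example; anything not on the list is treated as requiring consent, which is the safe default when a cookie's purpose is unknown.

```javascript
// Added example: a cookie audit helper (not part of the original article).
// Parses Set-Cookie headers and reports which cookies fall under a declared
// 'essential' list and which would need consent before being set.

// Constructed sample: Set-Cookie headers as a browser would receive them.
const SAMPLE_SET_COOKIE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'cart_id=7f3a; Path=/; Max-Age=604800; Secure; SameSite=Lax',
  '_ga=GA1.2.111.222; Path=/; Max-Age=63072000',
  '_fbp=fb.1.333.444; Path=/; Max-Age=7776000',
  'theme=dark; Path=/',
];

// Cookies this hypothetical site has decided are strictly necessary
// (session handling and the shopping basket). Maintained by you, not a vendor.
const ESSENTIAL_COOKIES = ['PHPSESSID', 'cart_id'];

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Classify each cookie. Anything not on the essential list needs consent.
function auditCookies(headers, essentialNames) {
  const essential = new Set(essentialNames);
  return headers.map(parseSetCookie).map((c) => ({
    name: c.name,
    essential: essential.has(c.name),
    needsConsent: !essential.has(c.name),
    // Long-lived cookies persist across visits; flag the retention period so
    // the reviewer can confirm it is justified for the stated purpose.
    maxAgeDays: c.attributes['max-age'] !== undefined
      ? Number(c.attributes['max-age']) / 86400
      : null,
    secure: c.attributes.secure === true,
    httpOnly: c.attributes.httponly === true,
  }));
}

// Names of the cookies that may not be set before the visitor consents.
function cookiesRequiringConsent(headers, essentialNames) {
  return auditCookies(headers, essentialNames)
    .filter((c) => c.needsConsent)
    .map((c) => c.name);
}

// Worked run over the constructed sample.
console.table(auditCookies(SAMPLE_SET_COOKIE_HEADERS, ESSENTIAL_COOKIES));
console.log('Need consent:', cookiesRequiringConsent(SAMPLE_SET_COOKIE_HEADERS, ESSENTIAL_COOKIES));
```

Note that the `theme` preference cookie ends up in the "needs consent" column simply because nobody has decided otherwise; the point of the audit is to force that decision for every cookie rather than to let unknown ones through. On a live site the headers would come from your server responses or the browser's developer tools, and the essential list is the determination the article says you must be prepared to stand by.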
We’re going to move on to address some of the more commonly used types of cookies, with a proposed approach to each.
E-commerce carts and baskets
In previous legislation, including the existing ePrivacy Directive, there is an exemption to the requirement to gain consent for cookies that are ‘strictly necessary’ for the purpose of fulfilling the user’s request.
Cookies are essential to provide this type of functionality, and therefore their use is seen as legitimate under the prevailing ePrivacy Directive. There is no reason to believe that that will change under the ePrivacy Regulation.
From a GDPR perspective, we would also suggest that the use of such cookies is legitimate as part of fulfilling a contract to which the individual is party. This is an additional lawful basis for processing the data (Article 6(1)(b)).
The use of website analytics, and Google Analytics in particular, is the category of cookies that will arguably affect the largest proportion of small business websites.
When the GDPR was first implemented, there was a distinct grey area around whether the general rules relating to cookies – and in particular the need to gain consent in advance for their use – would really apply to the types of cookies placed by analytics tools.
Essentially, I think we were all hoping against hope that they wouldn’t. Because if you need to ask a website visitor whether it’s OK for you to track their visit in your analytics, then inevitably your analytics will only ever give you part of the picture of your site’s performance. It undermines the very purpose of using analytics in the first place.
Guidance subsequently issued by the UK ICO has given significant clarity to this issue – it’s just not the answer that many people were hoping for:
Essentially, under the Privacy and Electronic Communications Regulations (PECR) and the GDPR, there is no specific exemption for analytics cookies, and so the same rules requiring specific, valid consent apply.
Technically, therefore, we must ensure that a visitor to our website has expressly consented to the use of analytics cookies before we can run the relevant scripts to track their visit.
Incidentally, there are some broader privacy considerations that should be borne in mind when using analytics (usually Google Analytics):
- Make sure you do not, intentionally or inadvertently, send any data to Google Analytics that allows the identification of an individual. Not only would this be a privacy issue, it is also a breach of the Google Analytics Terms of Service. The most common situation in which this occurs is when personal data is included dynamically within a page URL;
- Make sure your Google Analytics tracking code includes the optional ‘anonymizeIp’ setting, which has the effect of partially obscuring the user’s IP address.
These are both clearly technical configuration issues – if they don’t mean anything to you, you will need to discuss them with whoever looks after your analytics.
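To make the two configuration points concrete, here is an added example (not code from the original article or from Google) showing what the page location is scrubbed of before it is sent, and how the IP anonymisation flag is set with the analytics.js `ga()` command queue. The list of sensitive query parameters is an assumption for this example; extend it with whatever your own site puts in query strings. The `sendPageView` helper takes the tracker function as an argument so that it can be exercised without the real library present.

```javascript
// Added example (not from the article): two checks before a page view is sent
// to Google Analytics. 1) strip personal data that may have been placed
// dynamically in the URL; 2) enable IP anonymisation.

// Query-string keys this hypothetical site is known to populate with personal
// data (e.g. from form submissions or links in e-mail campaigns).
const SENSITIVE_PARAMS = ['email', 'name', 'phone', 'token'];

// Any value that looks like an e-mail address is redacted regardless of key,
// since personal data can arrive under an innocuous parameter name.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Return a copy of the URL that is safe to send as the page location.
function redactPersonalData(urlString, sensitiveParams = SENSITIVE_PARAMS) {
  const url = new URL(urlString);
  const sensitive = new Set(sensitiveParams.map((p) => p.toLowerCase()));
  // Copy the entries first: we mutate searchParams while iterating.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (sensitive.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, 'REDACTED');
    }
  }
  // The fragment is never sent to the server but is visible to client-side
  // scripts, so drop it too rather than reason about its contents.
  url.hash = '';
  return url.toString();
}

// analytics.js call sequence, to run after ga('create', ...) and only once the
// visitor has consented to analytics cookies. `tracker` is the ga() function.
// Returns true when a page view was actually sent.
function sendPageView(tracker, consentedToAnalytics, location) {
  if (!consentedToAnalytics) return false;       // hold the hit back entirely
  if (typeof tracker !== 'function') return false; // library not loaded
  tracker('set', 'anonymizeIp', true);           // truncate the IP before storage
  tracker('set', 'location', redactPersonalData(location));
  tracker('send', 'pageview');
  return true;
}

// Worked run with a recording stub in place of the real ga() function.
const recorded = [];
const stubTracker = (...args) => recorded.push(args);
sendPageView(stubTracker, true, 'https://example.com/thanks?email=jo@example.org&ref=news#top');
console.log(recorded);
```

In a real page the call would be `sendPageView(window.ga, consent.analytics, window.location.href)`; the consent flag itself must come from whatever cookie control mechanism you implement, since the library should not even be loaded before the visitor opts in.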
Analytics summary: It is now clear that, technically, in order to comply with all of the relevant regulations and legislation, we must actively gain the consent of our website visitors before any cookies are set for the purpose of analytics. This will require some form of cookie control mechanism to be implemented on websites, in order to ensure that all cookie scripts are ‘held back’ until the user actively gives consent – and that mechanisms are put in place to allow users to withdraw that consent at a later stage.
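The "held back until consent" mechanism the summary describes, and the ability to withdraw consent later, can be implemented with very little code. What follows is an added example, not code from the original article or from any cookie control product: scripts that set non-essential cookies are shipped with `type="text/plain"` (which the browser does not execute) and a category attribute, and are only turned into live scripts once the visitor has opted in to that category. The same gate serves the analytics case here and the social media pixel case discussed later in the article. The cookie name `cookie_consent`, the category names, the `data-cookie-category` attribute and the cookies-per-category table are all assumptions made for this example; the decision logic is kept DOM-free so it can be tested outside a browser.

```javascript
// Added example (not part of the original article): a minimal cookie-control
// gate. Nothing non-essential runs until the visitor has opted in; the choice
// is remembered in one strictly-necessary cookie and can be withdrawn.

const CONSENT_COOKIE = 'cookie_consent';          // assumed name
const CATEGORIES = ['analytics', 'marketing'];    // assumed categories

// Parse the consent cookie out of a document.cookie-style string.
// No cookie present => no consent for anything (the GDPR default).
function parseConsent(cookieString) {
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  for (const pair of cookieString.split(';')) {
    const [k, v] = pair.trim().split('=');
    if (k !== CONSENT_COOKIE || v === undefined) continue;
    for (const entry of decodeURIComponent(v).split(',')) {
      const [cat, flag] = entry.split(':');
      if (CATEGORIES.includes(cat)) state[cat] = flag === '1';
    }
  }
  return state;
}

// Serialise the choice for document.cookie / Set-Cookie. Remembering the
// choice is itself necessary to honour it, so this cookie needs no consent.
function serializeConsent(state, maxAgeDays = 180) {
  const value = CATEGORIES.map((c) => `${c}:${state[c] ? '1' : '0'}`).join(',');
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeDays * 86400}; SameSite=Lax; Secure`;
}

// Record an explicit, affirmative choice for one category (grant or withdraw).
function setConsent(state, category, granted) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
  return { ...state, [category]: granted };
}

// Decide which held-back scripts may run. `scripts` is a list of
// { category, src } objects, a DOM-free stand-in for <script> elements.
function scriptsToActivate(scripts, state) {
  return scripts.filter((s) => state[s.category] === true);
}

// Browser glue: re-insert the allowed held-back tags as executable scripts.
// <script type="text/plain" data-cookie-category="analytics" src="..."></script>
// Guarded so the decision logic above stays testable outside a browser.
function activateHeldBackScripts(state) {
  if (typeof document === 'undefined') return 0;
  const held = [...document.querySelectorAll('script[type="text/plain"][data-cookie-category]')];
  const allowed = scriptsToActivate(
    held.map((el) => ({ category: el.dataset.cookieCategory, src: el.src, el })),
    state,
  );
  for (const { el } of allowed) {
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}

// On withdrawal, stop activating the category and expire the cookies it set.
// Names come from your cookie audit; these are constructed for the example.
// A cookie set with a Domain attribute must be expired with the same Domain.
const COOKIES_BY_CATEGORY = { analytics: ['_ga', '_gid'], marketing: ['_fbp'] };
function withdrawalCookieHeaders(category) {
  return (COOKIES_BY_CATEGORY[category] || []).map((n) => `${n}=; Path=/; Max-Age=0`);
}

// Worked flow: first visit (no cookie), visitor allows analytics only, then
// later withdraws it. Script URLs are placeholders constructed for the example.
const HELD_BACK = [
  { category: 'analytics', src: 'https://example.com/vendor-analytics.js' },
  { category: 'marketing', src: 'https://example.com/vendor-pixel.js' },
];
let consent = parseConsent('');
consent = setConsent(consent, 'analytics', true);
console.log(serializeConsent(consent));
console.log(scriptsToActivate(HELD_BACK, consent).map((s) => s.src));
consent = setConsent(consent, 'analytics', false);
console.log(withdrawalCookieHeaders('analytics'));
```

Withdrawal has two halves: the next page load must not activate the category (the updated consent cookie takes care of that), and cookies already on the visitor's machine must be expired with headers like those `withdrawalCookieHeaders` returns. Expiry only works when `Path` and `Domain` match how the vendor set the cookie, which is one more reason the cookie audit has to be accurate.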
I’ll repeat my previous disclaimer: this is not legal advice, and you need to make your own informed decision about how you handle these cookies.
Social Media Marketing
The use of social media marketing, most commonly Facebook targeted advertising, represents a somewhat complex situation from a privacy perspective.
As part of this obligation, the Facebook advertising Terms of Service for advertisers includes a requirement that all advertisers display a ‘clear and prominent notice’ about the use of the cookies and other technologies that are required for such advertising.
So, any website that uses the Facebook (or similar) pixel to allow the profiling of web visitors (e.g. for the purposes of targeted marketing campaigns) requires the consent of the individual for the placement of the cookies that are associated with that functionality.
In the past, this consent could be based upon the ‘implied consent’ model but, as we have seen, such implied consent will no longer be valid under the GDPR.
As a result, if you plan to continue to use social media marketing, including the Facebook pixel for targeted ads, you will need to ensure that your website meets this consent requirement.
You cannot load the pixel code that generates the cookies until the individual has provided a clear, affirmative action confirming their consent. Very few websites are currently configured to work in this way, so this will likely require your attention.
These types of cookies, especially when they are generated by a software plugin, can be a little more complex to deal with from a privacy perspective – because it may be necessary to adjust the code that delivers those cookies to ensure that they are only set when an individual has given their consent.
Whether this is possible or not will depend on the exact nature of the cookie itself, and it is therefore likely that you will need to speak with whoever looks after your site.