Do I need one of those awful cookie popups?
In this article, we’ll look at:
- Why your website might be using Cookies whether you know it or not
- How the GDPR has made things complicated
- Whether you need Cookie Control on your site
We are in the process of reviewing this new guidance, and will update this article in due course. For now, refer to the ICO guidelines for the most up-to-date information, but the key messages from the updated guidance are as follows:
- Instead, you need to get explicit consent from your visitors before any cookies are set, and this even applies to Analytics cookies
You should already have seen ours, but you can take another look here if you’re the masochistic type.
If you’ve been following our series of articles on the implementation of the EU General Data Protection Regulation, you may be rightly asking yourself what impact the GDPR will have on the use of website cookies, and what you need to do to make your small business website compliant.
We’re going to look at:
Why cookies are important to website owners
If you’re not sure what cookies are, there’s plenty of good content online to get you up to speed, so I’m not going to address that here. You can’t go far wrong with Wikipedia’s article as a starting point.
Suffice to say, it would be the exception rather than the rule for a website not to use any cookies at all – so if you run a small business website (or pretty much any other type, for that matter), you want to give this some thought.
Let’s quickly look at some typical uses of cookies so that you’ve got some context on the type of functionality that they enable:
- Social media marketing (such as targeted Facebook advertising) relies on the placement of cookies to work;
- Content Management Systems, such as WordPress, use a selection of cookies to manage user logins, blog commenting and more.
It’s therefore pretty clear why we need to get a grip on using cookies in a compliant manner – without them, we would lose a number of significant tools.
Why cookies have suddenly got more complicated
The GDPR was never meant to be the be-all and end-all of privacy law – it was always meant to be introduced at the same time as a separate piece of legislation, the Regulation on Privacy and Electronic Communications (or more commonly, the ePrivacy Regulation). Both new regulations were due to replace existing law*.
Whilst the GDPR provides a broad framework of regulation covering a wide range of scenarios, the ePrivacy Regulation was intended to address the specific detail of the regulation of electronic communications, which includes Cookies. The GDPR says virtually nothing about cookies specifically.
You can probably sense that there is a ‘but’ coming.
But – the problem is that the ePrivacy Regulation is not going to be ready in time to coincide with the GDPR, and the GDPR is going ahead anyway – so we’re left in a slightly bizarre limbo situation:
- The GDPR comes into force on 25th May 2018;
- The ePrivacy Regulation is unlikely now to come into force until 2019;
- That means that the existing ePrivacy Directive, which was due to be replaced, is still in force;
- We do know what the current draft of the ePrivacy Regulation says – so, subject to any changes, we’ve got a reasonable idea what it’s going to say;
- But as things stand, we’ll be in a situation where we’re trying to comply with two pieces of legislation that were never really designed to work together, and which – in some ways – conflict with each other.
The specific issue with cookies
So that leads us to our specific issue in relation to cookies.
Under the GDPR, most cookies are going to fall into the category of ‘personal data’ because they are capable of identifying an individual and can be used to provide website personalization and even profiling of individuals.
As a result, you are going to need a legal basis for processing the data contained within those cookies – and that legal basis is most likely going to be the CONSENT of the individual.
Under the previous rules, the idea of ‘implied consent’ was ok.
The GDPR mandates that implied consent is no longer valid.
Instead, consent must be explicit and indicated by an ‘affirmative action’ on the part of the individual. Therefore for consent to be valid, you have to give the individual the choice of whether to consent, before any cookies are used.
- Website development: Your website must be developed in such a way that no such cookies are used when the person first lands on the page. The cookies can only be set when they have ticked an ‘I consent’ box or something similar. Technically, this can be quite complex, and it is likely to result in a less-than-ideal user experience when they visit your site;
It’s not hard to imagine a scenario where we’re all forced to make (potentially complex) changes to our websites that force visitors to make decisions about whether to allow cookies or not before they even get to see our precious, carefully designed homepages.
Is consent necessary?
So far in this article, I’ve already made specific references to ‘cookies that require consent’.
I’ve done that because you should not assume that all cookies DO require consent.
Firstly, as you may have seen in our article on the lawful grounds for processing data, there are 6 different grounds on which processing of personal data can be seen as lawful. Only one of those relates to consent.
In addition to that, the draft ePrivacy Regulation (which at the moment can only give us a suggestion of what the finalised regulation might contain) includes a number of pragmatic rules that declare that certain ‘non-privacy-invasive’ cookies (such as Analytics) will not require user consent. That’s good news, but right now we need to deal with the law as it is, not as it will potentially be.
So, in this limbo period that I’ve referred to, the situation would appear to be this if you want to be compliant:
- You need to determine exactly what cookies are in use on your website – this is going to be essential in any event;
- You’ll need to determine whether any of those cookies require individuals’ prior consent before they’re used, or whether there is a different lawful basis for using them;
- If any of the cookies in use on your site do require consent, then you will either need to:
- Adjust your website so that they are no longer used; or
- Add some form of cookie control functionality to your website to ensure that the cookies are only set in the event of the user actively consenting.
Both of these actions will involve some sort of technical development, so unless you’re into that sort of thing yourself, you’re going to need to speak to whoever looks after your site.
We’re going to move on to address some of the more commonly used types of cookies, with a proposed approach to each.
E-commerce carts and baskets
In previous legislation, including the existing ePrivacy Directive, there is an exemption to the requirement to gain consent for cookies that are ‘strictly necessary’ for the purpose of fulfilling the user’s request.
Cookies are essential to provide this type of functionality, and therefore their use is seen as legitimate under the prevailing ePrivacy Directive. There is no reason to believe that that will change under the ePrivacy Regulation.
From a GDPR perspective, we would also suggest that the use of such cookies is legitimate as part of fulfilling a contract to which the individual is party. This is an additional lawful basis for processing the data (Article 6(1)(b)).
The use of website analytics, and Google Analytics in particular, is the category of cookies that will arguably affect the largest proportion of small business websites.
We get a hint from the draft ePrivacy Regulation that analytics will be considered as ‘non-privacy-invasive’ cookies that will not require consent, which would be good news.
In the meantime, we will require a different approach under the GDPR. In my opinion, and it is just an opinion, there are two alternative approaches to use under the GDPR:
‘Not personal data’
If implemented properly, it is arguable that Analytics Cookies are not ‘personal data’ in the first place, and therefore none of the requirements of the GDPR apply, and consent is therefore not required.
For this to be a valid argument, it is important to ensure that:
- You do not, intentionally or inadvertently, send any data to Google Analytics that allows the identification of an individual. Not only would this be a privacy issue, it is also a breach of the Google Analytics Terms of Service. The most common situation in which this occurs is when personal data is included dynamically within a page URL;
- Your Google Analytics tracking code includes the optional ‘anonymizeIp’ declaration, which has the effect of partially obscuring the user’s IP address.
These are both clearly technical configuration issues – if they don’t mean anything to you, you will need to discuss them with whoever looks after your analytics.
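The two configuration points above, as an added example that is not part of the original article: a helper that strips personal data out of the page URL before it is reported to Google Analytics, and a gtag.js page-view config with IP anonymisation switched on. The parameter-name denylist is an assumption to adapt to your own site.

```javascript
// Added example (not from the original article): scrub personal data out of
// the page URL before it is reported to Google Analytics, and build the
// gtag.js page-view config with IP anonymisation switched on.
// The parameter names below are an assumed denylist; adjust them to your site.
const PERSONAL_PARAMS = new Set(["email", "e-mail", "name", "phone", "tel", "token"]);
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

function scrubPersonalDataFromUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Copy the entries first so deleting while iterating is safe.
  for (const [key, value] of [...url.searchParams.entries()]) {
    // Drop any parameter known by name to carry personal data, and any
    // parameter whose value looks like an e-mail address whatever its name.
    if (PERSONAL_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.delete(key);
    }
  }
  // The fragment is part of location.href and a common place for tokens,
  // so it is removed as well.
  url.hash = "";
  return url.toString();
}

function buildPageViewConfig(rawUrl) {
  return {
    page_location: scrubPersonalDataFromUrl(rawUrl),
    anonymize_ip: true, // gtag.js setting: the visitor's IP is truncated before storage
  };
}
```

In a real page the returned object is what you pass to `gtag('config', ...)` in place of the default, which would otherwise report the raw `location.href`.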
Legitimate interests under the GDPR
As an alternative to the approach above, it is arguable that it is ‘in the legitimate interest of the data controller’ to use analytics to understand the usage and functionality of the website.
You should note that the ‘legitimate interest’ argument will always need to be used with caution. The regulation requires that such an interest must be balanced against the overriding interest of the individual in having control over their personal data, and needs to take account of matters such as what the individual might reasonably expect, given their relationship with you.
Long story short, if you plan to use the ‘legitimate interest’ lawful basis for processing any type of data, you need to understand the detail of the GDPR regulation that covers it (Article 6(1)(f), and associated recitals). In particular, it’s important to be able to demonstrate that you have carried out a Legitimate Interest Analysis, a more formal method of showing how you have come to the conclusion that it is indeed legitimate to process this data without consent.
Using this lawful basis for website analytics also rather implies that you concede that analytics do represent ‘personal data’, so it needs to be used wisely.
I’ll repeat my previous disclaimer: this is not legal advice, and you need to make your own informed decision about how you handle these cookies.
Social Media Marketing
The use of social media marketing, most commonly Facebook targeted advertising, represents a somewhat complex situation from a privacy perspective.
As part of this obligation, the Facebook advertising Terms of Service for advertisers includes a requirement that all advertisers display a ‘clear and prominent notice’ about the use of the cookies and other technologies that are required for such advertising.
So, any website that uses the Facebook (or similar) pixel to allow the profiling of web visitors (e.g. for the purposes of targeted marketing campaigns) requires the consent of the individual for the placement of the cookies that are associated with that functionality.
In the past, this consent could be based upon the ‘implied consent’ model but, as we have seen, such implied consent will no longer be valid under the GDPR.
As a result, if you plan to continue to use social media marketing, including the Facebook pixel for targeted ads, you will need to ensure that your website meets this consent requirement.
You cannot load the pixel code that generates the cookies until the individual has provided a clear, affirmative action confirming their consent. Very few websites are currently configured to work in this way, so this will likely require your attention.
These types of cookies, especially when they are generated by a software plugin, can be a little more complex to deal with from a privacy perspective – because it may be necessary to adjust the code that delivers those cookies to ensure that they are only set when an individual has given their consent.
Whether this is possible or not will depend on the exact nature of the cookie itself, and it is therefore likely that you will need to speak with whoever looks after your site.
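A minimal consent gate, as an added example that is not part of the original article, covering both the cookie-control approach described earlier and the rule that pixel code must not load until the visitor has given a clear, affirmative consent. The `storage` object and the category names are assumptions; on a real site the loader callbacks would inject the analytics or pixel script tag, and `storage` would be backed by a first-party cookie.

```javascript
// Added example (not from the original article): a minimal consent gate.
// Third-party tags (analytics, Facebook pixel) are registered as loader
// callbacks under a category and run only after the visitor's affirmative
// consent for that category; nothing runs on first page load.
const CATEGORIES = ["analytics", "marketing"]; // assumed category names

function createConsentGate(storage) {
  // storage is assumed to be { get(), set(value) }; on a real site it would be
  // backed by a first-party cookie, here an in-memory object stands in for it.
  const granted = new Set(storage.get() || []);
  const loaders = { analytics: [], marketing: [] };
  const loaded = new Set();

  function runPending(category) {
    if (!granted.has(category)) return;
    for (const loader of loaders[category]) {
      if (loaded.has(loader)) continue; // never inject the same tag twice
      loaded.add(loader);
      loader();
    }
  }

  return {
    // Called by the site's tag code on every page load. If consent was recorded
    // on an earlier visit the loader runs immediately; otherwise it waits until
    // grant() is called from the consent banner's button handler.
    register(category, loader) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
      loaders[category].push(loader);
      runPending(category);
    },
    // Affirmative action: the visitor clicked "I consent" for this category.
    grant(category) {
      granted.add(category);
      storage.set([...granted]);
      runPending(category);
    },
    // Withdrawal: tags already on the page cannot be unloaded, but nothing
    // further is started and the stored record is cleared.
    revoke(category) {
      granted.delete(category);
      storage.set([...granted]);
    },
    isGranted(category) { return granted.has(category); },
  };
}

// In-memory stand-in for the first-party consent cookie.
function memoryStorage() { let v = null; return { get: () => v, set: (x) => { v = x; } }; }
```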