Do I need one of those awful cookie popups?

In this article, we’ll look at:

  • Why your website might be using Cookies whether you know it or not
  • How the GDPR has made things complicated
  • Whether you need Cookie Control on your site


We’ve all got used to seeing pop-up boxes on websites, notifying visitors about the use of cookies on the site.

You should already have seen ours, but you can take another look here if you’re the masochistic type.

If you’ve been following our series of articles on the implementation of the EU General Data Protection Regulation, you may be rightly asking yourself what impact the GDPR will have on the use of website cookies, and what you need to do to make your small business website compliant.

Well, the truth is that it’s complicated. In this article I’ll go on to explain why and, more importantly, what actions you need to take if you operate a website that uses cookies.

We’re going to look at:

  • Why your website might use cookies;
  • Why the new regulation makes the use of cookies particularly confusing;
  • Recommendations for how to approach the use of cookies post-GDPR.
A heads-up: By the end of this article, I will have explained why, for some simple websites it may be completely legitimate not to display any form of cookie warning at all – but that will likely be the exception rather than the rule. You will need to make an informed decision relating to your own website, based on your use of Google Analytics, e-commerce, social media tracking and other cookie-dropping functionality.

Why cookies are important to website owners

If you’re not sure what cookies are, there’s plenty of good content online to get you up to speed, so I’m not going to address that here. You can’t go far wrong with Wikipedia’s article as a starting point.

Suffice to say, it would be the exception rather than the rule for a website not to use any cookies at all, so if you run a small business website (or pretty much any other type, for that matter), you need to give this some thought.

Let’s quickly look at some typical uses of cookies so that you’ve got some context on the type of functionality that they enable:

  • E-commerce websites that use a ‘cart’ or ‘basket’ to remember items that the customer wants to buy will use cookies;
  • Any form of personalisation of the website (such as the preferred language) is bound to use cookies to remember the user’s choice;
  • Statistical analytics (such as Google Analytics) will use cookies as the fundamental means of being able to tell one user from another;
  • Social media marketing (such as targeted Facebook advertising) relies on the placement of cookies to work;
  • Content Management Systems, such as WordPress, use a selection of cookies to manage user logins, blog commenting and more.

It’s therefore pretty clear why we need to get a grip on using cookies in a compliant manner – without them, we would lose a number of significant tools.

Why cookies have suddenly got more complicated

The GDPR was never meant to be the be-all and end-all of privacy law – it was always meant to be introduced at the same time as a separate piece of legislation, the Regulation on Privacy and Electronic Communications (or more commonly, the ePrivacy Regulation). Both new regulations were due to replace existing law*.

Whilst the GDPR provides a broad framework of regulation covering a wide range of scenarios, the ePrivacy Regulation was intended to address the specific detail of the regulation of electronic communications, which includes Cookies. The GDPR says virtually nothing about cookies specifically.

You can probably sense that there is a ‘but’ coming.

But – the problem is that the ePrivacy Regulation is not going to be ready in time to coincide with the GDPR, and the GDPR is going ahead anyway – so we’re left in a slightly bizarre limbo situation:

  • The GDPR comes into force on 25th May 2018;
  • The ePrivacy Regulation is unlikely now to come into force until 2019;
  • That means that the existing ePrivacy Directive, which was due to be replaced, is still in force;
  • We do know what the current draft of the ePrivacy Regulation says – so, subject to any changes, we’ve got a reasonable idea what it’s going to say;
  • But as things stand, we’ll be in a situation where we’re trying to comply with two pieces of legislation that were never really designed to work together, and which – in some ways – conflict with each other.

Marvelous.

The specific issue with cookies

So that leads us to our specific issue in relation to cookies.

Under the GDPR, most cookies are going to fall into the category of ‘personal data’, because they are capable of identifying an individual (or at least singling one visitor out from another across visits) and can be used to provide website personalisation and even profiling of individuals.

As a result, you are going to need a legal basis for processing the data contained within those cookies – and that legal basis is most likely going to be the CONSENT of the individual.

Under the previous rules, the idea of ‘implied consent’ was ok.

It is implied consent that makes it acceptable to say something like ‘This website uses cookies. By using the site you are agreeing to the use of cookies’. The principle was that as long as you told people about the use of cookies, it was ok to use them, regardless of whether they really agreed or not.

Under the GDPR, implied consent no longer counts as consent.

Instead, consent must be explicit and indicated by an ‘affirmative action’ on the part of the individual. Therefore for consent to be valid, you have to give the individual the choice of whether to consent, before any cookies are used.

This creates two immediate problems if you want to use cookies that require consent:

  1. Website development: Your website must be developed in such a way that no such cookies are used when the person first lands on the page. The cookies can only be set when they have ticked an ‘I consent’ box or something similar. Technically, this can be quite complex, and it is likely to result in a less-than-ideal user experience when they visit your site;
  2. Where’s the incentive?: There is generally very little perceived incentive for the individual to actually consent. Let’s be honest, often enough the reason you want to use cookies is for your benefit (e.g. analytics, social media marketing), and not the individual’s.

It’s not hard to imagine a scenario where we’re all forced to make (potentially complex) changes to our websites that force visitors to make decisions about whether to allow cookies or not before they even get to see our precious, carefully designed homepages.

And then, given that we’re likely to want to use cookies to enable website analytics or social media marketing, the effectiveness of those things will be hugely undermined by the fact that by default, they won’t work! They will only kick in if somebody goes out of their way to check the consent box(es).

Is consent necessary?

So far in this article, I’ve already made specific references to ‘cookies that require consent’.

I’ve done that because you should not assume that all cookies DO require consent.

Firstly, as you may have seen in our article on the lawful grounds for processing data, there are 6 different grounds on which processing of personal data can be seen as lawful. Only one of those relates to consent.

It is therefore possible, under the GDPR at least, to use cookies on your website without consent, providing you have another lawful basis for doing so or you can argue that the cookies do not represent personal data.

In addition to that, the draft ePrivacy Regulation (which at the moment can only give us a suggestion of what the finalised regulation might contain) includes a number of pragmatic rules that declare that certain ‘non-privacy-invasive’ cookies (such as Analytics) will not require user consent. That’s good news, but right now we need to deal with the law as it is, not as it will potentially be.

So, in this limbo period that I’ve referred to, the situation would appear to be this if you want to be compliant:

  • You need to determine exactly what cookies are in use on your website – this is going to be essential in any event;
  • You’ll need to determine whether any of those cookies require individuals’ prior consent before they’re used, or whether there is a different lawful basis for using them;
  • If any of the cookies in use on your site do require consent, then you will either need to:
    • Adjust your website so that they are no longer used; or
    • Add some form of cookie control functionality to your website to ensure that the cookies are only set in the event of the user actively consenting.

Both of these actions will involve some sort of technical development, so unless you’re into that sort of thing yourself, you’re going to need to speak to whoever looks after your site.
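The audit in the first bullet above is easier with a script than a spreadsheet. What follows is an added example written for this article (JavaScript, runnable as-is under Node), not code from the author, from WordPress or from any cookie-scanning tool. It merges cookies seen in captured Set-Cookie response headers with an export of the browser’s cookie jar, because analytics and pixel cookies are set by JavaScript and never appear in response headers, so a header-only crawl would miss exactly the cookies this article is about. The site host, the sample headers and jar entries, and the KNOWN_COOKIES name map are all constructed assumptions; the map in particular has to be maintained for your own site.

```javascript
// Cookie inventory for the audit step: merge cookies seen in HTTP Set-Cookie
// headers with cookies found in the browser's jar, then flag each as first- or
// third-party, session or persistent, and classify it by name.
// Example code written for this article, not from the author or any tool.
// Assumptions: SITE_HOST, the sample data and KNOWN_COOKIES are constructed.

const SITE_HOST = 'www.example.com'; // assumed first-party host

// Assumed, illustrative map from cookie-name prefix to what sets it.
const KNOWN_COOKIES = [
  { prefix: 'PHPSESSID',            category: 'necessary',  setBy: 'PHP session' },
  { prefix: 'wordpress_logged_in_', category: 'necessary',  setBy: 'WordPress login' },
  { prefix: 'comment_author_',      category: 'functional', setBy: 'WordPress comments' },
  { prefix: '_ga',                  category: 'analytics',  setBy: 'Google Analytics' },
  { prefix: '_fbp',                 category: 'marketing',  setBy: 'Facebook pixel' },
];

// Parse one Set-Cookie header. Attribute names are case-insensitive (RFC 6265);
// no Domain attribute means the cookie is host-only for the responding host.
function parseSetCookie(header, responseHost) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const rec = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    host: responseHost, persistent: false, secure: false, httpOnly: false,
    sameSite: null, source: 'http',
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) rec.host = val.replace(/^\./, '').toLowerCase();
    else if (key === 'max-age' || key === 'expires') rec.persistent = true;
    else if (key === 'secure') rec.secure = true;
    else if (key === 'httponly') rec.httpOnly = true;
    else if (key === 'samesite') rec.sameSite = val || null;
  }
  return rec;
}

// Normalise an entry exported from the browser's cookie store (DevTools or a
// headless browser). JavaScript-set cookies only ever show up here.
function fromJar(entry) {
  return {
    name: entry.name,
    host: entry.domain.replace(/^\./, '').toLowerCase(),
    persistent: typeof entry.expires === 'number' && entry.expires > 0,
    secure: !!entry.secure, httpOnly: !!entry.httpOnly,
    sameSite: entry.sameSite || null, source: 'jar',
  };
}

// A cookie is first-party if its host is the site host or a parent of it.
function isThirdParty(host, siteHost) {
  return !(host === siteHost || siteHost.endsWith('.' + host));
}

// Consent column follows the article's reasoning: strictly necessary cookies
// need none, marketing cookies do, everything else is yours to decide and
// document (analytics under the "not personal data" or legitimate-interest
// argument, functional cookies plugin by plugin).
function classify(name) {
  const hit = KNOWN_COOKIES.find((k) => name.startsWith(k.prefix));
  const category = hit ? hit.category : 'unknown';
  const consent = { necessary: 'no', marketing: 'yes' }[category] || 'review';
  return { category, setBy: hit ? hit.setBy : 'unknown', consent };
}

// Build the inventory keyed on (name, host); a jar record overrides a header
// record for the same cookie because it reflects what actually stuck.
function inventory(responses, jar, siteHost) {
  const byKey = new Map();
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    for (const h of r.setCookie) {
      const rec = parseSetCookie(h, host);
      byKey.set(rec.name + '@' + rec.host, rec);
    }
  }
  for (const e of jar) {
    const rec = fromJar(e);
    byKey.set(rec.name + '@' + rec.host, rec);
  }
  return [...byKey.values()]
    .map((rec) => ({ ...rec, thirdParty: isThirdParty(rec.host, siteHost), ...classify(rec.name) }))
    .sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// Constructed sample capture: a first-party page, a third-party request, and a
// jar dump holding the JavaScript-set analytics and pixel cookies.
const SAMPLE_RESPONSES = [
  { url: 'https://www.example.com/', setCookie: [
    'PHPSESSID=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax',
    'comment_author_1a2b=Jane; Domain=.example.com; Path=/; Max-Age=31536000',
  ] },
  { url: 'https://ads.example-network.test/pixel', setCookie: [
    'uid=42; Domain=.example-network.test; Path=/; Max-Age=7776000; Secure; SameSite=None',
  ] },
];
const SAMPLE_JAR = [
  { name: '_ga',  domain: '.example.com', expires: 1893456000, secure: false, httpOnly: false, sameSite: null },
  { name: '_fbp', domain: '.example.com', expires: 1700000000, secure: false, httpOnly: false, sameSite: 'Lax' },
];

function runSample() {
  return inventory(SAMPLE_RESPONSES, SAMPLE_JAR, SITE_HOST);
}

console.table(runSample());
```

Every row marked ‘unknown’ or ‘review’ is a cookie you still have to account for before deciding whether your site needs consent functionality; the ‘unknown’ ones are the plugin and third-party cookies the article warns about.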

We’re going to move on to address some of the more commonly used types of cookies, with a proposed approach to each.

E-commerce carts and baskets

In previous legislation, including the existing ePrivacy Directive, there is an exemption to the requirement to gain consent for cookies that are ‘strictly necessary’ for the purpose of fulfilling the user’s request.

Cookies are essential to provide this type of functionality, and therefore their use is seen as legitimate under the prevailing ePrivacy Directive. There is no reason to believe that that will change under the ePrivacy Regulation.

From a GDPR perspective, we would also suggest that the use of such cookies is legitimate as part of fulfilling a contract to which the individual is party. This is an additional lawful basis for processing the data (Article 6(1)(b)).

Therefore, cookies used for this purpose shouldn’t cause you any additional concern. That said, you should still highlight the use of such cookies in your Privacy Policy, even if you’re not relying on consent.

Website Analytics

The use of website analytics, and Google Analytics in particular, is the category of cookies that will arguably affect the largest proportion of small business websites.

We get a hint from the draft ePrivacy Regulation that analytics will be considered as ‘non-privacy-invasive’ cookies that will not require consent, which would be good news.

In the meantime, we will require a different approach under the GDPR. In my opinion, and it is just an opinion, there are two alternative approaches to use under the GDPR:

‘Not personal data’

If implemented properly, it is arguable that Analytics Cookies are not ‘personal data’ in the first place, and therefore none of the requirements of the GDPR apply, and consent is therefore not required.

For this to be a valid argument, it is important to ensure that:

  • You do not, intentionally or inadvertently, send any data to Google Analytics that allows the identification of an individual (an email address or customer name in a query string, for example). Not only would this be a privacy issue, it is also a breach of the Google Analytics Terms of Service. The most common situation in which this occurs is when personal data is included dynamically within a page URL;
  • Your Google Analytics tracking code enables IP anonymisation (the ‘anonymizeIp’ setting in analytics.js, or ‘anonymize_ip’ in gtag.js), which has the effect of truncating the user’s IP address (the last octet of an IPv4 address, or the last 80 bits of an IPv6 address) before it is stored.

These are both clearly technical configuration issues – if they don’t mean anything to you, you will need to discuss them with whoever looks after your analytics.

Legitimate interests under the GDPR

As an alternative to the approach above, it is arguable that it is ‘in the legitimate interest of the data controller’ to use analytics to understand the usage and functionality of the website.

‘Legitimate interest’ is an additional lawful basis for processing personal data. Providing that you are prepared to stand by that argument, and that you document this lawful basis within your privacy policy, it is arguably acceptable to set analytics cookies without needing to seek the individual’s consent at all.

You should note that the ‘legitimate interest’ argument will always need to be used with caution. The regulation requires that such an interest must be balanced against the overriding interest of the individual in having control over their personal data, and needs to take account of matters such as what the individual might reasonably expect, given their relationship with you.

Long story short, if you plan to use the ‘legitimate interest’ lawful basis for processing any type of data, you need to understand the detail of the GDPR regulation that covers it (Article 6(1)(f), and associated recitals). In particular, it’s important to be able to demonstrate that you have carried out a Legitimate Interest Analysis, a more formal method of showing how you have come to the conclusion that it is indeed legitimate to process this data without consent.

Using this lawful basis for website analytics also rather implies that you concede that analytics do represent ‘personal data’, so it needs to be used wisely.

Analytics summary: for most standard implementations of Google Analytics, it is my opinion that there is a good argument that there are no privacy issues concerned – i.e. no personally-identifiable data is being processed as a result of using the analytics cookies. If you accept that argument, then it follows that it is not necessary to show any lawful basis for setting those cookies. Don’t forget, though, there is no denying that cookies are being used, so you would still need to declare those cookies in your privacy policy.

I’ll repeat my previous disclaimer: this is not legal advice, and you need to make your own informed decision about how you handle these cookies.

Social Media Marketing

The use of social media marketing, most commonly Facebook targeted advertising, represents a somewhat complex situation from a privacy perspective.

The majority of the data collection and processing happens on the Facebook platform, and Facebook is Data Controller for the majority of such services. Therefore Facebook has significant GDPR obligations, including making their own terms and privacy policy GDPR compliant.

As part of this obligation, the Facebook advertising Terms of Service for advertisers includes a requirement that all advertisers display a ‘clear and prominent notice’ about the use of the cookies and other technologies that are required for such advertising.

So, any website that uses the Facebook (or similar) pixel to allow the profiling of web visitors (e.g. for the purposes of targeted marketing campaigns) requires the consent of the individual for the placement of the cookies that are associated with that functionality.

In the past, this consent could be based upon the ‘implied consent’ model but, as we have seen, such implied consent will no longer be valid under the GDPR.

As a result, if you plan to continue to use social media marketing, including the Facebook pixel for targeted ads, you will need to ensure that your website meets this consent requirement.

You cannot load the pixel code that generates the cookies until the individual has provided a clear, affirmative action confirming their consent. Very few websites are currently configured to work in this way, so this will likely require your attention.
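What ‘only set when the user has actively consented’ looks like in code, covering both the development problem raised earlier and this pixel requirement. This is an added example written for this article, not code from the author, from Facebook or from any CMS plugin: a small consent gate that records the visitor’s choice in a cookie and runs a tag loader only for the categories the visitor actually ticked. The cookie name, the category names, the policy version, the six-month re-ask and the loader functions are assumptions; in a real page the loaders would be the functions that inject analytics.js or gtag.js and fbevents.js, you would pass document.cookie into readConsent() and assign the result of consentCookieValue() back to document.cookie from the banner’s click handler. It has no DOM dependency so it runs under Node as written.

```javascript
// Consent gate: tag loaders run only for the categories the visitor has
// actively opted into. Example code written for this article, not from the
// author, Facebook or any CMS or plugin. Assumed: the cookie name, categories,
// policy version, re-ask period and the loader map passed in by the caller.

const CONSENT_COOKIE = 'cookie_consent';                    // assumed name
const CONSENT_VERSION = 2;                                  // bump when the policy text changes
const CATEGORIES = ['necessary', 'analytics', 'marketing']; // assumed categories
const MAX_AGE_SECONDS = 180 * 24 * 3600;                    // assumed: re-ask after six months

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Read a previously recorded choice. Returns null when there is none, when the
// value is malformed, or when it was recorded against an older policy version.
// null means "no valid consent on record" and the gate treats it as a refusal.
// A "by using this site you agree" banner never produces a record here; only
// consentCookieValue(), called after a click, does.
function readConsent(cookieString) {
  const raw = parseCookieString(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let parsed;
  try {
    parsed = JSON.parse(decodeURIComponent(raw));
  } catch (e) {
    return null;
  }
  if (!parsed || parsed.v !== CONSENT_VERSION || typeof parsed.c !== 'object' || parsed.c === null) {
    return null;
  }
  const choices = {};
  for (const cat of CATEGORIES) {
    // 'necessary' cannot be refused; anything else is false unless the stored
    // value is exactly true, so a truthy string such as "on" does not count.
    choices[cat] = cat === 'necessary' ? true : parsed.c[cat] === true;
  }
  return choices;
}

// Build the cookie string that records the visitor's choice. Only the banner's
// click handler calls this, i.e. after an affirmative action.
function consentCookieValue(choices, secure = true) {
  const c = {};
  for (const cat of CATEGORIES) c[cat] = cat === 'necessary' ? true : choices[cat] === true;
  const payload = encodeURIComponent(JSON.stringify({ v: CONSENT_VERSION, c }));
  const attrs = ['Path=/', 'Max-Age=' + MAX_AGE_SECONDS, 'SameSite=Lax'];
  if (secure) attrs.push('Secure'); // the consent record should not travel over plain HTTP
  return CONSENT_COOKIE + '=' + payload + '; ' + attrs.join('; ');
}

// Run the loader for each allowed category and report which ones ran.
// `loaders` maps a category to the function that injects its script (for
// 'analytics' the one adding analytics.js/gtag.js with IP anonymisation on,
// for 'marketing' the one adding the Facebook pixel). 'necessary' always runs,
// matching the strictly-necessary exemption; with consent === null nothing else does.
function applyConsent(consent, loaders) {
  const ran = [];
  for (const cat of CATEGORIES) {
    const allowed = cat === 'necessary' || (consent !== null && consent[cat] === true);
    if (allowed && typeof loaders[cat] === 'function') {
      loaders[cat]();
      ran.push(cat);
    }
  }
  return ran;
}

// Stand-alone walkthrough over constructed cookie strings (no real site involved).
function demo() {
  const loaded = [];
  const loaders = {
    necessary: () => loaded.push('session'),
    analytics: () => loaded.push('analytics.js'),
    marketing: () => loaded.push('fbevents.js'),
  };
  // First visit: nothing on record, so only the session machinery runs.
  const first = applyConsent(readConsent(''), loaders);
  // Visitor ticks "analytics" only; the click handler stores this value.
  const stored = consentCookieValue({ analytics: true, marketing: false }).split(';')[0];
  const second = applyConsent(readConsent(stored), loaders);
  // A record written under an older policy version is ignored: the banner re-asks.
  const stale = CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify({ v: 1, c: { marketing: true } }));
  const third = applyConsent(readConsent(stale), loaders);
  return { first, second, third, loaded };
}

console.log(JSON.stringify(demo(), null, 1));
```

The important property is the default: with no record, or a record that fails any check, applyConsent() runs only the ‘necessary’ loader, so the pixel and analytics scripts are never injected ahead of a click. Versioning the record means a change to your privacy policy invalidates earlier consent rather than silently carrying it over.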

Functionality-based cookies

It is common, especially for sites based on a CMS like WordPress, to use cookies to provide particular types of functionality. For example, on a multi-lingual site, it is likely that a cookie will be used to store the user’s language preference. Or, on a site that uses popup windows, a cookie might be used to track that a user has already seen the popup, and prevent it firing repeatedly.

These types of cookies, especially when they are generated by a software plugin, can be a little more complex to deal with from a privacy perspective – because it may be necessary to adjust the code that delivers those cookies to ensure that they are only set when an individual has given their consent.

Whether this is possible or not will depend on the exact nature of the cookie itself, and it is therefore likely that you will need to speak with whoever looks after your site.

Summary

As you can no doubt tell, getting the cookie control and privacy policy right is likely to be a challenge for many small business websites.

In my opinion, there will be plenty of simple websites out there that, if managed properly, will not need any specific cookie control functionality or annoying cookie warnings.

The wisest approach is:

  • to thoroughly audit your site so that you definitely understand what cookies are in use;
  • challenge yourself whether those cookies are really necessary, and remove any cookie-dropping functionality that you don’t really need – after all, data minimisation is always going to be your best bet here;
  • make sure you have a good justification (documented in your privacy policy) for the use of any cookies for which you say you don’t need consent;
  • speak to whoever looks after your website to work out your options for blocking any remaining cookies that do need prior consent.

And if it feels like a pain in the arse, that’s because it is.

I’ll repeat my disclaimer from the beginning of this series of articles – the responsibility for data privacy within your business is ultimately with you, the data controller. The information provided here is an attempt to help people short-cut what can be a daunting task – but none of it should be considered to be legal advice.

You can contact me here if you have any data privacy needs relating to your website. For specific legal advice relating to your particular business, I would always recommend speaking to a specialist legal professional.
