Franchising · 21 October 2019

How to contend with new cookie rules

Even huge multi-nationals with large privacy teams struggle with the European rules around cookies – for SMEs, it’s a veritable minefield. There are so many questions to contend with: do you need a pop-up, how should it look, what precisely do you need opt-in consent for? It’s far from straightforward.

Looking through examples on the internet can make it even more confusing for SMEs, since there are so many different versions and approaches in use. Whilst it might be tempting to simply copy what you see elsewhere, many of those examples just aren’t compliant.

Beware the regulators…

Regulators will be clamping down in this area, so it is important for you to know what changes have come about and the practical steps you need to take in order to avoid enforcement action.

What’s changed?

The UK Information Commissioner’s Office (ICO) published its updated guidance on cookies in July 2019 and many other data protection authorities across Europe have been doing the same.

The guidance isn’t really that surprising to privacy practitioners. The laws on cookies have actually been in place since 2002 and GDPR, which also applies given cookies involve the processing of personal data, has been in force for over a year.

However, because there hadn’t been specific guidance on what the regulators expected from companies and because the old cookie laws have been under review recently, many companies had taken a ‘wait and see’ approach rather than making significant changes to their cookie strategy and approach.

What’re the rules?

Such an approach is now far riskier, as the regulator has made its position very clear.

These rules apply now, and whilst some countries have given companies a transition period to comply with their new guidance (notably, France), the UK hasn’t since it views the guidance really as just clarifying what the law has been for some time.

What do I need to do?

Don’t get muddled, get ‘cookie’ smart!

There are several components to compliance. First, you need to tell people you are using cookies, the types and purposes. The common way of doing this is to have a pop-up saying cookies are being used and linking to a cookie policy or privacy policy where the relevant information is included.

You then need consent for the use of all non-essential cookies. This consent must be obtained before the cookies are installed. Similarly, there also needs to be a clear ability to reject the cookies and turn them off later.

Finally, since the cookies involve the processing of personal data, the general obligations under GDPR apply. Most companies need to have in place records of processing – essentially an inventory of the personal data used by that company, purposes, etc.

You will need to obtain consent for the following types of cookies:

  • All “non-essential” cookies
  • Analytic cookies such as Google Analytics (but if you are using your own non-obtrusive cookies for matters such as basic web measurement, that is low risk)
  • Marketing cookies and pixels
  • Personalisation cookies. For example, cookies that personalise the content of services whether by making recommendations or tailoring the experience for that user
  • Cookies used to track interactions with email communications. For example, if you use cookies to track who is opening e-newsletters

You won’t need to get consent for:

  • Essential security cookies
  • Essential e-commerce cookies, for example, those that are needed to remember what a shopper had in their basket
  • Cookies required to make the transmission of communication possible
  • Load balancing cookies
  • Intranet cookies

How to acquire consent

Ensure you’ve got consent.

Many SMEs use off-the-shelf websites where the cookie pop-up and consent tools are provided to them. Unfortunately, many of the companies that provide these tools and websites haven’t yet updated them to be compliant.

This puts the SMEs who use them at potential risk. If you are in this situation, you may need to deactivate the use of non-essential cookies until the tools have been updated. You should certainly be raising this point with your provider and requesting a compliant solution as soon as possible.

There is no specific template that you have to use but whatever mechanism you choose it must meet the following criteria:

  • There must be a clear affirmative action. Silence or inaction, or wording (still regularly seen in cookie notices) along the lines of “by continuing to use this site you give your consent”, is not valid
  • You can’t use default consent settings such as pre-ticked boxes or sliders set to ‘on’
  • You have to give clear information about the cookies (ie what types/purposes) before users give consent
  • You have to provide a means to control the cookies – ie turn them off
  • You can’t put in place a cookie wall – ie block users from a site or content until they agree to the cookies
  • The consent mechanism can’t ‘nudge’ the individual towards a particular option – ie emphasising the accept over the reject
  • Just putting a link to ‘more information’ or ‘settings’ where opt-outs or rejections are explained is not sufficient
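The two requirements that most often go wrong in practice are the ones above and in the earlier section: non-essential cookies must not be set until there is an explicit affirmative choice, and the user must be able to turn them off later. The following is an added example of how a site's own script can enforce that, not code from the article, from the ICO, or from any website-builder tool it mentions. The cookie names (apart from Google Analytics' `_ga`), the three categories, and the small store interface (`set`, `remove`, `get`) are assumptions for illustration; the in-memory store lets it run offline, and the `browserStore` adapter shows the same interface over `document.cookie`.

```javascript
// Consent-gated cookie handling (added example; assumptions noted inline).
const CATEGORIES = ['analytics', 'marketing', 'personalisation']; // assumed category names

// In-memory cookie store so the example runs offline (constructed for the example).
function memoryStore() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    get: (name) => jar.get(name),
  };
}

// Same interface over document.cookie for use in a real page (not exercised here).
function browserStore() {
  return {
    set: (name, value) => { document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`; },
    remove: (name) => { document.cookie = `${name}=; path=/; Max-Age=0`; },
    get: (name) => {
      const m = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
      return m ? decodeURIComponent(m[1]) : undefined;
    },
  };
}

function createConsentManager(store) {
  // null means "no decision yet". There is deliberately no default of "all on".
  let consent = null;
  // Non-essential cookies requested before a decision are deferred, never set.
  const deferred = [];
  // Non-essential cookies this manager actually set, per category, so withdrawal can delete them.
  const placed = Object.fromEntries(CATEGORIES.map((c) => [c, new Set()]));

  // Restore an earlier decision on later page loads. The record of the choice is
  // itself an essential cookie (assumed name 'cookie_consent').
  const saved = store.get('cookie_consent');
  if (saved) {
    try { consent = JSON.parse(saved); } catch (_) { consent = null; }
  }

  // Returns true if the cookie was set now, false if it was deferred or refused.
  function setCookie(name, value, category) {
    if (category === 'essential') { store.set(name, value); return true; }
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (consent && consent[category]) {
      store.set(name, value);
      placed[category].add(name);
      return true;
    }
    deferred.push({ name, value, category });
    return false;
  }

  // Only an explicit affirmative action (accept / reject / save settings) counts.
  // Closing the banner or continuing to browse leaves consent at null.
  function recordChoice(choice) {
    if (!choice || choice.affirmative !== true) return false;
    consent = Object.fromEntries(CATEGORIES.map((c) => [c, choice[c] === true]));
    store.set('cookie_consent', JSON.stringify(consent));
    // Release deferred cookies for accepted categories; drop the rest.
    for (const d of deferred.splice(0)) {
      if (consent[d.category]) { store.set(d.name, d.value); placed[d.category].add(d.name); }
    }
    return true;
  }

  // "Turn them off later": revoke one category and delete the cookies it placed.
  function withdraw(category) {
    if (!consent || !CATEGORIES.includes(category)) return false;
    consent[category] = false;
    store.set('cookie_consent', JSON.stringify(consent));
    for (const name of placed[category]) store.remove(name);
    placed[category].clear();
    return true;
  }

  return {
    setCookie,
    recordChoice,
    withdraw,
    hasDecided: () => consent !== null,
    allows: (category) => Boolean(consent && consent[category]),
  };
}
```

Two design points follow from the criteria in the list. First, `recordChoice` accepts only `affirmative: true`, so a banner that is scrolled past, closed or ignored never unlocks anything, and a rejection is stored just as durably as an acceptance so the pop-up is not shown again. Second, `withdraw` only knows about cookies set during the current page load; across loads, a site should keep a fixed list of the cookie names each third-party tool sets so that withdrawal can delete cookies placed on earlier visits.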

ABOUT THE EXPERT

Elle is a partner at Reed Smith's London base. She is widely recognised as a leading practitioner in digital and data law. Her clients range from the biggest international household names to disrupters and tech entrepreneurs. She has a deep knowledge of the consumer brands, ecommerce, technology and media sectors in particular, helping clients to navigate compliance and commercial issues in order to innovate and succeed.