Franchising · 21 October 2019

How to contend with new cookie rules


Even huge multi-nationals with large privacy teams struggle with the European rules around cookies; for SMEs, it’s a veritable minefield. There are so many questions to contend with: do you need a pop-up, how should it look, what precisely do you need opt-in consent for? It’s far from straightforward.

Looking through examples on the internet can make it even more confusing for SMEs since there are so many different versions and approaches being used. Whilst it might be tempting to simply copy what you see elsewhere, many just aren’t compliant.

Beware the regulators…

Regulators will be clamping down in this area, so it is important for you to know what changes have come about and the practical steps you need to take in order to avoid enforcement action.

What’s changed?

The UK Information Commissioner’s Office (ICO) published its updated guidance on cookies in July 2019 and many other data protection authorities across Europe have been doing the same.

The guidance isn’t really that surprising to privacy practitioners. The laws on cookies have actually been in place since 2002 and GDPR, which also applies given cookies involve the processing of personal data, has been in force for over a year.

However, because there hadn’t been specific guidance on what the regulators expected from companies and because the old cookie laws have been under review recently, many companies had taken a ‘wait and see’ approach rather than making significant changes to their cookie strategy and approach.

What’re the rules?

Such an approach is now far riskier, as the regulator has made its position very clear.

These rules apply now, and whilst some countries have given companies a transition period to comply with their new guidance (notably, France), the UK hasn’t, since it views the guidance really as just clarifying what the law has been for some time.

What do I need to do?

Don’t get muddled, get ‘cookie’ smart!
There are several components to compliance. First, you need to tell people that you are using cookies, along with their types and purposes. The common way of doing this is to have a pop-up saying cookies are being used and linking to a cookie policy or privacy policy where the relevant information is included.

You then need consent for the use of all non-essential cookies. This consent must be obtained before the cookies are installed. Similarly, there also needs to be a clear ability to reject the cookies and turn them off later.


 

ABOUT THE EXPERT

Elle is a partner at Reed Smith's London base. She is widely recognised as a leading practitioner in digital and data law. Her clients range from the biggest international household names to disrupters and tech entrepreneurs. She has a deep knowledge of the consumer brands, ecommerce, technology and media sectors in particular, helping clients to navigate compliance and commercial issues in order to innovate and succeed.
