Are you incorrectly getting consent for cookies? The ICO publish cookie guidance for website owners and bloggers

Since the General Data Protection Regulation (GDPR) came into effect last year, there have been a lot of questions surrounding cookies. Last week the Information Commissioner's Office (ICO), which is the UK Data Protection Authority, published its long-awaited cookie guidelines.

For cookies, the rules to look at first are the Privacy and Electronic Communications Regulations (PECR), which sit alongside GDPR and apply specifically to cookies and similar technologies. If you operate an online service such as a website or a mobile app, you need to understand how the PECR apply to your use of cookies.

Here is a summary of what the ICO has published, but please take the time to read the guidelines yourself to get a full understanding.

ICO publish cookie guidelines for website owners

What is a cookie?

A cookie is a small text file that is downloaded onto a device when the user accesses a website/app. It allows the site to recognise that user’s device and store information about the user’s preferences or past actions.

How are cookies used?

Cookies can be used in numerous ways, such as:

  • remembering what’s in a shopping basket
  • supporting users to log in to a website
  • analysing traffic to a website
  • tracking users’ browsing behaviour

What do we need to do to comply?

Implied consent is no longer acceptable. 

You do not have to ask for consent every time the same person visits your site, but keep in mind that the same device may be used by multiple people so you may need to periodically check for consent. If your use of cookies changes over time, you may need to obtain fresh consent.

The basic rule is that you must:

  • Tell people the cookies are there
  • Clearly explain what the cookies are doing and why
  • Explain what third-party cookies are in use and why
  • Detail the duration of the cookies you use (are they session or persistent cookies)
  • Get the person’s active and clear consent to store a cookie on their device.

You should provide detailed information about the cookies that you use. You can do this in a separate Cookie Policy or as a section of your Privacy Policy. Link to it from the cookie consent mechanism and from the footer of your website.

There is an exception for cookies that are essential to provide an online service at someone’s request (like remembering what’s in their online basket or ensuring security for online banking).

Cookies for analytics and social media plugins do not fall within the ‘strictly necessary’ exemption. Therefore you will need to tell people about these cookies and gain consent for their use.

What are Session and Persistent cookies?

Cookies that expire at the end of a browser session (normally when a user exits their browser) are called session cookies. They allow sites to recognise and link the actions of a user during a browsing session. 

Persistent cookies are stored on a user’s device in-between sessions. They can allow the preferences or actions of the user across a site to be remembered.

What are first-party and third-party cookies?

First-party cookies are set directly by the website the user is visiting.

Third-party cookies are set by a domain other than the one the user is visiting. This typically occurs when the website incorporates elements from other sites such as images, social media plugins or advertising. 

What counts as consent?

Similarly to GDPR, consent must be freely given, specific and informed. 

It must involve some form of unambiguous positive action like ticking a box or clicking a link. The person must fully understand that they are giving you consent. 

Pre-ticked boxes cannot be used for non-essential cookies, and non-essential cookies must not be set on landing pages before you gain the user’s consent. Users should have the option to enable or disable non-essential cookies, and you should make this easy to do.

A blanket approach that blocks content until the user accepts, such as a cookie wall, should also be avoided, because consent given that way is not freely given. A cookie wall requires users to accept the setting of cookies before they can access an online service’s content. Statements such as ‘by continuing to use this website you are agreeing to cookies’ are also not valid consent.

Does my WordPress site use cookies?

That depends what you’ve installed but the likelihood is yes, it does.

You should check your theme and plugins for cookies. Do you personalise content, display ads or embed YouTube videos? Are you tracking stats or using Google Analytics? Do you use social media features on your site? Do you use a content delivery network (CDN)?

ICO Cookie Consent Mechanism

I’ll update this post with cookie consent options as they get updated for these guidelines. I believe iubenda may have the best solution at the moment.

If you’re looking for a good example, the ICO have updated their cookie consent mechanism to provide information and collect consent. It is a side-banner that includes a checkbox which is off by default for third-party cookies from Google Analytics. When you close the banner, there is a permanent icon in the bottom corner so cookie controls are always accessible.

More information available from the ICO
