Since the General Data Protection Regulation (GDPR) came into effect last year, there have been a lot of questions surrounding cookies. Last week the Information Commissioner's Office (ICO), which is the UK Data Protection Authority, published its long-awaited cookie guidelines.
Here is a summary of what the ICO has published, but please take the time to read the guidelines yourself to get a full understanding.
What is a cookie?
A cookie is a small text file that is downloaded onto a device when the user accesses a website/app. It allows the site to recognise that user’s device and store information about the user’s preferences or past actions.
How are cookies used?
Cookies can be used in numerous ways, such as:
- remembering what’s in a shopping basket
- supporting users to log in to a website
- analysing traffic to a website
- tracking users’ browsing behaviour
What do we need to do to comply?
Implied consent is no longer acceptable.
The basic rule is that you must:
- Tell people the cookies are there
- Clearly explain what the cookies are doing and why
- Explain what third-party cookies are in use and why
- Detail the duration of the cookies you use (are they session or persistent cookies)
- Get the person’s active and clear consent to store a cookie on their device.
There is an exception for cookies that are essential to provide an online service at someone’s request (like remembering what’s in their online basket or ensuring security for online banking).
Cookies for analytics and social media plugins do not fall within the ‘strictly necessary’ exemption. Therefore, you will need to tell people about these cookies and gain consent for their use.
What are Session and Persistent cookies?
Cookies that expire at the end of a browser session (normally when a user exits their browser) are called session cookies. They allow sites to recognise and link the actions of a user during a browsing session.
Persistent cookies are stored on a user’s device in-between sessions. They can allow the preferences or actions of the user across a site to be remembered.
What are first-party and third-party cookies?
First-party cookies are set directly by the website the user is visiting.
Third-party cookies are set by a domain other than the one the user is visiting. This typically occurs when the website incorporates elements from other sites such as images, social media plugins or advertising.
What counts as consent?
As under GDPR, consent must be freely given, specific and informed.
It must involve some form of unambiguous positive action like ticking a box or clicking a link. The person must fully understand that they are giving you consent.
Pre-ticked boxes cannot be used for non-essential cookies, and non-essential cookies must not be set on landing pages before you gain the user’s consent. Users should have the option to enable or disable non-essential cookies, and you should make this easy to do.
A blanket approach of blocking content for users, such as a cookie wall, should also be avoided, as it is not considered freely given consent. A cookie wall requires users to accept the setting of cookies before they can access an online service’s content. Statements such as ‘by continuing to use this website you are agreeing to cookies’ are also not valid consent.
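The session/persistent distinction and the consent rules above, as an added example that is not from the ICO guidance or the original post: a small server-side model in which every cookie is declared with its purpose, duration and any third party, non-essential categories default to off, only a ticked box changes that, and the Set-Cookie headers a response may carry are filtered by the recorded consent. The cookie names, categories and lifetimes are assumptions for illustration.

```javascript
// Added example (not from the ICO guidance or the original post): models the
// rules above server-side. Cookie names, categories and lifetimes are
// assumptions for illustration; maxAge is in seconds, null means session.
const COOKIE_CATALOGUE = {
  sessionid: { category: 'essential', maxAge: null, reason: 'keeps you logged in' },
  basket: { category: 'essential', maxAge: 7 * 24 * 3600, reason: 'remembers your basket' },
  _ga: { category: 'analytics', maxAge: 2 * 365 * 24 * 3600,
         thirdParty: 'Google Analytics', reason: 'measures site traffic' },
  yt_embed: { category: 'social', maxAge: null, thirdParty: 'YouTube', reason: 'plays embedded videos' },
};

// Non-essential categories start unticked: no pre-ticked boxes.
function defaultConsent() {
  return { analytics: false, social: false };
}

// Only an unambiguous positive action (ticking a box) counts. Scrolling,
// closing the banner or "continuing to use the site" leave consent unchanged.
function recordConsent(consent, action) {
  if (action.type !== 'tick' || !(action.category in consent)) return consent;
  return { ...consent, [action.category]: action.checked === true };
}

// One Set-Cookie header. Without Max-Age/Expires the browser treats it as a
// session cookie; with Max-Age it is persistent.
function setCookieHeader(name, value, spec) {
  const attrs = [`${name}=${value}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (spec.maxAge !== null) attrs.push(`Max-Age=${spec.maxAge}`);
  return attrs.join('; ');
}

// Headers a response may carry: essential cookies always, any other category
// only after the user has actively opted into it.
function allowedSetCookieHeaders(values, consent, catalogue = COOKIE_CATALOGUE) {
  return Object.entries(catalogue)
    .filter(([, spec]) => spec.category === 'essential' || consent[spec.category] === true)
    .map(([name, spec]) => setCookieHeader(name, values[name] || '', spec));
}

// The disclosure the banner must make: what, why, how long, and whose.
function cookieNotice(catalogue = COOKIE_CATALOGUE) {
  return Object.entries(catalogue).map(([name, spec]) => {
    const life = spec.maxAge === null ? 'session' : `persistent, ${spec.maxAge} s`;
    const who = spec.thirdParty ? `third party: ${spec.thirdParty}` : 'first party';
    return `${name} (${spec.category}, ${life}, ${who}): ${spec.reason}`;
  });
}
```

On a landing page, `allowedSetCookieHeaders(values, defaultConsent())` yields only the two essential headers; the analytics header appears only after a `tick` action with `checked: true`.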
That depends on what you’ve installed, but the likelihood is yes, it does.
You should check your theme and plugins for cookies. Do you personalise content, display ads or embed YouTube videos? Are you tracking stats or using Google Analytics? Do you use social media features on your site? Do you use a content delivery network (CDN)?
I’ll update this post with cookie consent options as they get updated for these guidelines. I believe iubenda may have the best solution at the moment.
If you’re looking for a good example, the ICO have updated their cookie consent mechanism to provide information and collect consent. It is a side-banner that includes a checkbox which is off by default for third-party cookies from Google Analytics. When you close the banner, there is a permanent icon in the bottom corner so cookie controls are always accessible.