05 Feb 2019 | 1:18 pm | 4 min. read
EU law says that organisations using cookies on their websites, which is almost all organisations, must inform users about cookies and obtain their consent for using them. What does that mean in practice?
The EU's E-Privacy Directive of 2002 required that website visitors be given certain information about cookies. From 26 May 2011 the law changed, meaning that, in addition to being given certain information, visitors must give their consent to the placing of cookies.
In the UK the laws that give effect to the EU legislation are the Privacy and Electronic Communications (EC Directive) 2003 as amended by the Regulation of 2011 (PECR).
When the changes to EU cookie law were implemented in 2011, there was some confusion about how websites should seek and get cookie consent. Most sites used a notice for first-time visitors which sought to obtain consent and assumed consent if someone continued to use the site without expressing a preference.
From 25 May 2018 the General Data Protection Regulation (2018 Act) came into force. It says that consent for data processing has to be given by users through a "clear affirmative action" and it must be freely given, specific, informed and unambiguous. These consent requirements are harder to satisfy, and they mean that the user should be given a real choice about which cookies, other than strictly necessary cookies, are used when they browse the website.
Obtaining users' consent to the placing of a cookie is technically more difficult. The ICO guidance suggests a number of different ways to obtain consent. This guidance has yet to be updated by the ICO so the suggestions below are a starting point, as any mechanism used will also need to satisfy the requirements of consent under the 2018 Act:
- pop ups or similar techniques asking for consent can be used. Pop ups are discouraged by Web Content Accessibility Guidelines. They may also spoil the experience of using a website. Users can also block pop ups by default, making this impractical;
- preferences that users choose when visiting a site can also be used as a means of obtaining consent. Consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work, provided sufficient information about the use of the cookies is provided. This would apply to any feature where a user is told that a site can remember certain settings they have chosen;
- website features, such as videos, that remember how users personalise their interaction can also determine user consent. In this case, where the user is taking some action to tell the webpage what they want to happen - opening a link, clicking a button or agreeing to the functionality being 'switched on' - then their consent to set a cookie can be asked at this point;
- where a site allows a third party to set cookies, the process of getting consent is more difficult. Initiatives that seek to ensure that users are given more and better information about the use of information, for example the use of the "i" symbol, referred to below, should be used. Anyone whose site uses or allows third party cookies must ensure that the right information is delivered to users so they can make informed choices.
All of the above mechanisms are used with varying degrees of success across websites. Whichever method you choose, cookies should not be set until the user takes some form of positive action on the website.
To try to satisfy the new consent requirements under the 2018 Act, a number of companies have developed cookie tools and privacy management software which allow an individual to set their cookie preferences by enabling them, for example, to reject the use of analytical, marketing or advertising cookies. Such tools are also a mechanism through which the website owner can seek to obtain and record the individual's consent so that they can evidence such consent at a later date. These tools also allow an individual to change their preferences. This is important, as an individual has the right to withdraw their consent as easily as they have given it. As such tools and software are relatively new to the market, they have not as yet been given any regulatory or supervisory authority approval.
Very few sites avoid using cookies altogether, as doing so could place them at a disadvantage to competitors and sites outside the EU. A non-cookie site may lose revenues from advertising, meaning that it is not cost effective to run such a site, and the site would not be able to measure traffic or learn about its users via tools such as Google Analytics, which is cookie-dependent.
Website owners/businesses should consider what would work for them by looking at their business and how they use their website.