Many online business owners do not know the importance of cookies when providing their goods/services via their online platform. Cookies are small pieces of plain-text information stored by software on a user's device, which help identify the user and the browser between website visits. They are used, for example, to track a user’s browsing behaviour and to remember what a user has put into their online shopping basket when buying goods online.
Cookies serve a wide range of purposes for businesses, all of which can be divided into “essential” cookies and “non-essential” cookies. An essential cookie, as indicated by its name, is necessary in order for a website to be able to function and cannot be disabled. Essential cookies do not, therefore, require consent from the user. All other cookies are deemed non-essential (for example, analytics cookies to count the number of times a user visits a website) and require consent from the user.
The UK Data Protection Authority, the Information Commissioner’s Office (ICO), issued new guidance in July 2019 in relation to the use of cookies. It explains that, under rules on the use of cookies covered by the Privacy and Electronic Communication Regulations (PECR), if you use cookies, you must a) explain what cookies will be set, b) explain what the cookies will do, and c) obtain consent to store cookies on devices.
There is no definition of consent provided in PECR, so the definition of consent under the General Data Protection Regulations (GDPR) will apply. The guidance states that organisations should look at PECR first to ensure that its requirements are being met before looking to the GDPR for the standard of consent. In relation to cookies, this means making sure it is clear to website users how they can indicate that they have consented to the use of non-essential cookies. A website operator should also be transparent by clearly informing users about which cookies are being used and what they do before the user provides consent. Where third-party cookies are being used, the operator should make it clear who the third parties are and what they will do with the information. The operator should also not use pre-ticked boxes, such as automatic “on” sliders for non-essential cookies which users have to turn off, and should give users control over any such non-essential cookies.
The ICO in its guidance has indicated that a full cookie wall which requires users to agree to the setting of cookies before accessing online content is inappropriate in some circumstances because it does not appear that consent has been freely given in accordance with the GDPR.
Practical Note
Businesses and organisations operating online will need to review their existing cookie policies and ensure that their online platform allows users to provide freely given and valid consent to the use of cookies before accessing any user’s content in accordance with the guidelines.
It is important, therefore, as an online business owner, to:
give consideration to existing mechanism(s) in place for obtaining consent for non-essential cookies,
have your existing cookie policy reviewed and amended to take into account the ICO’s recent guidelines,
ensure clear consent is obtained again if introducing / changing cookies, and make sure users are made aware of such changes.
Should you require further assistance in relation to the use of cookies, please contact Layton’s IP & Technology team.