GDPR & Cookies

A cartoon depicting a large blob character shouting 'WE USE COOKIES!!!' at a small, shocked-looking blob character

Imagine you’ve just walked into a sweet shop. You approach the first shelf and begin to excitedly peruse the treats on offer…

Just as your starting to wonder why Lucky Charms are so expensive these days, you suddenly feel the warm breath of a shop assistant on the back of your neck.

“What’s going on?!” You say.

“Is it ok if we monitor your shopping activities in our store today sir/madam?”

Whatever your response would be to this, I’m going to assume it wouldn’t be delivered with a smile(!). Had they asked for your consent before they started monitoring you, things would have been much better.

This is exactly the change the web is going through right now. Visitors landing on your website need to consent to cookies before one is actually set, and as of May 2018, the ICO will begin to police the new law.

Our mission is to ensure that we help our clients gain compliance, without compromising the user experience of their website as a result…

What is a cookie?

In computing, the term cookie is used to descibe a small amount of data that is set by a website on a visitors device. Most of the time it will be storing a unique code in order to recognise your device on subsequent page loads and visits.

I’ve never been a big fan of the term “cookie” myself. For me, it doesn’t do what it says on the tin. However, that is set to change as all websites setting cookies must now declare so. This means that awareness of what cookies are should (hopefully) become common knowledge amongst society.

Does my website use cookies?

In the majority of cases, yes. Even the simplest of websites normally have a tracking script running (such as Google Analytics) on them, and these will make use of cookies.

Many websites are also dependant on cookies for functionality. For example, eCommerce websites use them to remember the contents of your shopping cart.

So, what needs to be done?

In order to gain compliance, the following plan of action is recommended:

1. Complete a cookie audit. In the first instance, identify and outline the details of each cookie such as:

  • What the cookie is
  • Where is comes from (first party, third party etc.)
  • Whether it is persistent (remains present when returning to the website later on)
  • Why it is used
  • What happens if consent isn’t given
  • How invasive the cookie is for the user
  • How long the cookie is set for

2. Write a cookie policy. All of the details above need to be documented in your cookie policy and displayed on your website in an easy-to-find (not hidden) place.

3. Implement a cookie consent message. If your site uses cookies, then you must display a message asking visitors to give you their consent for setting them. Once again, this needs to be displayed in an easy-to-find (not hidden) place.

The Techy Stuff

By default, most cookies are normally set on the first page load of a website. Now that the law has changed, this is not allowed and the cookie can only be set once a visitor has given their consent.

In some cases, consent can be implied. For example “This website used cookies to track the number of visits to our website, by continuing to navigate this website you consent to us storing a cookie on your device.” The cookie can then be set on the subsequent visitor action (such as clicking to another page).

In this instance, it is certainly worth quoting directly from the ICO’s own guidelines:

“Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices. While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.

Withdrawing cookie consent must be also be made possible, perhaps by implementing a button on the cookie policy page that will delete the existing cookies and prevent a subsequent one being set.

Design Considerations

In terms of design, cookie consent messages and policies are often seen as a “bolt on”. They aren’t part of the original design. Moving forward this has to change, we need to think about cookie consent throughout our user journey and make it a part of wireframes and draft designs right from the start of a project.

For existing websites, each one needs to be looked at individually to ensure compliance is acheived. The User Experience must not compromised by blindly copy and pasting the exact same cookie function onto every website.

Yes, it is good to reuse code (and we will), however the style, tone of voice, and context of each website will be different.

Why can’t something be done at a browser level?

In an ideal world, it would be great if the browsers (such as Google Chrome, and Microsoft Edge) informed us about cookies in a consistent way as we clicked through different websites.

According to the cookie guidelines, the ICO are in discussions with browser vendors about this. However, a solution is not available yet, and even when it is there will still be many visitors using older versions of web browsers. So the for the forseeable future, we must continue to display cookie messages to users and gain their consent.

It is also worth noting that users can (and have always been able to) block cookies using the advanced settings within the browser.

How can we get started?

If you’d like us to help conduct a cookie audit on your website and recommend a plan of action tailored to your website, please get in touch.