How to comply with cookie law

Out-Law Guide | 05 Feb 2019 | 1:18 pm | 4 min. read

EU law says that organisations using cookies on their websites, which is almost all organisations, must inform users about cookies and obtain their consent for using them. What does that mean in practice?

This guide was last updated in January 2019. It previously appeared on the AboutCookies.org site, which like Out-Law.com was run by Pinsent Masons.


This is part of Out-Law's guide to cookies. EU law requires website operators to obtain consent to the use of cookies, other than those that are strictly necessary cookies, and provide users with information about how to manage and delete cookies.

We provide that here, and many organisations link to our guidance rather than lengthen already-long privacy policies. You can too: there is no charge for this and you don't need our specific permission. We used to provide this at AboutCookies.org, but now provide it here instead.


The EU's E-Privacy Directive of 2002 required that website visitors be given certain information about cookies. From 26 May 2011 the law changed, meaning that, in addition to being given certain information, visitors must give their consent to the placing of cookies.

In the UK, the laws that give effect to the EU legislation are the Privacy and Electronic Communications (EC Directive) 2003 as amended by the Regulation of 2011 (PECR).

When the EU cookie law changes were implemented in 2011 there was some confusion about how websites should seek and obtain cookie consent. Most sites used a notice for first-time visitors which sought to obtain consent, and assumed consent if someone continued to use the site without expressing a preference.

From 25 May 2018 the General Data Protection Regulation (2018 Act) came into force. It says that consent for data processing has to be given by users through a "clear affirmative action" and that it must be freely given, specific, informed and unambiguous. These consent requirements are harder to satisfy, and they mean that the user should be given a real choice about which cookies, other than strictly necessary cookies, are used when they browse the website.

In addition to fulfilling the consent requirements, information should be provided to the user in a privacy policy, a data protection notice, or both. The privacy policy or notice, if used properly, can meet the information provision requirements of both PECR and the 2018 Act. For further information on implementing a privacy policy or data protection notice online, see Out-Law's guide to data protection.

Obtaining users' consent to the placing of a cookie is technically more difficult. The ICO guidance suggests a number of different ways to obtain consent. This guidance has yet to be updated by the ICO, so the suggestions below are a starting point only, as any mechanism used will also need to satisfy the requirements for consent under the 2018 Act:

  • pop-ups or similar techniques asking for consent can be used. Pop-ups are discouraged by the Web Content Accessibility Guidelines. They may also spoil the experience of using a website. Users can also block pop-ups by default, making this impractical;
  • preferences that users choose when visiting a site can also be used as a means of obtaining consent. Consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work, provided sufficient information about the use of the cookies is provided. This would apply to any feature where a user is told that a site can remember certain settings they have chosen;
  • website features, such as videos, that remember how users personalise their interaction can also determine user consent. In this case, where the user is taking some action to tell the webpage what they want to happen - opening a link, clicking a button or agreeing to the functionality being 'switched on' - their consent to set a cookie can be asked for at this point;
  • for analytics cookies used to gather information about how people access and use a site, it may be possible to add a footer or header to a webpage containing text. This text is highlighted or turned into a scrolling piece of text when a site wants to set a cookie on a user's device. In turn this could direct the user to read additional information, possibly contained in a privacy policy, and make an appropriate choice;
  • where a site allows a third party to set cookies, the process of getting consent is more difficult. Initiatives that seek to ensure that users are given more and better information about the use of information, for example the use of the "i" symbol, referred to below, should be used. Anyone whose site uses or allows third-party cookies must ensure that the right information is delivered to users so they can make informed choices.

All of the above mechanisms are used, with varying degrees of success, across websites. Whichever method you choose, cookies should not be set until the user takes some form of positive action on the website.

To try to satisfy the new consent requirements under the 2018 Act, a number of companies have developed cookie tools and privacy management software which allow an individual to set their cookie preferences, for example by enabling them to reject the use of analytics, marketing or advertising cookies. Such tools are also a mechanism through which the website owner can seek to obtain and record the individual's consent, so that they can evidence that consent at a later date. These tools also allow an individual to change their preferences. This is important, as an individual has the right to withdraw their consent as easily as they gave it. As such tools and software are relatively new to the market, they have not as yet been given any regulatory or supervisory authority approval.
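The two technical points above (no non-essential cookie is set until a positive action, and consent is recorded so it can be evidenced and withdrawn later) can be reduced to a small consent gate. The code below is an added example, not from the Out-Law guide or any vendor's tool; the category names, the `cookie-policy-v1` identifier and the in-memory cookie jar standing in for `document.cookie` are constructed for illustration.

```javascript
// Constructed category names and policy version; assumed, not from the guide.
const STRICTLY_NECESSARY = 'strictly_necessary';
const POLICY_VERSION = 'cookie-policy-v1';

class ConsentManager {
  // `now` is injectable so the recorded timestamp is deterministic in tests.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.record = null;     // nothing recorded: only strictly necessary cookies allowed
    this.jar = new Map();   // stand-in for document.cookie
  }

  // Consent is recorded only for a clear affirmative action (a click on a
  // consent control); continuing to browse or scrolling does not count.
  recordConsent(allowedCategories, action) {
    if (action !== 'click') throw new Error('consent requires an affirmative action');
    this.record = { allowed: new Set(allowedCategories), policy: POLICY_VERSION,
                    at: this.now(), action };
    this.purgeDisallowed();
    return this.evidence();
  }

  // Withdrawal must be as easy as giving consent: one call, and any cookie
  // that is no longer permitted is removed.
  withdraw() { this.record = null; this.purgeDisallowed(); }

  isAllowed(category) {
    if (category === STRICTLY_NECESSARY) return true;
    return this.record !== null && this.record.allowed.has(category);
  }

  // The only write path for cookies; refuses anything not consented to.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  purgeDisallowed() {
    for (const [name, c] of this.jar) if (!this.isAllowed(c.category)) this.jar.delete(name);
  }

  // Serialisable record of what was consented to, when, and under which
  // policy version: the evidence a site owner keeps for later.
  evidence() {
    if (!this.record) return null;
    return { ...this.record, allowed: [...this.record.allowed].sort() };
  }
}
```

Wire `setCookie` to the real cookie-writing code and `recordConsent` to the consent control's click handler; analytics or advertising tags are then loaded only when `isAllowed` returns true for their category.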

As an alternative, businesses may wish to consider running a site without cookies. A simple brochure-style site with no way to log in and no e-commerce functionality may not need cookies at all, meaning that the new law will not affect the site.

Very few sites do this, as it could place them at a competitive disadvantage to competitors and to sites outside the EU. A non-cookie site may lose advertising revenue, making it uneconomic to run, and it would not be able to measure traffic or learn about its users via tools such as Google Analytics, which is cookie-dependent.

Website owners/businesses should consider what would work for them by looking at their business and how they use their website.