How Compliant are your Cookies?

October 28, 2019

If you’re reading this, chances are you have a website. And if you have a website, it most likely uses cookies.

Perhaps not many, but they will be there, lurking in the background. But do you know how to find out what they are, what they do and what that means for your site visitors? Before you start delving into the back end of your site, read on – we can probably save you a great deal of time and grief!

Remember the arrival of the GDPR directives in May 2018? They signalled a huge change in the way consumer data was collected and used. By law, companies had to amend their data collection and storage policies. This led to a massive shift in opt-in practice as well as clear, visible and transparent privacy policies and cookie consent.

It was no longer permissible for websites to have pre-ticked boxes giving consent for data to be used or details added to mailing lists. If users wanted to be included on a mailing list, they had to actively tick a consent box. In the words of the GDPR, consent had to be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. That definitely doesn’t include pre-ticked boxes.

But what about cookies? Websites everywhere suddenly had pop-up cookie notices appearing every time a site was visited. A quick click of an ‘OK’ button after a message along the lines of ‘by continuing to use this site, you consent to the use of cookies’  - soft opt-in - and everyone thought they were GDPR-compliant. The visitor was, after all, given the option to not continue or to manually disable cookies.  

However, a year-long case in The Court of Justice of the European Union has ruled that pre-ticked or pre-filled boxes relating to cookie consent do not meet the GDPR rules and are therefore unlawful. It goes back to having to take physical action and unambiguously give consent through an affirmative act in order to opt-in. To consent to cookies being used, the user must undertake an affirmative action and not simply click a pre-populated box. They must also be told how long cookies are stored for and which, if any, third parties have access to the cookies – think Google Analytics, for example. Still with us?

What does this mean for websites?
  • Active and specific consent must be obtained from the user. Soft opt-ins, as shown above, may not be enough.
  • Amend cookie policies to indicate the lifetime of the cookies.
  • Amend cookies policies to let the user know about the third parties having access to cookie information – and to identify each third party individually.

So, what do we recommend you do?

First and foremost, you need to take a look at your cookie consent. UK websites should already be following the opt-in consent rules for cookies, but this recent ruling might result in more checks being made and fines being levied. For an easy and time-saving way to find out what’s on your site and what actions you need to take, call Target Ink on 01892 800400, email info@targetink.co.uk or visit us at https://www.targetink.co.uk/ We can quickly take a look at yours and make sure you are cookie compliant.

[And if you want to read more about the case that resulted in this cookie chaos, it was Bundesverband der Verbraucherzentralen und Verbraucherverbände Verbraucherzentrale Bundesverband eV v Planet49 GmbH. Happy reading!]