More UK companies to be targeted for non-compliant cookies

February 2024

How to get to grips with your cookies and similar technologies

If you haven’t done it already, now’s the time to get your cookies in order!

Following warnings issued to companies operating some of the UK’s most popular websites in November last year, the ICO says more warning letters will be issued to others for non-compliant cookies.

53 of the UK’s top websites receives letters warning them they faced ICO enforcement action if they did not make changes in relation to their advertising cookies.

The ICO says as a result 38 have changed their cookie banners to be compliant, 4 have committed to reach a compliant position soon, and several others are working to develop alternative solutions.

The regulator says; “We will not stop with the top 100 websites. We are already preparing to write to the next 100 – and the 100 after that.” An AI solution is being developed to help the ICO identify website using non-compliant cookie banners.

What is the ICO’s key concern

The focus is on meeting the requirement to give users a fair choice over whether they are tracked for advertising purposes. The ICO is stressing organisations must make it as easy for users to ‘reject all’ as it is to ‘accept all’. To be clear, websites can still display adverts when users reject tracking, just not ones which are tailored to the person’s browsing habits.

Our 5 steps for compliant cookies

So, how can we make sure we’re following the rules when we deploy cookies and other similar technologies? Here are some straight-forward steps to take:

1. Audit: Do a cookie audit. If you don’t know what cookies your website is using you can’t even start to be compliant. Run a diagnostic scan to discover exactly what cookies and similar technologies are currently deployed on your website(s). Establish what they are being used for and which are provided by third party providers and involve the sharing of data with the third party (for example Google, Meta, etc).

2. Spring clean: Get rid of the cookies you no longer need. This might sound obvious, but you’d be surprised how often we find long-forgotten cookies lurking on websites, serving no purpose. You might need to check with your colleagues which are still used.

3. Categorise: Categorise your cookies – what are they used for?

  • Strictly necessary (essential) cookies – these are vital for the website to operate. For example, a cookie which helps keep the website secure, or a cookie which allows items to be added to a cart in an online store.
  • Analytics/Statistics/Performance cookies – for example, cookies which allow you to monitor and improve the site performance.
  • Functional cookies – cookies which enable a site to remember user preferences and settings, to enhance their experience on your website.
  • Advertising/Targeting cookies – allowing visitors to be followed from one website to another so tailored advertising can be displayed, or to target the most relevant advertising on your own website.

4. Collect consent: The law tells us you need to collect consent for all cookies and similar technologies which are not ‘strictly necessary’ before cookies are dropped onto the users device. To achieve this, you may wish to select a specialist Consent Management Platform to handle notifications and consents for you, as a website ‘plug in’.

There are many CMPs on the market, some of which are free. Beware that not all of them meet the UK/EU cookie requirements, so care is required when selecting the right one. If you use sub-domains on your website, deploy a high number of cookies or you want to exercise some creativity with how it looks, your likely to need a paid solution.

5. Notify website users: Provide a clear notification about the cookies and similar technologies you deploy. This should include:

  • the cookies you intend to use;
  • the purposes they will be used for
  • any third parties who may also process information stored in or accessed from the user’s device; and
  • the duration of any cookies you wish to set.

There are two approaches to this. You can let the CMP handle both the notification (pop-up) and the provision of more detailed information about cookies, or you can use the CMP for the pop-up and provide a separate more detailed cookie notice.

What are cookies and similar technologies?

Cookies are small pieces of information, which are used when users visit websites. The user’s software (for example, their web browser) can store cookies and send them back to the website the next time they visits.

The cookie rules also apply to any other technologies which stores or accesses information on a user’s device. For example, similar technologies could include, web beacons, scripts, tracking pixels and plugins.

What the law says

Contrary to what we often read in the papers, GDPR does not give us the rules for cookies and similar technologies. In the UK the rules are set out in the Privacy and Electronic Communications Regulations (PECR) which are derived from the EU ePrivacy Directive. The specific requirements can vary by country, so think about which countries your site users visit from.

In simple terms, you can’t ‘drop’ a file on a user’s device or gain access to information stored on their device unless:

a) You have provided clear and comprehensive information about your purposes for doing this, and
b) You have collected the consent of the user.

There is an exemption for strictly necessary cookies only. The cookie rules apply regardless of whether you’re processing personal data or not, i.e. these rule also apply to the automated collection of anonymised data.

Some points worth noting from ICO guidance

  • Consent needs to meet the requirements under GDPR for it to be a specific, informed, indication of someone’s wishes given by a clear affirmative action.
  • You must inform users about what cookies you use and what they do before they give their consent.
  • Where third-party cookies are used, you must clearly and specifically name who these third parties are and what they will do with the information collected.
  • Users must be given control over non-essential cookies, and should be able to continue to use your website if they don’t give consent.

It’s worth noting the ICO has determined analytics cookies are NOT essential and require consent. However, this is not always the case in other European countries. For example, the French regulator CNIL does not mandate the collection of consent for analytics cookies. They consider these cookies can be used under Legitimate Interests, which means they still require websites to notify users and give them the opportunity to object (opt-out).

The future and alternative solutions for cookies

In both the UK and in the European Union there’s a concerted desire to simplify the rules and remove the necessity for everyone to be faced with a barrage of cookie pop-ups on every website they visit. As yet however, a suitable solution has not been agreed.

The UK’s Data Protection and Digital Information Bill which is currently progressing through Parliament includes provision to expand the types of cookies which wouldn’t require consent. For example, the exemption from consent could extend to analytics cookies – although you’d still need to notify users and give them an option to object.

Meanwhile, many believe it’s only a matter of time before the use of third-party data cookies becomes obsolete, due to the inherent difficulties in collecting valid consent. It’s highly likely there will be a premium on first party data, collected compliantly and transparently from customers or prospects.

Instead of using third-party cookies to help target advertising, there are a growing number of contextual advertising solutions, which are less intrusive, and a growing interest in more privacy friend Edge Computing Solutions.

Others are moving to a subscription model where users pay to access ad-free content, or are using a combination of this and contextual advertising.

Several organisations who received warning letters from the ICO late last year, are working on developing alternative solutions. The ICO says it will share more detail on how this models can be compliantly implemented next month.