This article on Cookies Policy is Part 1 of a series of articles on all things tech related. Our Trainee Solicitor, Nick Goodchild, will bring his expertise to the table from a commercial point of view whereas, Partner, Nick Parkinson will be looking at things from a litigation perspective. Together, they are Tech-Nicks!
To get the ball rolling, our Trainee Solicitor, Nick Goodchild, examines the importance of the Cookies Policy. Cookies are part of virtually every website, but it can be confusing to understand what they do and the law that governs them. Luckily, our Tech-Nicks are here to break it down in simple terms.
What are Cookies?
Cookies are small computer files which are downloaded to your computer or smartphone when you visit a website. They are used to recognise your device and store information about your preferences and previous actions on the website.
What Regulations Apply?
Cookies are subject to the Privacy and Electronic Communications Regulations 2003 (PECR), and, where the cookies can identify an individual, they are also considered personal data subject to UK General Data Protection Regulation (GDPR).
What Are Our Legal Obligations?
PECR requires website operators to:
- inform users that cookies are being set on their device;
- provide clear, comprehensive information about what the cookies are doing and why; and
- get the user’s consent before setting the cookie.
The consent must be properly informed, freely given, and involve a positive action – such as clicking a box marked ‘accept’. Passive consent (doing nothing) is not enough.
An exemption to this rule is that website operators may set cookies without consent if they are ‘strictly necessary’ for the functioning of the website. But comprehensive information about these must still be given to the user.
If the cookies can identify the individual, they are considered personal data and are subject to GDPR. Such data would therefore fall under the website operator’s Privacy Policy. See our article on Privacy Policies here.
What does this mean in practice?
In practical terms, this means that if your website is setting cookies on a user’s device, you should provide a list of all the cookies, and their functions, and give the user an easy way to consent to, or reject, the cookies being set on their device.
Frequently this takes the form of a ‘cookie banner’ or information box, which appears on the screen when the user first visits the website, along with a button to signify consent. Many will allow the user to toggle the cookies on or off, while specifying that ‘strictly necessary’ cookies are always on. Once the user has made their choice, the website should adhere to it.
In the background, it is important that no non-essential cookies are set on the user’s device without consent – this means that, if the user does not click to accept, the non-essential cookies should not be set automatically.
While the cookie banner may provide relevant information in ‘short form’, websites should also have a written Cookie Policy which provides more detail on the cookies’ functions and purposes.
Next Up?
Looking ahead, in Part 2 of our series of ‘Tech-Nicks’ articles, we will be looking at Cookies from a complaints and litigation perspective. In other words, the consequences of ‘Getting Cookies Wrong’!
We hope you found this Article useful, and if you would like advice or help drafting your own Cookie Policy, please contact us using the details below;
This article was originally published on: 30 October 2023
