What are cookies?
Cookies are a way for websites to track users’ activity and store information about them. That could be items in their basket on an ecommerce site, or usernames and passwords for sites with a log-in area. If you’ve ever revisited a website and it has remembered your preferences, that is made possible by cookies.
Cookies themselves are small text files. They usually take the form of a string of letters and numbers, and are stored on your device. When you revisit a site, your browser will send the cookie to the server, and the site will read it and can then adapt what it shows you accordingly. Your previous preferences and interactions with a website are normally stored in the website and can be recalled when it recognises you from one or more cookies.
Cookies aren’t the only way for websites to profile users – other techniques include fingerprinting, which reads information about users’ devices rather than their interactions with site content – but they are the most popular, and are extremely useful to website owners for marketing and analytics purposes.
In recent years, there has been increasing concern over the fact that while cookies are by their nature unobtrusive for users, they allow websites to build up detailed profiles of their users’ activity, interests and personal information. Some cookies are used to track users across multiple websites, meaning that Website A may be able to ‘see’ what a user viewed on Websites B, C, and D and build up a detailed profile of you and your interests. This is how your Facebook feed is able to show you adverts for things you have never searched for or interacted with on Facebook itself!
As a result of these concerns, most countries now have some form of data privacy law that affects how cookies may be used on websites. In the UK, the most important law governing this is the General Data Protection Regulation, or GDPR. The GDPR is one of the strictest data privacy laws that have been adopted in the world to date, and the penalties for non-compliance have included fines of more than a million Euros.
However, all is not lost for webmasters. You are still allowed to use cookies to track certain kinds of visitor activity – it just has to be done in a compliant manner. To understand what that entails, let’s look at the way cookies are categorised.
Types of cookies
From a technical point of view, cookies can be categorised in several different ways. A cookie will have one attribute from each of the following:
Necessary cookies v. non-necessary cookies
This distinction is straightforward enough: a cookie is necessary if your website cannot serve a user without it. Note, however, that it’s what’s necessary for the user. Cookies for analytics and advertising preferences are not considered necessary from a legal perspective, because your website can serve a user without tracking them for either website usage analysis or advertising purposes. Users must consent to all non-necessary cookies unless the website can demonstrate a legitimate interest in using them – the guidance from the Information Commissioner’s Office (ICO) that sets national standards in this area in the UK is that there can be no exceptions. We'll talk about how to manage that consent in a moment.
First-party cookies v. third-party cookies
A first-party cookie is one that your website places on a user’s device. A third-party cookie is any cookie installed by a website not currently being viewed. Third-party cookies are most frequently used for targeted advertising, for example by showing a user similar products to those that they’ve been searching for or viewing on other websites. Analytics cookies are also classed as third-party where they rely on external services such as Google, although they are not used for advertising. Again, users must opt in to all third-party advertising cookies, and to any first-party cookies that aren’t strictly necessary.
Session cookies v. permanent cookies
Session cookies are deleted when a user navigates away from a website, or when they close their browsers. Permanent cookies are something of a misnomer, as under GDPR, cookies may actually only be stored for a maximum of a year. Permanent cookies are sometimes called persistent cookies. In most cases (but not all), users must consent to permanent cookies.
Cookie consent
We’ve talked so far about user consent and opting in, and the general advice you will see is that most kinds of cookies – especially those used for analytics purposes and for tracking – do require this. The ICO refers to cookies that don’t require opt-ins as ‘exempt’. It provides a handy guide to what kinds of cookies are likely to be exempt, although this is not exhaustive. The EU has provided its own opinion on what kinds of cookies may be exempt under the terms of the GDPR.
For now, we’ll move on to what constitutes consent under GDPR.
Consent must:
- Be explicit – a user must click (or take another positive action) to accept cookies
- Be freely given – a user has to understand what they’re consenting to, have meaningful choice, and by able to opt out
- Mention who is controlling the data
- Explain what data are being collected, what they are being used for, and why
At one point, websites could rely on ‘implicit consent.’ This often took the form of a banner which said ‘By using this website, you’re agreeing to our use of cookies.’ Scrolling or otherwise interacting with the site’s content was held to constitute implicit agreement. However, the European Data Protection Board (EDPB) ruled that this is not enough to meet the definition of consent, which must include an active opt-in by clicking ‘Accept’ or similar.
Likewise, users must have the opportunity to opt out at any point. Because implicit consent can’t be withdrawn, it is not compliant with GDPR. This means that, where personal information is being submitted in a form, the website should require explicit agreement to its data processing and data protection policies.
Additionally, so-called ‘cookie walls’ – where a user is expected to agree to cookies that are not necessary for the website to operate in order to access that website at all - are also non-compliant with GDPR. A cookie wall prevents users accessing a site unless they opt in to cookies that should be optional and should require user consent.
Remember that strictly necessary cookies are exempt, so this is requiring users to opt in to cookies which are not needed for the site’s functionality. A ‘take it or leave it’ approach means that user consent is not considered legally as freely given.
There are situations in which consent is not required. Article 6(1) of GDPR sets these out.
- You have a contract with the individual whose data you are processing, and the data are required to fulfil this contract
- You have to process the data in order to comply with a legal obligation in the UK or EU
- You have to process the data to protect someone’s life (the person whose data you’re processing, or someone else’s) – known as ‘vital interest’
- You are a public authority and have a task to carry out in the public interest
- You have a legitimate interest (including for commercial benefit) in processing the data.
For most website owners, the final bullet point is likely to be the most relevant. The ICO somewhat controversially advised in 2019 that analytics cookies are not covered under legitimate interests, despite direct marketing being permissible. However, following the implementation of its own recommendations in requesting an opt-in to Analytics cookies by users of the ICO website, its own recorded web traffic dropped by 90%, showing that any business requiring consent for Google Analytics cookies is likely to severely reduce the accuracy and reliability of its web analytics, and thereby reduce its ability to make informed marketing and investment decisions based on analysing anonymised visitor numbers and behaviour.
Many marketers would argue that website analytics cookies should be allowed in the legitimate interest of strategic business planning, especially since Google Analytics is tracking an anonymised quantity of users rather than identifiable individuals. The ICO advice that Analytics cookies require consent may be overruled by the British government.
The GDPR stipulates that legitimate interests do not outweigh individuals’ rights to privacy, and processors must still be transparent about the data they’re collecting.
One final caveat, in case things weren’t confusing enough: the landscape is constantly changing, and the arrival of a new Information Commissioner in 2022 may shake things up. Additionally, the fact that the UK is no longer a member of the EU means that it could make changes to GDPR legislation; and it has recently run a consultation on doing so. However, it’s by no means clear what direction this will take yet.
If as a website owner you wish to adopt a cautious approach to cookies - bearing the ICO’s pronouncements in mind - then here are some tips for managing cookie consent on your website (including tracking cookies):
How to manage cookies on your website
While it is possible to manage cookie scripts oneself, many website owners will choose a cookie consent management platform, or CMP. If your website is built using Wordpress or Drupal, there are plug-ins available that will place a consent banner or pop-up on your page. These are sometimes known as cookie bars or cookie pop-ups, and they can also integrate with CMPs, if you have an account with them. Be aware, however, that some CMPs do not actually comply with the ICO’s stringent regulations on user opt-ins; always do your own research. Among the guidelines to bear in mind for any cookie pop-up to ensure that it is working within the letter and spirit of the rules are:
- It is not allowed to have only an 'Accept All' button or to make the 'Accept All' button more visible than the alternatives to nudge the user into clicking it.
- There needs to be a 'Reject All' button or preferably a 'Select Cookies' or 'Manage Cookies' one too, allowing the user a free choice of which optional cookies to opt into; and whichever form of words you go for on this button, it needs to be as easy to see and select as the 'Accept All' one.
- If you opt for 'Select Cookies' or 'Manage Cookies' instead of 'Reject All', then on the screen opened with the list of available optional cookies, you should still make it easy for the user to exit without opting in to any of them and then allow them to continue using the site without restrictions. If there is a long list of cookies that spans multiple pages, then you should add a 'Reject All' button at the top of the list of selections as well as at the bottom, so that the length of the list does not impair the user from leaving without opting in to any of them.
- Where you have a 'Select Cookies' or 'Manage Cookies' section, no optional cookies may be pre-selected by default, as the user must make a positive action to opt into them for the consent to be legally valid
- It is not acceptable to pre-select a user opt-in to some cookies under the banner 'legitimate interest' to get around the rule that cookies requiring consent must be deselected by default. Cookies allowed by legitimate interest by definition do not require consent, so they should not be listed as choices at all. Conversely, if they are not allowed without consent, then 'legitimate interest' is a misnomer and should not be displayed on the screen beside them.
- It is not acceptable as an alternative to 'Accept All' to link the user through to a static page setting out your cookie policy or terms and conditions, without controls over which cookies to select. The link offered as an alternative to 'Accept All' must allow the user the freedom to opt in to any cookies wanted while at the same time deselecting them by default.
- It is not acceptable to instruct the user to go to external sites that provide cookies on your website, and tell them they have to opt out of cookies on each of them separately. Full controls must be given on your website and the default position must be that the user is opted out. Websites that tell the user they have to go to external websites to opt out of third-party advertising cookies on their website are in flagrant breach of GDPR.
Google has introduced an option for tracking website visitors called ‘Consent Mode’, which collects analytics data in line with user preferences without requiring the use of cookies. Consent Mode doesn’t replace a CMP, but it does ensure that any data it collects respects the choices of the individual user and complies with GDPR. Users who do not opt in to analytics cookies will not be tracked except for very basic information. These data can still be useful to website owners, however, as they can indicate for instance whether the page URL includes a referral from an ad. Consent Mode is activated in Google Analytics by website owners – it is not something that can be enabled by end users.
There is one final option, which is to avoid using any cookies that track the user (or track them more than is strictly necessary for the website to function). This then means there is no possible legal interpretation that would require the use of consent banners or intrusive pop-ups. While you will lose the ability to track people for marketing purposes, in some situations this drawback may be cancelled out by a more seamless experience for users, who do not have to navigate through pop-ups and consent forms.
Disclaimer: GWS is not qualified to give legal advice. If you have questions about the legality of cookies on your website, please consult a solicitor in the relevant area of law.