You've all seen them, the popup window asking you to accept cookies when you go to a new website. If you're like me, you probably find them pretty annoying and either blindly accept all the cookies, deny all the cookies, or just leave the window in place and not do anything with it. But why do some websites have this cookie consent window and why do some not? This article will help you understand what cookies are and whether cookie consent is needed for UK websites.
Instead of re-inventing the cookie definition. Here is how Wikipedia defines a browser cookie:
HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.
https://en.wikipedia.org/wiki/HTTP_cookie
There are broadly speaking, two types of cookies, essential and non-essential.
Essential cookies are fundamental to the operation of the website. For example on a shopping site they might store the details of the goods you add to your shopping basket before you checkout and purchase them. These are often referred to as session cookies or persistent cookies
Non-essential cookies are those placed on your device which are not needed for the site to function correctly. Often these are placed so that the website owner can track how many visitors they have to the website and what they are doing on the website. This in turn helps them optimise the website for future visitors. Non-essential cookies will be referenced as either first-party cookies or third-party cookies.
First-party cookies only interact with the website you are visiting. Third-party cookies will share data with other websites.
Cookies by themself are not dangerous. The concerns stem from third-party cookies sharing information with other sites. This could include personal information about yourself such as your sex, age, address, interests etc. Have you ever wondered why the likes of Google and Facebook can show relevant adverts to yourself? They know what you have previously been browsing on the internet via these third-party cookies and then tailor the adverts they surface to you accordingly.
It's this sharing of personal information between sites which is considered bad.
The main data protection rules in the UK are the Privacy and Electronic Communications Regulations (PECR) which sits alongside the Data Protection Act and the UK General Data Protection Rules (GDPR). PECR governs how cookies should be used that track information about people accessing a website. The source of truth for the PECR is the Information Commissioner's Office (ICO). Here is what they say about the use of cookies:
(1) … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/what-are-the-rules-on-cookies-and-similar-technologies/
What this means for cookies in use on a website is that:
The answer is almost certainly yes. Pretty much all websites will be tracking site visitors and one of the common tools being used is Google Analytics. Google Analytics (v3) places third-party cookies and Google Analytics (v4) places first-party cookies on your device.
It doesn't matter whether it is a first or third-party cookie though. They are both non-essential and you as a website visitor legally need to be given the choice as to whether you accept the use of them or not.
You can look in your web browser to see what cookies are in use. You can follow this article for instructions. Alternatively, you can use this online tool:
Just enter the website address and click 'Find Cookies'. If the report comes back with no cookies found, that either means there are no cookies (unlikely) or that the site has a working consent/opt-in mechanism. Until such time as the visitor has given consent, no cookies will be deployed. If you run the check against this website, it will show no cookies. That's because we have cookie consent in place.
Here's an example of a website which has cookies and which does not have cookie consent. I've hidden the site name to protect them:
The report shows that only 15% of the cookies in use are essential for the operation of the website and a whopping 85% are non-essential which are being automatically deployed to a visitor's device - illegally! I couldn't even fit the full report onto the screen there were so many being set.
Yes, only if there are really no cookies in use on the site. These are going to be few and far between.
No. You as the website visitor have to explicitly give consent for cookies to be used. There is no alternative. A site owner may think they are covering themselves by having the following statement, or a variation of it, in their site policies:
This website uses cookies. By using this website and agreeing to this policy, you consent to the Company’s use of cookies in accordance with the terms of this policy.
In the UK, that is not compliant. While it may be OK in some countries, for UK websites it is not.
No. Once you've set your cookie consent options, those will normally be valid for 12 months. Each visit in that 12-month period will be governed by your previous choice, so you will not see the cookie consent until the time period is up. A compliant site will allow you to change your cookie options at any time.
Ironically, your cookie consent choice is stored in a cookie!
There are two penalties that the ICO can impose. One which is 2% of total turnover and another which is 4% of annual turnover. Note this is on turnover, not on profits.
Why am I writing this blog? One reason is to inform you, but also to highlight the disregard for cookie consent and PECR from web development agencies. As I've been setting up my agency, I wanted to see who my local competition was. I've been shocked by how many agencies do not have cookie consent on their own site.
The report above was from one of the agencies geographically closest to me. When hiring a web agency for your website, you not only want a great-looking site, but you need one which complies with the local regulations. Now some of that compliance is down to the site owner (like supplying a privacy policy) but complying with the PECR and the cookie consent regulations is the job of the agency.
All sites developed by Web X Design Studio will come with cookie consent as part of the build package. It's the law, it's not an optional extra.
Warning! If the web design and development agency you are considering does not have cookie consent and an easily accessible cookie policy, think carefully about hiring them. They are not compliant with the law themselves.
Out of the five closest web agencies to me (according to Google), four of them are not PECR / cookie compliant. Choose carefully when selecting your agency. It is not the agency that will be liable for any fines, it is yourself.
As much as we all hate the cookie consent popups, they are essential for the majority of UK websites that you will visit. It's mandated by the PECR and if a site is using cookies, without allowing the site visitor to explicitly opt-in to using them, they are breaking the law. The law is there to protect how your personal information is shared. That right should be with you by allowing you to make an informed decision to allow cookies on a site or not.
When visiting a site which does not have cookie consent, think twice about whether you want to do business with them. If you are hiring a web agency to develop a new website for you, ensure their own site is compliant, if not, move on to one which is.
I am not a lawyer, but someone who has been around these regulations for a number of years. I share this information in good faith but it should not be construed as legal advice. Please consult with your lawyer if you are uncertain about how to manage cookies and data privacy.
