A growing number of websites use cookie consent management platforms to capture user consent for certain types of cookies. Such platforms tell visitors which cookies the website uses, so that it is clear what a user is consenting to before those cookies are set on their device.

This blog post is prepared for website developers and business owners to give a brief overview of the legislation surrounding website cookie consent, and how to collect user consent lawfully.

What is the associated UK GDPR legislation?

The law around cookies (and similar technologies) is found in the Privacy and Electronic Communications Regulations (PECR) 2003. PECR itself has changed little over time, but it borrows its definition of consent from the UK GDPR, so the threshold for valid consent is now much higher than it was; that is the difference. Key to getting it right is transparency.

What are the different purposes of website cookies?

In general, cookies are categorised as either strictly necessary or non-essential. The latter category includes cookies that are functional, performance related, analytical or targeting (marketing). Only cookies that are genuinely needed for the correct operation of a service the user has asked for are exempt from prior consent. For instance, a cookie used to remember what is in a shopping basket would be deemed strictly necessary. Non-essential cookies are those you might think are commercially helpful (analytics is the usual example) but which are not actually necessary to make the website work for the purpose the user is using it for.

Some cookies are used just for a single session whereas others are persistent and may remain on the device for days, weeks or years. The lifetime does not change your legal responsibilities: a session targeting cookie needs consent just as a persistent one does.

What is needed?

Every website that sets non-essential cookies must have a mechanism, typically a Consent Management Platform (CMP), that obtains the user's consent before those cookies are set on the user's device. Valid consent requires the user to take an affirmative action to opt in, which means that all non-essential cookies must be disabled by default: pre-ticked boxes, continued browsing or scrolling past a banner do not count. Consent must also be as easy to withdraw as it was to give. Furthermore, if you are asking users to accept cookies, you must provide them with a corresponding list that describes each cookie and its purpose. Transparency is key.
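Taken together, the categories in the previous section and the requirements in this one amount to a small piece of logic that any consent banner has to implement. The following is an added example, not code from the original post or from any CMP vendor: a consent gate in JavaScript that keeps every non-essential category off by default, only sets a cookie if its category has consent, keeps the purpose list in the same register the gate checks against, and makes withdrawal a single call that also deletes cookies that have lost their legal basis. `ConsentGate`, `COOKIE_REGISTER` and the Map-based cookie jar standing in for `document.cookie` are assumptions so that it runs offline in Node; the cookie names and purposes are constructed samples.

```javascript
// Added example, not code from the original post. The Map "jar" is a
// hypothetical stand-in for document.cookie so this runs in Node.

// Cookie register: every cookie the site may set, with category and purpose.
// The same register is shown to users as the purpose list in the banner.
// (Constructed sample entries.)
const COOKIE_REGISTER = [
  { name: 'session_id',     category: 'strictly_necessary', purpose: 'Keeps you logged in during your visit' },
  { name: 'basket',         category: 'strictly_necessary', purpose: 'Remembers what is in your shopping basket' },
  { name: 'cookie_consent', category: 'strictly_necessary', purpose: 'Records the consent choices you make here' },
  { name: 'lang_pref',      category: 'functional',         purpose: 'Remembers your preferred language' },
  { name: '_ga',            category: 'analytics',          purpose: 'Counts visits and pages viewed' },
  { name: 'ad_id',          category: 'targeting',          purpose: 'Selects adverts based on pages you visited' },
];

const NON_ESSENTIAL = ['functional', 'performance', 'analytics', 'targeting'];

// Default state: no consent for any non-essential category. Nothing is
// pre-ticked, and silence, scrolling or a tampered consent cookie never
// turns a category on.
function defaultConsent() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar; // Map of cookie name -> value (hypothetical cookie jar)
    this.consent = this.load();
  }

  // Read stored choices; only an explicit boolean true counts as consent.
  load() {
    const raw = this.jar.get('cookie_consent');
    const out = defaultConsent();
    if (!raw) return out;
    try {
      const stored = JSON.parse(raw);
      for (const c of NON_ESSENTIAL) if (stored[c] === true) out[c] = true;
    } catch {
      // Unparseable value: treat as no consent rather than guessing.
    }
    return out;
  }

  persist() {
    this.jar.set('cookie_consent', JSON.stringify(this.consent));
  }

  // Affirmative opt-in: the user explicitly selected these categories.
  grant(categories) {
    for (const c of categories) {
      if (!NON_ESSENTIAL.includes(c)) throw new Error(`unknown category ${c}`);
      this.consent[c] = true;
    }
    this.persist();
  }

  // Withdrawal is one call: reset to no consent, then remove every cookie
  // whose category no longer has a basis for staying on the device.
  withdrawAll() {
    this.consent = defaultConsent();
    this.persist();
    for (const entry of COOKIE_REGISTER) {
      if (!this.allows(entry.category)) this.jar.delete(entry.name);
    }
  }

  allows(category) {
    return category === 'strictly_necessary' || this.consent[category] === true;
  }

  // Gate every cookie write. Returns true if the cookie was set.
  setCookie(name, value) {
    const entry = COOKIE_REGISTER.find((e) => e.name === name);
    // Unregistered cookie: its purpose cannot be described to users, so refuse.
    if (!entry) throw new Error(`cookie ${name} is not in the register`);
    if (!this.allows(entry.category)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Text for the banner's purpose list.
  purposeList() {
    return COOKIE_REGISTER.map((e) => `${e.name} [${e.category}]: ${e.purpose}`);
  }
}

// Walk a fresh visitor through the three states: default, opted in, withdrawn.
function demo() {
  const jar = new Map();
  const gate = new ConsentGate(jar);
  const before = { basket: gate.setCookie('basket', 'item42'), ga: gate.setCookie('_ga', 'GA1.1'), ad: gate.setCookie('ad_id', 'x') };
  gate.grant(['analytics']);
  const after = { ga: gate.setCookie('_ga', 'GA1.1'), ad: gate.setCookie('ad_id', 'x') };
  gate.withdrawAll();
  const withdrawn = { ga: jar.has('_ga'), basket: jar.has('basket'), consentKept: jar.has('cookie_consent') };
  return { before, after, withdrawn, purposes: gate.purposeList().length };
}
```

The point of routing every write through `setCookie` is that a cookie which is not in the register cannot be set at all, which forces the purpose list and the enforcement to stay in step; third-party tags would be loaded by the same check on their category rather than by a script tag that fires unconditionally.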

Why the fuss and does it matter?

The answer depends on your risk appetite, but you should at least take an informed view. In summer 2019, the ICO updated its own website, issued new guidance, and indicated it was taking a greater interest in the misuse of cookies. But it is not the threat of fines or loss of reputation that should be your motivation to do this properly, it should be to uphold the rights and freedoms of the very people with whom your website interacts.

Despite the image of cookies as delicious items of food, the term covers a family of tracking and storage technologies. Whether or not you consider the values they hold to be anonymous, storing them on, or reading them from, a user's device is covered by UK legislation that cannot be ignored; PECR applies to that act regardless of whether personal data is involved.

In conclusion

You must tell users if your website sets cookies, and clearly explain what they do and why. Some cookies are deemed strictly necessary and don’t need prior consent, but all other (non-essential) cookies do. For these you must obtain user consent by affirmative action from the outset and in accordance with the requirements set out in the UK GDPR.

With thanks to our guest contributor, Data Protection Specialist, Phil Brown
