A ‘cookie’ consists of information downloaded on to your computer when you visit a website. Cookies are widely used and can do a number of things, such as remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website.
This guide explores current legislation that applies to cookies that you use on your website. As well as explaining cookie law in general, it covers cookie notices, cookie consent and the practical effect of the Privacy and Electronic Communications Regulations (PECR).
All of this comes with the standard caveat that we are not lawyers and we are just trying to explain things clearly to our community of small charities. So if you are in any doubt, check with a lawyer.
Let’s start our cookie discussion with GDPR.
Does GDPR require cookie consent?
As we explain in our GDPR guide for small charities, GDPR mainly applies where the data being processed is personal data. So the first question to ask is this:
Do I use the cookies on my website to process personal data?
The answer to this question will vary depending on the nature and purpose of the cookie. For example, Google Analytics’ terms of service forbid you from tracking personal data. If someone came to you and asked you to provide them with the personal data you have gathered on them from Google Analytics, this should not be possible because (unless you’ve done something unusual that breaches Google’s terms of service) the data stored in Google Analytics is anonymous.
That said, GDPR arguably does apply to the collecting of IP addresses even if these are only accessible by Google employees and not you. So for a thorough approach, you should check you have followed Google’s guidance on IP address anonymisation. Plugins/modules for WordPress and Drupal allow you to apply this easily, and the White Fuse platform does this as standard.
However, there may be some situations other than Google Analytics where you are tracking personal data with cookies, such as checking someone’s identity to see whether they are logged in or not. In these circumstances, GDPR will almost certainly apply. If GDPR applies then the next question to ask is this:
Do I need consent or is there another lawful basis for processing this personal data?
For the majority of cookies in use on charity websites, the cookies will be lawful on the basis of legitimate interests. This is the most flexible lawful basis and is described in more detail on the ICO website. In practical terms, if your cookies are necessary to deliver the experience the user would expect on your website and there are no less intrusive ways of delivering this, then you are likely able to rely on this lawful basis.
Here is a summary of the examples described above:
| Cookie | Processing personal data? | Lawful basis other than consent can be used? |
| --- | --- | --- |
| To verify a user's identity in order to keep them logged in to the website | Yes | Yes |
| Anonymous usage statistics collected through Google Analytics | No | N/A |
Of course, you need to check your own website to discover the cookies in use and make your own decision on the applicability of GDPR.
PECR and cookie consent?
‘So what gave rise to all the cookie popups?’ you may be asking. The answer to that is PECR - the Privacy and Electronic Communications Regulations. This is the piece of legislation that covers cookies, whether or not they are involved in processing personal data.
Does PECR apply to all cookies?
No. There are some pretty big exceptions under PECR which mean you are unlikely to need consent for:
- cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
- session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
- load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.
What cookies does PECR apply to?
The most obvious and common types of cookies to which PECR applies are services that track usage of a website, such as Google Analytics. If these cookies don’t collect personal data they are unlikely to be covered by the GDPR (as discussed above) but they are covered by PECR.
When PECR applies what must I do?
When PECR applies to cookies you are using on your website, the basic rules, as summarised by the ICO, are that you must:
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
Items one and two are pretty straightforward, but item three (consent) is more tricky.
What is the PECR definition of consent?
Just to keep us on our toes, the current definition of consent under PECR is different from the definition in the GDPR. Under PECR consent is defined as:
‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
The challenging part here is ‘freely given’, which clearly implies that there can’t be a cost to saying no. This means there must be a meaningful choice and it is surely not enough to say ‘if you say no you can’t use this website’.
What do websites typically do to comply?
There is a range of responses people have made to the PECR regulations on cookie notices and cookie consent which we’ve set out in the table below.
| No* | On | Header link | Privacy International |
| No* | On | Pop-up | Save the Children, Cancer Research UK |
| No* | On | Footer notice or 'cookies' link | Scope |
*Note that cookies can be restricted across all websites at a browser level.
Should we use a pop-up?
As is clear from the table in the section above, there is a broad range of responses to the PECR legislation. The main usability case for a pop-up is when you are offering the user a meaningful choice that you think they will care about. So in this instance, if you are planning to use a pop-up, the best way to do this is to offer a simple choice to the user to either ‘accept’ or ‘block’ cookies that track usage. Here is an example:
Help us improve through anonymous usage tracking
Accept | Block
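One way to implement the ‘accept’/‘block’ choice above in the browser, as an added example that is not code from the original guide or from the White Fuse platform. It assumes a first-party cookie named usage_consent (a name chosen here), a placeholder analytics tag URL to be replaced with your provider’s snippet (with IP anonymisation switched on), and page markup containing a hidden <div id="consent-banner"> holding <button data-consent="accept"> and <button data-consent="block">. No usage-tracking script is loaded, and so no tracking cookie is set, until the visitor explicitly accepts.

```javascript
const CONSENT_COOKIE = 'usage_consent';      // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;  // remember the choice for a year
// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.split('=');
    if (name.trim()) out[name.trim()] = rest.join('=').trim();
  }
  return out;
}
// Returns 'accept', 'block', or null when no valid choice has been recorded.
function getConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'accept' || value === 'block' ? value : null;
}
// Cookie that records the answer; remembering the choice is strictly necessary,
// so it is set without asking. Secure and SameSite=Lax limit where it is sent.
function buildConsentCookie(choice) {
  if (choice !== 'accept' && choice !== 'block') throw new Error('invalid choice');
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}
// Only an explicit 'accept' loads tracking; 'block' and "not yet answered" both mean no.
function shouldLoadTracking(cookieString) {
  return getConsent(cookieString) === 'accept';
}
// Inject the analytics tag (placeholder URL; use your provider's snippet with IP anonymisation on).
function loadTracking() {
  const s = document.createElement('script');
  s.src = 'https://analytics.example/tag.js';
  document.head.appendChild(s);
}
// Browser wiring, skipped outside a page (e.g. in tests); markup as described in the lead-in.
if (typeof document !== 'undefined') {
  if (shouldLoadTracking(document.cookie)) loadTracking();
  else if (getConsent(document.cookie) === null) {
    const banner = document.getElementById('consent-banner');
    banner.hidden = false;
    for (const b of banner.querySelectorAll('button[data-consent]')) {
      b.onclick = () => {
        document.cookie = buildConsentCookie(b.dataset.consent);
        banner.hidden = true;
        if (b.dataset.consent === 'accept') loadTracking();
      };
    }
  }
}
```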
Where you are offering the user no choice, then the importance of information you are presenting to them needs to be assessed in the context of your overall website aims. For example Privacy International do track usage, don’t use pop-ups, but do have a very clear link in the header called ‘Your Data’ that takes the user to a full explanation of how their data will be handled.
What are the risks?
Last year the ICO (the body responsible for enforcing these laws in the UK) received only 195 complaints about cookies vs 167,018 about nuisance calls, texts and emails. As a result, they have “maintained a consumer threat level of ‘low’ in this area due to the very low levels of concerns reported by members of the public”.
The only compliance action documented by the ICO is that it has written to 418 organisations since October 2012 (as of 4 July 2017), specifically about compliance with the cookie rules.
If you compare this to the huge fines potentially associated with GDPR and even the fines already levied under the previous Data Protection Act, it is clear that more time should be focused on good data protection controls than cookie notices and popups.
So what should small charities do?
Unfortunately, the law in this area is not particularly clear and this makes simple no-nonsense advice hard to give. But here is a summary of what we think small charities should bear in mind:
- Large charities adopt a number of different approaches.
- No clearly ‘right’ approach has emerged in the last 7 years and even the ICO doesn’t take the most cautious approach.
- The ICO think this is a low priority issue.
- On the basis of the last 7 years, small charities are unlikely to be approached directly by the ICO on this issue.
Upcoming changes to PECR
After GDPR, the next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR). So cookie law will change again soon!
At the time of writing this post, this legislation is still at the draft stage. In relation to cookies, it’s likely that the legislation will reduce the need for website-specific cookie notices and focus on more sensible restrictions around the gathering of personal or sensitive user data and on giving users more control at a browser level.