First off, I’m not a lawyer. This blog post is based on my own extensive research, is for information only and is not a substitute for legal advice.
Concerns about privacy and the protection of personal data are growing. People perceive a lack of control over their data, and high-profile data losses by organisations add to that concern. Yet we are all creating more information about ourselves, and public attitudes can appear contradictory – what people say does not always mirror their online behaviour.
So What Are the Legal Requirements for Cookie Policies?
- tell people the cookies are there
- explain what the cookies are doing and why
- get the person’s consent to store a cookie on their device
The third point is not explained in any more detail than ‘get the person’s consent’, which leaves it open to interpretation.
A full-screen splash page that blocks the site until the visitor accepts cookies works for a major publisher, but it has a big impact on user experience and is not recommended for brand websites with less traffic.
Under the letter of the law, splash-page-style consent is not required. Consent must involve some form of communication in which the person knowingly indicates their acceptance. According to the ICO’s website, ‘to be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link.’
Plugins such as the CIVIC tool categorise cookies as essential or non-essential. It is good practice to categorise cookies further into groups such as performance and advertising, to enable transparency and allow web users greater choice.
Essential and Non-Essential Cookies
Google Analytics cookies count as non-essential. The ICO uses Google Analytics and is clear about its use, giving the user the option to ‘turn cookies off’ or say they’re ‘fine with this’. The wording of the ICO’s pop-up suggests that if you carry on through its website without adjusting your cookie settings, the ICO will assume you are happy to continue with the current settings.
If you use Google Analytics only to count the number of visitors you receive and to report on those metrics, categorise its cookies under the heading ‘performance’ in your cookie pop-up.
If your GA data feeds into your advertising, that use needs an additional opt-in tick box, categorised under ‘advertising’, as shown in the example below.
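The gating logic behind the approach above, written out as an added JavaScript example (this is not code from the original post, nor from the CIVIC tool or Google Analytics). The category names ‘essential’, ‘performance’ and ‘advertising’, the tag inventory and the script URLs are all assumptions made for the example. The point it demonstrates: nothing non-essential loads until the visitor takes a positive action, and a GA configuration that also feeds advertising needs both the performance and the advertising tick, not just one.

```javascript
// Consent categories (assumed names, not taken from any particular tool).
// 'essential' is always permitted; everything else needs an explicit opt-in.
const CATEGORIES = ['essential', 'performance', 'advertising'];

// State before the visitor has done anything. Simply continuing to browse
// never changes this object, so no non-essential cookie can be set yet.
function defaultConsent() {
  return { essential: true, performance: false, advertising: false };
}

// Record a positive action such as ticking a box for one category.
function grant(consent, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  return { ...consent, [category]: true };
}

// Withdraw consent for one category. 'essential' cannot be switched off
// because those cookies are needed for the site to function.
function revoke(consent, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === 'essential') return { ...consent };
  return { ...consent, [category]: false };
}

// A tag may run only when every category it requires has been granted.
function permitted(consent, tag) {
  return tag.requires.every((c) => consent[c] === true);
}

// Constructed tag inventory for the example. The URLs are placeholders.
// 'ga-reporting' is visitor counting only (performance); 'ga-ads-link' is
// the same analytics data feeding advertising, so it needs both categories.
const TAGS = [
  { id: 'session',      requires: ['essential'],                 src: '/js/session.js' },
  { id: 'ga-reporting', requires: ['performance'],               src: 'https://example.invalid/ga.js' },
  { id: 'ga-ads-link',  requires: ['performance', 'advertising'], src: 'https://example.invalid/ga-ads.js' },
];

// Pure decision: which tag ids are allowed to load under this consent state.
function tagsToLoad(consent, tags = TAGS) {
  return tags.filter((t) => permitted(consent, t)).map((t) => t.id);
}

// Browser side: script elements are created only for permitted tags, so the
// cookie-setting code never runs before the opt-in. Guarded so the decision
// logic above can also be exercised outside a browser (e.g. in Node).
function applyConsent(consent, tags = TAGS) {
  const ids = tagsToLoad(consent, tags);
  if (typeof document !== 'undefined') {
    for (const t of tags) {
      if (ids.includes(t.id) && !document.getElementById(`tag-${t.id}`)) {
        const s = document.createElement('script');
        s.id = `tag-${t.id}`;
        s.src = t.src;
        s.async = true;
        document.head.appendChild(s);
      }
    }
  }
  return ids;
}

// Usage: call applyConsent(defaultConsent()) on page load, then again with
// the updated state each time the visitor ticks or unticks a category.
```

Note that this only prevents cookies from being set. If a visitor later withdraws consent for a category whose tags have already run, the cookies they set remain until they expire or are deleted, which this example does not handle.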
Having said all that, the data protection landscape will change again soon, according to the IT Governance website.
The European Commission’s proposed ePrivacy Regulation (ePR), formally the Regulation on Privacy and Electronic Communications, is expected to come into force after Brexit is finalised. It covers electronic communications and the right to confidentiality. It is nicknamed the ‘cookie law’ because one of its aims is to simplify the rules that apply to cookies and make cookie consent a more user-friendly journey (which could mean fewer pop-up banners – hooray!).
Advice for Legal Copywriting
- Ensure legal copy can be updated easily on your website; this can be difficult within larger organisations, so allow time for internal sign-off
- You know your website and advertising schedule best, so draft your legal copy yourself and then send it to your legal team for advice and approval
If you are looking for help auditing your website in light of these changes, then just drop me an email.
Where to Seek Advice and My References:
- The General Data Protection Regulation (GDPR)