
Spotlight on website privacy policies

Understanding best practice for your website cookie policy has probably been sat on your to-do list for some time. Here Paul Edge, Digital Strategist, helps you on your way to tick off the task.

First off, I’m not a lawyer; this blog post is based on my own extensive research, is to be used for information only, and is not a substitute for legal advice.

Concerns about privacy and the protection of personal data are becoming increasingly important to people. There is a perceived lack of control over their data, and high-profile data losses by organisations add to that concern. Yet we are all creating more information about ourselves, and the public’s stated views can appear contradictory, with what people say not mirroring their online behaviour.

So What Are the Legal Requirements for Cookie Policies?

It’s the job of the Information Commissioner’s Office (ICO) to police data privacy and investigate complaints made by consumers. According to the ICO, when adding a cookie policy and installing a pop-up notice, the basic rules are:

  • tell people the cookies are there
  • explain what the cookies are doing and why
  • get the person’s consent to store a cookie on their device

The third point isn’t explained in more detail than ‘get a person’s consent’ which is open to interpretation.

As part of my research for this blog, I found a wide variety of creative solutions for showing a cookie policy pop-up notice. The most extreme was the Huffington Post, which blocked my web journey to its website with a consent splash page. The Huffington Post believes a splash page is a fair value exchange of data for the latest news, and it seems tolerable for its visitors.

The splash page approach works for a major publisher, but it has a big impact on user experience and is not recommended for brand websites with less traffic.

Under the letter of the law, splash-page-style consent is not essential. Consent must involve some form of communication in which the person knowingly indicates their acceptance. According to the ICO’s website, ‘to be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link.’

Cookie Policy Plug-in Tools

To make all this easier to set up and manage, there are now website cookie policy plugins built for the purpose. With the help of a developer you can install a cookie policy pop-up similar to the one on the ICO’s website.

Plugins like the CIVIC tool categorise cookies into essential and non-essential cookies. It’s good practice to categorise non-essential cookies further into groups such as performance and advertising, to enable transparency and give web users greater choice.

Essential and Non-Essential Cookies

Google Analytics counts as a non-essential cookie. The ICO uses Google Analytics and is clear about its use, giving the user the option to ‘turn cookies off’ or say they’re ‘fine with this’. The wording on the ICO’s pop-up suggests that if you carry on your journey through its website without adjusting your cookie settings, the ICO will assume you are OK to continue with the current cookie settings.

It’s good practice in your privacy policy to give your web users the option to opt out of Google Analytics cookies altogether by linking to the Google Analytics Opt-out Browser Add-on.

Make sure that your privacy policy page is clear about your use of cookies and Google Analytics, especially if you use Google Analytics to pass data to Google’s advertising services such as Google Display or remarketing.

If you are only using Google Analytics to track the number of web visitors you receive and to produce reports on those metrics, then categorise analytics cookies under the heading of ‘performance’ in your cookie pop-up.

And if your GA data feeds into your advertising, then this needs to be an additional opt-in tick box, categorised under ‘advertising’, as shown in the example below:

(Image: cookie policy example)

Advertising Pixels

It’s best practice to control when your advertising pixels pass, or ‘fire’, information back to an ad platform like Facebook or LinkedIn. It’s advisable to add code like this example from Facebook, which pauses sending pixel data back to the advertising platform until your visitor has clicked to accept the cookie policy.
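The following is an added example, not code from the original post or from Facebook or CIVIC. It ties together the two points above: non-essential cookies are split into opt-in categories (performance for analytics, advertising for pixels), the visitor's choice is stored in a first-party cookie, and the analytics snippet and Facebook Pixel are only released once the matching box has been ticked. The cookie name `cookie_consent`, the category names and the `hooks` object are assumptions for illustration; `fbq('consent', 'revoke')` and `fbq('consent', 'grant')` are the Pixel consent calls described in the Facebook GDPR guide listed in the references.

```javascript
// Added example (not from the original post). Consent gate for non-essential
// cookies: performance scripts load only after the visitor ticks "performance",
// and the Facebook Pixel stays revoked until the visitor ticks "advertising".
// The cookie name, category names and hook names are assumptions.

const CONSENT_COOKIE = 'cookie_consent';
// Essential cookies need no consent, so only the opt-in categories are tracked.
const OPT_IN_CATEGORIES = ['performance', 'advertising'];

// Read the stored choice from a document.cookie / Cookie header string.
// Anything missing or malformed is treated as "not consented" (opt-in default).
function parseConsent(cookieString) {
  const consent = { performance: false, advertising: false };
  const entry = (cookieString || '')
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + '='));
  if (!entry) return consent;
  const value = decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1));
  for (const pair of value.split(',')) {
    const [category, flag] = pair.split(':');
    if (OPT_IN_CATEGORIES.includes(category)) consent[category] = flag === '1';
  }
  return consent;
}

// Build the cookie string that records the choice: explicit expiry,
// SameSite=Lax, and Secure when the site is served over HTTPS.
function serializeConsent(consent, { days = 365, secure = true } = {}) {
  const value = OPT_IN_CATEGORIES.map((c) => `${c}:${consent[c] ? 1 : 0}`).join(',');
  const expires = new Date(Date.now() + days * 86400 * 1000).toUTCString();
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Expires=${expires}; Path=/; SameSite=Lax`
    + (secure ? '; Secure' : '');
}

// Act on the choice. `hooks` is injected so the logic also runs outside a browser:
//   hooks.loadAnalytics() - inserts the analytics snippet (performance category)
//   hooks.fbq(cmd, arg)   - the Pixel's global function (advertising category)
// Returns the actions taken so callers (and tests) can check the outcome.
function applyConsent(consent, hooks) {
  const actions = [];
  if (consent.performance) {
    hooks.loadAnalytics();
    actions.push('analytics:loaded');
  } else {
    actions.push('analytics:withheld');
  }
  // 'revoke' keeps Pixel events queued locally instead of sending them;
  // 'grant' releases them once the visitor has opted in to advertising cookies.
  hooks.fbq('consent', consent.advertising ? 'grant' : 'revoke');
  actions.push(consent.advertising ? 'pixel:granted' : 'pixel:revoked');
  return actions;
}

// Browser wiring (skipped when the file runs under Node).
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const hooks = {
    loadAnalytics: () => { /* append the analytics <script> tag here */ },
    fbq: (cmd, arg) => window.fbq && window.fbq(cmd, arg),
  };
  applyConsent(parseConsent(document.cookie), hooks);
  // Called from the pop-up's "Accept" button with the ticked categories.
  window.saveCookieChoice = (choice) => {
    document.cookie = serializeConsent(choice, { secure: location.protocol === 'https:' });
    applyConsent(choice, hooks);
  };
}
```

In the page itself the Pixel base code should call `fbq('consent', 'revoke')` before `fbq('init', ...)` so that no event is sent before the visitor has chosen; `applyConsent` then grants consent only for the advertising category, leaving a performance-only choice with analytics running and the pixel still paused.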

ePR Regulation

Having said all that, the data protection landscape will change again soon, according to the IT Governance website.

The European Commission’s new ePR (Regulation on Privacy and Electronic Communications) will come into force after Brexit is finalised. ePR stands for e-Privacy Regulation, a regulation for electronic communications and the right to confidentiality. It is nicknamed the ‘cookies law’ because one of its aims is to simplify the rules applying to cookies and rationalise cookie consent into a more ‘user-friendly’ journey (which potentially means fewer pop-up banners – hooray!).

Advice for Legal Copywriting

  • Ensure legal copy can be updated easily on your website; this can be difficult within larger organisations, so allow time for internal sign-off
  • You know your website and advertising schedule best, so draft your legal copy and then send it to your legal team for advice and approval
  • Review and update your privacy policy every time you install new website technology or third-party software

If you are looking for help auditing your website in light of these changes, then just drop me an email.

Where to Seek Advice and My References: 

  1. ico.org.uk
  2. The General Data Protection Regulation (GDPR)
  3. developers.facebook.com/docs/facebook-pixel/implementation/gdpr/
  4. civicuk.com/cookie-control/v8/documentation
  5. www.itgovernance.eu/en-ie/eprivacy-regulation-epr-ie
  6. ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications
is a Digital Account Director with over six years’ experience making engaging digital content convert.