GDPR and Cookies

The General Data Protection Regulation (GDPR) now sits above the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA).

This umbrella adds further restrictions on the use and management of cookies that are placed on a computer by software used to track your activities. It requires explicit consent from website visitors before non-essential cookies (particularly those used for marketing purposes) are stored on their computer.

PECR

The ICO website states:

“You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.

There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).”

A “Cookie Statement” that pops up when a user first visits a website and just says that the site uses cookies is non-compliant, as it does not give the user the ability to turn off non-essential cookies before using the site. Further, GDPR clearly states that a data subject should be able to withdraw consent as easily as they gave it. With cookies this will generally mean that they should be able to revoke consent through the same action as when they gave consent. For example, if they consented by clicking through some boxes, they have to be able to find the same form to revoke consent.

Non-essential cookies (such as analytic, marketing or tracking cookies) must always be turned off when a user enters the site, and explicit consent must be given to turn them on.

This clearly has major implications for marketers who are relying on Google Analytics or similar tracking and monitoring suites, and for advertisers who are using DoubleClick etc.

Non compliant cookie statements

Identifying cookies on your website.

See also gdpr-compliance

There’s no such thing as a free lunch

You may not think that your website uses any cookies, but if it was designed by a third party, or contains widgets (or bits of third-party code), it almost certainly does.

So how do you find out?

There is lots of commercially available software that will test compliance and identify cookies, but there really is no such thing as a free lunch: identification is one part of the puzzle, solving the cookie consent conundrum is another, and most identification software sites will then try to sell you the ultimate ideal solution.

Always refer back to your website designer, and ask them why you haven’t been compliant since May 2018 … maybe there is such a thing as a free lunch after all …

Termly

Termly https://termly.io/ is good for a quick sanity check, but comes with the following disclaimer:

“Disclaimer: This tool is meant to help you determine whether web content meets General Data Protection Regulation (GDPR) and EU ePrivacy Directive 2009/136/EC (ePR) guidelines related to online tracking. Termly automatically scans a website to identify the presence of these requirements and lists them in this report. The scanning technology used to provide the report is not free of errors, and therefore Termly does not warrant that the content of this report is accurate, complete, reliable, or error-free. A positive test response must not be taken as a guarantee that the website satisfies all legal requirements. Please consult the GDPR and ePR legal text, or a trusted source (e.g., the Data Protection Authority or a lawyer in your country) for a full overview of website legal requirements.”

Should you wish to go ahead with the pro version … then it is £7 per month for a full GDPR + Cookie Policy Compliance.

You only have to get it added to your site … back to your website designer …

Cookiebot

Cookiebot will produce a downloadable report based on scanning five pages, and requires a subscription to scan more.

It is again a subscription service, with a free version for websites with fewer than 100 pages.

Code is produced which needs to be added to the website to handle the necessary cookie consent and/or rejection. Back to your website developer.

Cookiepedia (CookiePro – OneTrust)

Cookiepedia https://cookiepedia.co.uk/ is “… the largest database of pre-categorized cookies and online tracking technologies.”

You can search by specific cookie identifier to understand what cookie is being used on your website.

You can also scan your website (as with Cookiebot); the scan covers 9 pages using CookiePro.

Certain text is reproduced here from the Information Commissioner’s Office website, July 2019, licensed under the Open Government Licence