Briefing Note

Cookie Compliance

Reviewed December 2023

Please note that this Briefing Note is not maintained, and reflects the law as at the date of publication or update

Introduction

On 21 November 2023, the Information Commissioner’s Office (ICO) issued a statement in relation to the use of Cookies on popular websites. This statement builds on previous comments issued jointly by the ICO and the Competition and Markets Authority (CMA) in August 2023 regarding websites that are harmfully designed in respect of Cookies (and, in particular, Cookie banners) and the impact that these harmful designs can have on users.

The key take-away from this statement is that the ICO is now writing to owners of larger UK websites who are failing to comply with Cookie regulations, stating that they must “make the changes now, or face the consequences”. It is clear from the tone of this statement that Cookie-compliance is high on the ICO’s agenda for 2024. This briefing note should not be relied upon as legal advice and you should contact us for advice on your specific circumstances.

Review your websites and policies

What are Cookies?

A Cookie is a small file of letters and numbers stored on a browser or the hard drive of a computer. Cookies have a variety of uses, ranging from those which analyse the performance of the website to those that target users through various webpages.

There is a distinction between ‘essential’ Cookies and ‘non-essential’ Cookies. Essential Cookies are required for the user to access and navigate a website. Depending on the nature of the website, these may include Cookies that allow logins to certain sections or Cookies that facilitate payments.

Non-essential Cookies do not impact on the basic functionality of the website, but can improve the personalisation of the website and the general web experience, for example, remembering users who return to the website and using personalised greetings. Additionally, non-essential Cookies can be used to target advertising to a user based on their web history.

It is this use of non-essential Cookies that the ICO and CMA note can lead to users being harmed. A search item on one page can lead to related advertising being targeted towards the same user elsewhere on the internet. In some instances, this may be desirable for a user, but in other cases, it can lead to real harm. The ICO has helpfully provided examples, including gambling addicts being presented with betting offers or women being targeted with baby adverts after a miscarriage.

Both the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) are concerned with Cookies, including how consent for their use is regulated.

What is a Cookie banner?

Cookie banners are the pop-ups that are usually found at the bottom of websites. These banners are how the consent of the website-user is obtained. Users will often be presented with an ‘Accept All’ and a ‘Reject All’ option, with many websites also offering a more detailed option to manually accept or reject individual Cookies.

The ICO, however, notes that poor design is causing users to be channelled to the ‘Accept All’ option. This can be through a difference in presentation of the options (with the ‘Accept All’ click-box being significantly larger or more prominent than the ‘Reject All’ click-box) or using language that implies that there is a ‘right’ and a ‘wrong’ answer. The ICO has taken the view that these types of design choices fail to give users fair choices, specifically in relation to being tracked for personalised advertising.

What policies do you need?

Whilst the Cookie banner is the ‘front of house’ showing, it is important that these banners are governed by a website’s Cookies policy. This policy will sit alongside any other terms of use / Privacy Notices that may also appear on a website. A Cookies policy will stipulate the types of Cookies used on the website, what they are used for and when they will expire. Therefore, it is important that regular reviews of the Cookies used throughout the website are undertaken so that the Cookie policy is always up to date.

Having the Cookie policy adequately signposted on the website, including in the Cookie banner itself, is also advisable so that the user has as much control as possible over how their personal information is being used.

Summary

Whilst the ICO have indicated that their initial focus will be on ‘top UK websites’, the statement is nonetheless a helpful reminder of the emphasis that the ICO is placing on Cookies-compliance and of the legislation available to them to take enforcement action where websites fail to comply. To minimise risk, it is important that customer-facing websites have an adequate Cookie policy in place. It is also important to ensure that users are presented with equal choices with regard to non-essential Cookies. A review of a website’s Cookie banner and its associated wording should be undertaken regularly with a focus on the user experience. Additionally, all website operators should ensure that websites are frequently reviewed and that the relevant Cookie policies are updated to accurately reflect the Cookies used on the website.

Contact us

To discuss how we can help you email info@gabyhardwicke.co.uk or call one of our offices:

Eastbourne: 01323 435900

Bexhill: 01424 735000

Hastings: 01424 457500