How to Comply With the Cookie Laws in the UK

#Tools & Facts

15th September 2020

Only 11.8% of the top 10,000 websites in the UK meet the minimal requirements for cookie compliance set by European and British laws. The shocking number surfaced in a January 2020 study by researchers at MIT, UCL and Aarhus University.

The researchers found that even the biggest consent management platforms use dark patterns and show an alarming level of negligence in their solutions. According to the ICO website, there were 1473 complaints related to cookies in Q1 of 2020.

So how do you avoid breaking GDPR and ePrivacy laws? Our team has investigated the most common misconceptions and malpractice in cookie consent pop-ups to compile a guide for British businesses. We’ve also contacted the Information Commissioner’s Office to clarify ambiguous guidelines – big thanks to the incredibly helpful ICO team.

About the Information Commissioner’s Office (ICO)

The ICO is an independent body set up to uphold information rights in the UK. It provides information about data protection rights to the public and guidance for organisations. Its responsibilities extend to accepting complaints, enforcing the laws, performing audits, and more. The legislation it covers includes the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations (PECR), the General Data Protection Regulation (GDPR), and more. Its guidelines cover both digital and traditional data processing methods.

In this article:

  • you’ll learn how to stay compliant with European cookie laws
  • we’ll show you how to quickly check whether your cookie prompt is compliant with the law, in the form of an easy-to-follow checklist with all the crucial steps to meet the minimal requirements
  • we’ll answer frequently asked questions about cookie compliance

What are the cookie law requirements?

The usage of cookies varies widely depending on your requirements and we’re not able to cover every single scenario. However, here’s how most business websites break the cookie law. This is the case for many reputable companies, so we recommend that you refrain from copying cookie prompts from others if you’re not familiar with the guidelines below.

You have to get actionable, positive consent

This is the biggest issue on most websites. In short, letting visitors know you’re using cookies is not enough. They have to actively agree to the storage of cookies that aren’t strictly necessary (we’ll cover these later).

With that in mind, simply displaying a message like the following isn’t compliant with the cookie laws:

A non-compliant cookie bar informing about the use of cookies and assuming consent, while the website pre-loads optional tracking cookies right away.

The same applies to hiding the “consent” in Terms & Conditions or allowing the visitor to “opt-out” using browser settings. Positive opt-in is required for all optional cookies.

If you’re using checkboxes (or a similar functionality) to obtain the consent for Analytics and Marketing cookies, these checkboxes have to be unchecked by default – even if you expect 100% of your visitors to agree to such usage.

When managing consent preferences, optional cookies should be turned off by default. The visitors have to actively opt-in to give their consent.

You can only pre-load strictly necessary cookies

Only cookies necessary for communication or to deliver crucial website features can be classed as “necessary”. This would include:

  • e-commerce cookies that allow users to add items to the cart
  • authentication cookies that remember the visitor’s previous login credentials
  • user preferences, such as personalisation options on your website or a cookie that stores their cookie settings
  • communication cookies, i.e. for a chatbot functionality, but only if communication is impossible without the cookies

Other analytics, advertising and tracking cookies cannot be classified as strictly necessary. While a service like Google Analytics is usually used with the long-term benefit of the users in mind, it’s not strictly necessary and requires positive opt-in.

Automatic consent prompts often pre-load cookies

Many of the solutions currently available on the market are just “dummy” consent prompts. At best, they are able to block cookies after the consent settings are saved. Since all cookies on your website are still pre-loaded on page load, before any consent is given, these solutions aren’t compliant in light of the laws in the UK.

Users need to be able to access your Cookie Policy right away

Linking to the policy in the footer is a common practice. We definitely agree with that, but most of the time it’s not sufficient. Your visitors might expect to find it there, but it often requires a lot of effort to reach it – especially on lengthy pages.

Visitors should be able to learn more about your Cookie Policy before they decide whether they agree to the usage. Typically, you would include a link to your Cookie Policy directly in the consent prompt.

Many cookies, such as “_ga” and “_gid”, use naming schemes that aren’t intuitive for the average user. A Cookies Policy allows you to be transparent and describe their purpose. It’s also where you can link to the third-party privacy and/or cookies policies, and include any additional information, such as the contact details for data protection enquiries or information on how visitors can delete cookies from their devices.

An excerpt from the ICO’s Cookie Policy, showing how they communicate the purpose of their cookies.

We recommend creating a separate Cookies Policy page. If you include it in your Privacy Policy it will not only be harder to find but also make the Privacy Policy less intuitive – the volume of information required in a Cookies Policy is simply too big to cram it into a single section.

You can’t lock your content behind a “cookie wall”

As a follow-up to the previous point, users need to access the entirety of your website before choosing their cookie preferences – not just the Cookie Policy. Prompts that prevent scrolling when a cookie pop-up is visible wouldn’t comply with the law.

The consent mechanism needs to be self-evident, but can’t be unnecessarily disruptive

Assuming you allow visitors to access your website without accepting the cookie consent, the prompt needs to remain unintrusive to their experience. You still have to make sure visitors intuitively spot and understand your pop-up, but if it covers half of the web page before they interact with it, the pop-up wouldn’t be fully compliant.

You can’t use suggestive design to persuade the user to accept all cookies

Another common occurrence on websites that break the law is the usage of suggestive colours or design choices to influence the user. Regardless of your brand guidelines, the options within the prompt should use the same styling.

Mockups of three cookie consent pop-ups, two of which are not compliant because of suggestive design choices.

Users need to have the option to change their cookie settings

You need to provide a mechanism of your choice that allows visitors to change their cookie settings. You can achieve this by using a descriptive hyperlink in the Cookie Policy that allows visitors to manage or change their preferences.

It’s important to note here that after changing the settings, previously set cookies might remain on the user’s device. Only the user can delete them, but it’s your responsibility to guide them towards a solution. Including a simple note referring to the browser/device settings to delete existing cookies is sufficient in this case.

Your use of cookies may also require GDPR compliance

If the information you get from the usage of cookies can identify a person, you must also comply with GDPR rules. This applies even if you can only identify the person indirectly.

Even a seemingly random anonymous user identifier is “personal data” under GDPR. That’s because anonymous identifiers often refer to other data that can be used to identify a person – directly or indirectly.

As an example, if you assign “XMk3X8gPMf” as the ID of your visitor and share it with us, we have no way of identifying the person. However, if the user browses other websites that have access to the identifier and these websites save information about the person, connecting the ID with those other data sets can potentially identify the user. Many third-party cookies work like that, especially the ones set by advertising and re-marketing networks.

Both parties are responsible for third-party cookies

If you’re using third-party services that use cookies to provide their functionality, both you and the provider are responsible for compliance. This means that your contractual agreement with a third-party likely obligates you to get consent in a compliant way.

As mentioned when talking about your Cookies Policy, it’s a good practice to include links to applicable third-party policies on your website. This allows your visitors to find the detailed information on how the third-parties process their data.

Websites aren’t the only platform that necessitates compliance

The above requirements apply to all platforms and devices where you store cookies. This means that a mobile app requires a compliant prompt as well. On some devices, like smart TVs or other home appliances, getting consent might be challenging. You could do it in several ways, from communicating it in manuals to creating a standalone app where users need to register and give their consent.

We’ve prepared a quick guide that will help you spot potential non-compliance of your solution. At the end of this section, you’ll find a link to download this checklist in a PDF file.

Please note that we can’t guarantee that passing all the checks means your usage of cookies is fully compliant. These are simply the most common, high-level mistakes that can be easily spotted by anyone and we are not responsible for misuse or incorrect conclusions drawn from the use of this checklist.

To ensure full compliance, please consider carrying out an audit or consulting the extensive guide from the Information Commissioner’s Office.

  1. Ensure you have a Cookies Policy in place
  2. Ensure your consent mechanism uses positive opt-in
  3. Check for suggestive design
  4. Ensure you have full access to the website without dismissing the pop-up
  5. Check for pre-loaded cookies

    To check this, open your website in a private window and do not interact with your cookie consent prompt. Instead, in Google Chrome, Microsoft Edge and Safari, click on the padlock next to your website’s address and select Cookies. If you spot any cookies that aren’t strictly necessary, they are being pre-loaded before the user opts in, which means your website is not compliant.

    If you’re using Mozilla Firefox, ensure you’ve disabled its Tracking Protection feature and then press F12 to open the Developer Tools. Navigate to Storage > Cookies and proceed as described above.
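To show how the rules under “You can only pre-load strictly necessary cookies” and checklist step 5 translate into code, here is an added JavaScript example that is not part of the original article: a minimal consent gate in which optional categories default to off, the only cookie written before a decision is the one storing that decision, and optional tags load only after an explicit opt-in, plus a function that automates the step-5 check. The cookie name cookie_consent, the category names and the loader list are assumptions.

```javascript
// Added example, not from the original article. Optional categories default to "off";
// the only cookie set before the visitor decides is the one storing their settings
// (itself strictly necessary). cookie_consent, category names and loaders are assumed.
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

// Read the stored decision from a Cookie header string. A missing or malformed
// cookie means "no consent", the safe default the guidance requires.
function parseConsent(cookieHeader) {
  const consent = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || '');
  let raw = ''; try { if (match) raw = decodeURIComponent(match[1]); } catch { return consent; }
  for (const pair of raw.split(',')) {
    const [category, value] = pair.split(':');
    if (category in consent) consent[category] = value === '1'; // only an explicit "1" is an opt-in
  }
  return consent;
}

// Build the Set-Cookie value for the prompt's own cookie. Unchecked boxes stay
// false, so saving an untouched prompt opts the visitor in to nothing.
function consentCookie(choice) {
  const value = OPTIONAL_CATEGORIES.map((c) => `${c}:${choice[c] === true ? 1 : 0}`).join(',');
  return `cookie_consent=${encodeURIComponent(value)}; Path=/; Max-Age=15552000; SameSite=Lax`;
}

// Decide which tag loaders may run on this page load: strictly necessary ones
// always, each optional one only if its category was actively accepted.
function loadersToRun(loaders, consent) {
  return loaders.filter((l) => l.category === 'necessary' || consent[l.category] === true);
}

// Checklist step 5 as a function: given the cookies present before any
// interaction with the prompt, list those not on the necessary allowlist.
function preloadedOptionalCookies(cookieHeader, necessaryNames) {
  const names = (cookieHeader || '').split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
  return names.filter((n) => !necessaryNames.includes(n));
}

// Constructed sample data: three tag loaders and the allowlist of necessary cookies.
const TAG_LOADERS = [
  { name: 'session', category: 'necessary' },
  { name: 'ga', category: 'analytics' },
  { name: 'ads', category: 'marketing' },
];
const NECESSARY_COOKIES = ['session', 'cookie_consent'];
// First visit: only the necessary loader runs; pre-loaded _ga/_gid would fail step 5.
console.log(loadersToRun(TAG_LOADERS, parseConsent('session=abc')).map((l) => l.name));
console.log(preloadedOptionalCookies('session=abc; _ga=GA1.2.1; _gid=x', NECESSARY_COOKIES));
```

In a real page the Cookie header string would come from document.cookie and loadersToRun would be called before any analytics or advertising script tag is injected.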

Frequently Asked Questions about cookie compliance

Are analytics cookies exempt?

No. They are not strictly necessary for the visitor, and as such, they require positive opt-in. This applies to both third-party cookies (Google Analytics) and even first-party tracking solutions.

Can I include analytics cookies in the “Necessary” category if I’m transparent about it?

No. Necessary cookies are strictly defined as ones that provide crucial website features – shopping cart, saving user preferences, etc. While analytics might be important for your company, they’re not necessary for the visitor.

It’s the third-party setting the cookies. Shouldn’t they be exclusively responsible for it?

No. As the owner and/or manager of your website, you can choose not to use third-party services that set cookies. When you choose to use such services, you’re also partially responsible for compliance. Bear in mind that you’ll naturally be the first point of contact for visitors who have questions or complaints about the use of cookies on your website, as they might not know that a third party is setting them.

Can I use implied consent, i.e. inform users about the fact we’re using cookies and assume consent is given if they remain on the website?

No. There’s a lot of misinformation online about this. Implied consent is not compliant at this moment and you should look for active, positive opt-in from your visitors.

Can I obtain consent through Terms & Conditions?

No. Online sources are often wrong about this as well. Once again, positive opt-in is needed for all optional cookies.

Can I use third-party solutions available on the market to do this for me?

It depends. As mentioned in the introduction, even among the top 10,000 British websites using the five leading consent management platforms, only 11.8% met the minimal compliance requirements. When using a third-party solution, don’t assume it’s fully compliant or that the provider will be responsible for any negligence. It’s still your responsibility, and they likely cover this in their contract with you. When you choose a service provider for consent management, you should still verify whether it’s fully compliant.

Can I rely on the user’s browser settings to block cookies?

No. You can’t assume all visitors have the capability and know-how to block cookies. This would also go against the requirement of positive opt-in, as you would be pre-loading cookies before obtaining consent.

Can the optional cookie categories in my consent mechanism be pre-checked – but not pre-loaded?

No. According to ICO’s guidelines, this is not a form of positive opt-in, even if you only preload the cookies after the user accepts the selection. Visitors have to actively select these cookies.

Do I need to obtain consent for every cookie separately?

No. You can group cookies into relevant categories, as long as you clearly explain your choice and inform visitors which cookies belong to the categories of your choice.

Spotted an outdated recommendation or have more questions? Let us know

We’re doing our best to keep the article up-to-date with the current guidelines. However, if you spot a discrepancy or have additional questions, please get in touch with Dawid. He’ll answer your questions and we’ll consider including them in the article to help others as well.

Please note that our advice isn’t legally binding. For more complex enquiries, please contact ICO directly. They offer a variety of contact channels – live chat, e-mail, and over the phone.
