Is it me or has technology taken a word once filled with the promise of joy, delight and choc-chip packed goodness, and made it confusing and unappetising?
Technological cookies are simple yet powerful little things if used correctly. However, the legislation around them has been constantly evolving, leaving once-confident minds boggled and bemused.
To smooth your furrowed brow, we have created a super quick guide to cookie policies (with special deference paid to the ICO’s new GDPR guidelines) to help steer you in the right direction…
Giant disclaimer before we begin: we are not your legal department, and this is just advice based on publicly available online sources. Please seek the proper legal advice where necessary.
Please explain cookies…
Cookies are little bits of data ‘dropped’ by a website onto the user’s browser, which stores them for future use. We like to think of them as the internet’s memory.
They are used to recall certain information and behaviours, to gather web analytics, and to provide web users with a more tailored, engaging and personal website experience.
There are two types of cookie (yum)
The first are session cookies, which expire once a user has shut down their browser.
The second are persistent cookies, which stay in the browser until the user manually deletes them or their expiry date is reached.
Cookies can either be set directly by your own website’s domain (first party) or by another domain working on your behalf (third party). Your Kulea cookie would be considered a third-party cookie.
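To make the two distinctions above concrete, here is a small Python script (an added example, not Kulea’s code or anything from the ICO guide) that takes the Set-Cookie headers a page receives and classifies each cookie as session or persistent, and as first or third party. The sample headers, the page host www.example.co.uk and the tracker domain example.net are constructed for the example. First versus third party is decided by comparing registrable domains, and real browsers do that with the full Public Suffix List; the tiny PUBLIC_SECOND_LEVEL set here is a stand-in for it and is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Stand-in for the Public Suffix List (assumption of this example): second-level
# labels that are "public" under some two-letter country TLDs, so that
# www.example.co.uk and cdn.example.co.uk both map to example.co.uk.
PUBLIC_SECOND_LEVEL = {"co", "ac", "gov", "org", "net", "ltd", "plc", "me"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable ("site") domain of a host name."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in PUBLIC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class CookieReport:
    name: str
    domain: str
    party: str                      # "first" or "third"
    lifetime: str                   # "session", "persistent" or "expired"
    expires_at: Optional[datetime]  # None for a session cookie


def classify(set_cookie: str, response_host: str, page_host: str, now: datetime) -> CookieReport:
    """Classify one Set-Cookie header received from response_host while viewing page_host."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = attrs.get("domain", response_host).lstrip(".").lower()

    # No Max-Age and no Expires means a session cookie. When both are present,
    # RFC 6265 says Max-Age wins. A Max-Age <= 0 or an Expires in the past is how
    # a site deletes a cookie, so we report that as "expired".
    expires_at = None
    if "max-age" in attrs:
        expires_at = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires_at = parsedate_to_datetime(attrs["expires"])

    if expires_at is None:
        lifetime = "session"
    elif expires_at <= now:
        lifetime = "expired"
    else:
        lifetime = "persistent"

    party = "first" if registrable_domain(domain) == registrable_domain(page_host) else "third"
    return CookieReport(name, domain, party, lifetime, expires_at)


def audit(responses, page_host: str, now: datetime):
    """Classify every (response_host, set_cookie_header) pair seen while loading page_host."""
    return [classify(header, host, page_host, now) for host, header in responses]


def summarise(reports):
    """Count cookies per party/lifetime bucket, e.g. {"third-party persistent": 1}."""
    counts = {}
    for report in reports:
        key = f"{report.party}-party {report.lifetime}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: headers a browser might receive while loading one page.
PAGE_HOST = "www.example.co.uk"
NOW = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("www.example.co.uk", "PHPSESSID=a1b2c3; Path=/"),
    ("www.example.co.uk", "cookie_consent=1; Max-Age=31536000; Domain=.example.co.uk; Path=/"),
    ("cdn.example.co.uk", "prefs=dark; Expires=Fri, 01 Mar 2019 11:00:00 GMT"),
    ("analytics.example.net", "visitor_id=xyz; Expires=Sun, 01 Mar 2020 12:00:00 GMT; Domain=.example.net"),
]

if __name__ == "__main__":
    reports = audit(SAMPLE_RESPONSES, PAGE_HOST, NOW)
    for report in reports:
        print(f"{report.name:15} {report.domain:22} {report.party}-party {report.lifetime}")
    print(summarise(reports))
```

Run as-is it prints one line per cookie and a summary; feed it the Set-Cookie headers captured from your own site (browser developer tools or a proxy) and you have the first pass of a cookie audit. It deliberately says nothing about whether a cookie is essential, because that depends on what the cookie is for, not on how it is set.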
Some websites use this information to stalk their users around the internet with constant, irrelevant and untimely communication, therefore giving the little cookie a bad name (no, we’re not looking at you Facebook/Google – honest).
SO, tell me the protocol now…
First things first, cookies are not actually governed directly by the GDPR; they fall under PECR (the Privacy and Electronic Communications Regulations).
Although PECR runs alongside both the GDPR and the DPA (the Data Protection Act 2018), the PECR rules take precedence over them, so look at PECR compliance before looking into the other two.
(Read more about it here: What is the relationship between PECR and the GDPR?)
Important: “PECR applies to any technology that stores or accesses information on the user’s device. This could include, for example, HTML5 local storage, Local Shared Objects and fingerprinting techniques. PECR also applies to technologies like scripts, tracking pixels and plugins, wherever these are used.”
PECR does not stop you using cookies, but it does require you to tell your users about them and give them the choice to let you store and use the information.
Remember, the more transparent and accountable you are about your privacy and data, the more likely your users are going to trust you!
- Tell people about cookies.
- Say what cookies will be set.
- Explain what the cookies will do and how you intend to use them.
- Obtain consent to store cookies on devices.
Here is an example we have taken from the ICO guide:
WATCH OUT: Recital 32 of the GDPR bans pre-ticked boxes (and similar things like pre-set sliders), and silence or inactivity does not constitute consent.
There is a whole section on how to comply with the cookie rules in the guide.
Are there any exemptions?
PECR has two exemptions to the cookie rules: Regulation 6(4) states that:
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information – (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Please note: any cookie that does not fall under one of these two exemptions is non-essential, and you cannot pre-enable non-essential cookies!
So what about the rules around processing the data obtained by cookies?
This is a big section and one that is very relevant to your digital marketing, from an analytical point of view and from a content delivery point of view:
PECR has rules for the storing of information, or accessing information stored, on user devices. It does not contain any specific rule for prior or subsequent processing operations involving this information.
So, where personal data is involved, it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies. However, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing that data with third parties.
And the Kulea advice is…?
Kulea advises you brush up on your GDPR and DPA knowledge as well as your PECR knowledge!
If you are in the process of creating a new online service, you can carefully plan out your cookie practice from the start; if you are already up and running, now is a good time to run a cookie audit.
Hiring a third-party solution to look after your cookies for you can take a lot of the stress away.
We have used Cookiebot so can vouch for them (we are not being paid to say that mind!) however there are others on the market… just ask Google!
There you have it, our whistle stop tour of the new cookie guidelines! Please let us know if you have any more information or would like to get in touch.