When you use Google Analytics to understand your visitor demographics, or add a Facebook share button to your content, those tools place cookies on your website visitors' devices. If you use such tools on your website, you may be asking yourself: "Do I need a cookie policy on my website?"
If your website is accessible to UK users, you will most likely have to comply with both the UK GDPR (General Data Protection Regulation) and UK PECR (the Privacy and Electronic Communications Regulations). To comply with these rules, you should have a cookie policy on your website.
In this article, you'll learn how cookies work and what UK law requires of a cookie policy.
What Are Cookies?
Imagine that a prospect visits your website and fills out an online form to sign up for your service. If the form spans several pages, your site must remember the answers given on earlier pages for the sign-up to succeed, so it needs some way of recognising the same visitor as they move from page to page.
This is where cookies come in. Cookies are small pieces of text that a website asks the browser to store on the visitor's device and send back with later requests to the same site. Across repeated visits they let the site recognise the user, the actions they performed and the choices they made, and they allow features such as logins and shopping baskets to work properly.
However, cookies do not only provide website functionality: they are also placed on user devices for purposes such as analytics, advertising and tracking.
For example, Google Analytics is a common analytics tool that sets cookies (such as _ga) to analyse website traffic and user behaviour.
Among these categories, tracking cookies are very common. In fact, one recent scan found that over 90% of the websites examined contained at least one tracking cookie.
One common source of tracking cookies is the Facebook Pixel, a script that sets cookies so that you can record the actions your visitors take on your website, measure the effectiveness of your ad campaigns and even retarget your visitors with ads.
Let’s take a deeper dive into different categories of cookies and provide specific examples.
What Types Of Cookies Are There, And What Do They Do?
Cookies can be categorised based on various criteria. In this section, we will focus on two main ways used to categorise cookies.
Cookie types by their use cases
(i) Necessary cookies
Necessary cookies are those "essential to provide the service requested" by the visitor. They make it possible for visitors to access and use the features of a website and enable the site to operate properly.
Strictly necessary cookies do not require the visitor's consent under UK law. However, your cookie policy still needs to list them and explain what they do.
The UK data protection authority, the ICO (Information Commissioner's Office), gives the following examples of strictly necessary cookies:
- “Cookies that are essential to comply with the UK GDPR’s security principle for an activity the user has requested – for example in connection with online banking services”
- “Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)”
Other cookies also fall into this category, such as:
- cookies that keep track of a visitor's navigation across a website (for example, the session identifier that ties a multi-page form together)
- cookies that make it possible for users to log in to a website and stay logged in
(ii) Analytics cookies
This category covers cookies used to collect data about how visitors access and use a website. For instance, analytics cookies record how long visitors stay on specific pages, which sources they arrive from and the actions they take on the website, such as clicking on specific content.
(iii) Targeting cookies
Targeting cookies are used to collect information about groups of website visitors and build profiles so that those visitors can be served targeted ads. They may record a visitor's location, device, screen dimensions and source URL in order to place the visitor in a particular category; based on that profile, the visitor is then shown targeted ads.
Targeting cookies can be placed by the website itself (first-party) or by third parties (set for a different domain than the one the visitor is on).
Cookies provided by social networks such as Facebook, Twitter, Instagram or Pinterest also fall into this category. They enable the social media platform to serve personalised content and targeted ads to its users, and they are set when the platform's button or widget loads on your page, not only when it is clicked.
Some examples of targeting cookies provided by social media platforms include:
- Facebook "Like" button: when a visitor to your page clicks the Like button, an App Event is triggered to log the like on Facebook.
- LinkedIn “Share” button
Cookie types by session
(i) Persistent cookies
These cookies remain on the visitor's device after they leave your website, until the expiry date or maximum age set in the cookie is reached. Persistent cookies let your website remember visitors' choices and actions between separate visits.
For example, the Google Analytics _ga cookie, which distinguishes one visitor from another across sessions, is persistent: by default it expires two years after it was last set. No cookie is stored permanently, although an expiry can be set far in the future and refreshed on every visit, which in practice amounts to the same thing and is why the policy must state the actual duration.
(ii) Session cookies
Session cookies carry no expiry date or maximum age and are held in the browser's memory only until the browser session ends, typically when the visitor closes the browser. Note that they do not disappear merely because the visitor navigates away from your site, and browsers configured to restore the previous session on start-up may keep them for longer than visitors expect.
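The session/persistent distinction above, and the "duration for each cookie" and "third parties" entries a cookie policy has to list later in this article, both come straight from the attributes of the Set-Cookie header. The following is an added example, not code from the original article or from Privasee: it parses Set-Cookie headers the way a cookie audit would and classifies each cookie. The sample headers, cookie names and attribute values are constructed for illustration, and the site host www.example.com is assumed.

```javascript
// Added example, not code from the original article or from Privasee: parse
// Set-Cookie headers the way a cookie audit would, and classify each cookie as
// session, persistent (with its retention period) or deleted, plus whether it is
// set for a third-party domain. The sample headers below are constructed; the
// cookie names and attributes are illustrative assumptions, not captured data.

const DAY_MS = 24 * 60 * 60 * 1000;

// Split one Set-Cookie header value into its name, value and attribute map.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(';').map(p => p.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim(); // flag attrs become true
  }
  return { name, value, attrs };
}

// Max-Age takes precedence over Expires (RFC 6265 5.3); with neither, the
// cookie lives only for the browser session. A zero or negative lifetime means
// the server is deleting the cookie, which is not a persistent cookie.
function classifyCookie(header, siteHost, now = new Date()) {
  const { name, attrs } = parseSetCookie(header);
  let lifetimeMs = null;
  if (typeof attrs['max-age'] === 'string') {
    const secs = Number(attrs['max-age']);
    if (Number.isFinite(secs)) lifetimeMs = secs * 1000;
  } else if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) lifetimeMs = t - now.getTime();
  }
  const type = lifetimeMs === null ? 'session' : lifetimeMs > 0 ? 'persistent' : 'deleted';

  // A leading dot in Domain is ignored for matching (RFC 6265 5.2.3); without a
  // Domain attribute the cookie is host-only, i.e. first-party.
  const domain = typeof attrs.domain === 'string'
    ? attrs.domain.replace(/^\./, '').toLowerCase()
    : siteHost;
  const thirdParty = !(siteHost === domain || siteHost.endsWith('.' + domain));

  return {
    name,
    type,
    retentionDays: type === 'persistent' ? Math.round(lifetimeMs / DAY_MS) : 0,
    thirdParty,
    secure: attrs.secure === true,
    httpOnly: attrs.httponly === true,
  };
}

// Constructed sample of headers a crawl of a page on www.example.com might see.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',                      // login session
  '_ga=GA1.2.111.222; Max-Age=63072000; Path=/; Domain=.example.com',              // analytics, 2 years
  'ad_id=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.adnetwork-example.net; Secure', // third-party targeting
  'old_pref=; Max-Age=0; Path=/',                                                  // server deleting a cookie
];

// Build the inventory that a cookie policy's "duration" and "third parties"
// sections need. `now` is fixed so the Expires arithmetic is reproducible.
function cookieInventory(headers = SAMPLE_HEADERS, siteHost = 'www.example.com',
                         now = new Date('2024-07-01T00:00:00Z')) {
  return headers.map(h => classifyCookie(h, siteHost, now));
}
```

Two things the output makes visible that a policy writer often misses: a cookie whose Max-Age is 0 or whose Expires lies in the past is a deletion instruction, not a persistent cookie, and the Domain attribute (not the name) decides whether a cookie is third-party. Cookies set from JavaScript via document.cookie use the same attribute syntax, so the same classifier applies to them once they are captured from the browser.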
What To Include In Your Company's Cookie Policy
When you place cookies on your website visitors' devices, you need to give them clear information about which cookies are used, what those cookies do and how long they stay on users' devices. You should therefore write a cookie policy that contains all of these details, so that you do not fall foul of the UK cookie rules.
When you use cookies on your website, you have to comply with regulation 6 of PECR and provide visitors with "clear and comprehensive information" about the cookies.
Bear in mind that this transparency requirement applies as soon as you set any cookie at all. Regulation 6 covers storing information on, or gaining access to information stored in, a user's device regardless of whether that information is personal data, so not collecting personal data, or anonymising it, does not take you outside the cookie rules.
Although regulation 6 of PECR does not spell out what your cookie policy should contain, it does require that the information about cookies be provided in accordance with data protection law, which includes the UK GDPR.
Luckily, the ICO's guidance clarifies what your cookie policy should include.
What to include in your cookie policy?
The ICO's guidance says you must tell users:
- which cookies you place on their devices;
- the purpose of each cookie;
- "any third parties who may also process information stored in or accessed from the user's device";
- the duration of each cookie or cookie category;
- how users can disable or withdraw consent to cookies.
How to obtain consent for UK Cookie law compliance?
A cookie policy goes a long way towards compliance, but on its own it does not protect you from breaking the cookie rules. Where consent is needed to place cookies, you must also implement a consent mechanism, and that mechanism has to meet the UK GDPR standard of consent: freely given, specific, informed and unambiguous, given by a clear affirmative action.
The ICO expects that mechanism to give users real control over every non-essential cookie on your site, including third-party cookies. In practice that means no cookies in those categories may be set before the visitor opts in, consent cannot be inferred from continued browsing or pre-ticked boxes, rejecting must be as easy as accepting, and withdrawing consent must be as easy as giving it.
The most common consent mechanism in practice is the cookie consent banner, which lets visitors accept or reject the non-necessary categories such as analytics and targeting cookies.
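The banner is the visible part; what makes it compliant is the gate behind it that stops non-essential tags from running until a positive choice has been recorded. The following is an added example, not code from the original article or from Privasee, of such a gate. The category names, the tag labels and the in-memory Map used as the consent store are assumptions for illustration; a real site would persist the decision in a cookie of its own.

```javascript
// Added example, not code from the original article or from Privasee: a minimal
// consent gate that holds back non-essential tags until the visitor opts in.
// Storage is an in-memory Map standing in for the consent-record cookie a real
// site would set (that record is itself strictly necessary, so needs no consent).

const CATEGORIES = ['analytics', 'targeting']; // non-essential categories only

function createConsentGate(storage = new Map()) {
  // Loaders registered before a decision wait here, keyed by category.
  const pending = Object.fromEntries(CATEGORIES.map(c => [c, []]));
  const loaded = []; // labels of tags that have actually run

  // Only an explicit, recorded "true" counts as consent; silence is a refusal.
  function consentFor(category) {
    return storage.get(category) === true;
  }

  // Register a tag loader (e.g. a function that injects an analytics script).
  // It runs immediately only if consent for its category is already recorded.
  function registerTag(category, label, loader) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    if (consentFor(category)) {
      loader();
      loaded.push(label);
    } else {
      pending[category].push({ label, loader });
    }
  }

  // Record the visitor's choice for every category. Anything not explicitly
  // granted is recorded as refused, so a partial choice never implies consent.
  function update(choices) {
    for (const category of CATEGORIES) {
      const granted = choices[category] === true;
      storage.set(category, granted);
      if (granted) {
        for (const tag of pending[category].splice(0)) {
          tag.loader();
          loaded.push(tag.label);
        }
      }
    }
  }

  // Accept-all and reject-all are each a single call: rejecting must be as easy
  // as accepting, which is what the CNIL fined Google for getting wrong.
  const allSetTo = value => Object.fromEntries(CATEGORIES.map(c => [c, value]));
  return {
    acceptAll: () => update(allSetTo(true)),
    rejectAll: () => update(allSetTo(false)),
    update,
    registerTag,
    consentFor,
    loadedTags: () => loaded.slice(),
  };
}

// Constructed walkthrough: two hypothetical non-essential tags are registered
// before any choice has been made, then `action` plays the visitor's decision.
function demo(action) {
  const gate = createConsentGate();
  const fired = [];
  gate.registerTag('analytics', 'analytics-script', () => fired.push('analytics'));
  gate.registerTag('targeting', 'ad-pixel', () => fired.push('pixel'));
  const firedBeforeChoice = fired.length; // always 0: nothing runs before consent
  action(gate);
  return { firedBeforeChoice, fired, loaded: gate.loadedTags(), gate };
}
```

The withdrawal case is the one to test deliberately: once a tag has run, revoking consent stops it from being loaded again on later pages but cannot unload code that is already executing, so a compliant implementation also has to delete the cookies that tag set (for example by rewriting them with Max-Age=0) and, for server-side tags, stop the server from emitting them.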
What are the consequences of not having a cookie policy in place, or of not complying with GDPR regulations?
If your cookie practices fail to comply with the UK GDPR and/or PECR, you may face the following penalties:
- Under PECR, the ICO can fine an organisation (or, more rarely, its directors personally) up to £500,000 for failing to meet the cookie transparency and consent requirements.
- If your cookie policy fails to meet the UK GDPR's transparency requirements, the maximum fine is £17.5 million or 4% of your total annual worldwide turnover in the preceding financial year, whichever is higher.
In the past, different data protection authorities fined both small and big businesses for failure to comply with cookie rules.
For example, the French data protection authority (CNIL) fined Google 150 million euros because Google did not make rejecting cookies as easy as accepting them.
In Spain, the data protection authority (AEPD) fined the airline Vueling 18,000 euros because website users were unable to reject cookies.
Beyond the legal fines, there is another, harder to quantify, cost of non-compliance: the loss of your customers' trust.
In fact, according to a recent Cisco study, consumers name transparency as the key factor in building trust around how their data is handled. A compliant cookie policy lets you show your customers that you are open about how you use cookies and handle their personal data.
Building that trust can be key to improving customer retention and creating a better public image.
How do I create a cookie policy for my website
Given the risks of a non-compliant cookie policy, you need a GDPR- and PECR-compliant policy that both shields you from legal liability and earns your customers' trust.
However, crafting a compliant cookie policy is easier said than done, for a few obvious reasons:
- You need an accurate picture of which cookies are actually active on your website, including those set by third-party scripts you embed,
- You need to keep adapting your cookie policy as the set of active cookies changes,
- You need to provide your cookie policy in the languages of your target audience.
To overcome these difficulties and create a GDPR-compliant cookie policy that earns your customers' trust, you may need help from an expert.
This is where Privasee can help.
Privasee is a one-stop solution for overcoming these challenges and implementing a GDPR-compliant cookie policy in three steps:
- Mapping your active cookies: the Privasee portal takes your personal data map and generates your policies and cookie banner from that information.
- Keeping up to date with global regulations: you do not need to spend thousands on every change to your cookie policy. Privasee automatically updates your cookie policy from your data map, which it keeps up to date.
- Multiple language support: if your website is accessible to users in other countries who speak other languages, you should have your cookie policy in those languages as well. Privasee lets you publish it in multiple languages.
To comply with the GDPR and PECR cookie requirements without spending excessive resources, try the Privasee Platform here.
Wrap Up & Key Takeaways
In this article, we covered what cookies are, the different types of cookies, and how to achieve compliance with a GDPR- and PECR-compliant cookie policy.
Crafting a compliant cookie policy, keeping it up to date and accurately mapping the cookies active on your website is tricky but not impossible.
Privasee can help you overcome these hurdles.
Book your free audit today, craft your cookie policy in multiple languages and see it in action!
Frequently asked questions
We never have access to any of your data: our platform can scan each tool and provide recommendations without needing to access any of the data within those tools. There is no need for your dev team to do anything and no security risk to you; just tell us the tools you use and we will do the rest.
Our policies are not just about your website or service. Once set up, our platform will help you map out internal and external processes, such as HR, finance and more.
We recommend replacing your current policy with ours; this way you will remain compliant as your business changes and as the laws are updated.
Setting up is easy: just follow the on-screen instructions and go through a few short steps to add your tools. You don't need any technical ability, and anything you don't know the answer to you can ask us about via live chat or add later.
A generic template will not fit your particular business, as there is much to consider for each tool you use. A template also will not update automatically when your business changes or when GDPR law changes, which can leave you in breach of the GDPR.
We have a huge selection of tools pre-loaded and anything you don't see you can add directly from the platform as well as mapping data for any custom software you may use.
Our Essential Plan is perfect for people just getting started: small businesses, self-employed people and early-stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our Pro Plan when you grow and your needs become more complex.
Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.
Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.
Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.
Feel free to get in touch to discuss our GDPR Compliance Software solution.
Signing up is easy. The platform will ask you a few basic questions and then you can add your tools; don't worry if you don't know them all, as you can come back and add tools at any point. The platform will then generate the correct privacy policy from your information, and you can share it directly on your site. That's it!
Privasee has plans for smaller companies as well as larger enterprises. Small and medium-sized companies can sign up directly; larger enterprises can get in touch with their requirements and our team will build a bespoke plan.
You have a legal responsibility to keep your policy up to date with every change in the legal requirements for every tool you use. With Privasee you are always covered.