PECR, GDPR and consent
In May 2018, General Data Protection Regulation (GDPR) into effect and led to change to how businesses and organisations handled the data they held on their customers or members. At the heart of this was the need to get consent to communicate with people. Fast forward to July 2019, and the ICO publishes its guidance on how this applies to your site, in the form of cookies.
Cookies are text snippets that remember who you are by saving a small amount of information in your browser. They are used in thousands of ways, from Google Analytics to screen reading services, or marketing systems to maps.
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
Cookies are covered by the Privacy and Electronic Communications Regulations (PECR), which is now using the standard of consent from GDPR.
Consent must be clear
- Positive action must be taken for consent
- No pre-ticked boxes
- Clearly explain the cookies that will be set and what they do – including any third party cookies and strictly necessary cookies
- Strictly necessary cookies are defined as those that are part of the functionality that the user requests when they use your online service. If the service would run without a given cookie, then it is not strictly necessary, it is non-essential.
- Users must have control over any non-essential cookies
- Non-essential cookies must not be set on landing pages before you gain the user’s consent
"If the service would run without a given cookie, then it is not strictly necessary, and by this definition, the legitimate interests argument that is applicable to email communication is not applicable."
A cookie wall is a popup that is being placed on a website to inform users about the cookie use on the website, without a reject option. The higher level of consent must be given to cookie walls, but the extent to which a cookie wall can be used itself has yet to be determined. This shall be worked on in the coming months by the ICO.
Your cookie page
Your new cookie page needs to contain the following information:
- List the cookies you use, their name and purpose
- Clearly label strictly necessary cookies and the context
- Explain how users can change their cookie settings as consent is not freely given if it cannot be revoked
Your cookie page, social media and retargeting
You need to update your cookie page and social media account pages to explain that your website may set cookies about them.
Social media and retargeting platforms
Social media and retargeting platforms add cookies for their platform after they’ve left your website to give you usage and engagement stats. Even though you don’t control those platforms’ cookies, you do control whether you have an account, and the stats you see.
This means you and the platform are jointly responsible for deciding the purpose and the processing of data. This means you are a joint data controller with them for this activity. You may only see anonymised or aggregated stats but the platform will create these with personal data.
As not everyone visiting your social media accounts from your website will be a logged-in user, you need to ensure that they are provided with appropriate information before they visit.
- Update your privacy notice with references to social media accounts
- Explain how they control non-essential cookies once they visit there
- Provide information about the processing of any personal data
- Include this information on the platform with a link back to your privacy notice
NDP's Cookie Management – a one-stop solution
First up – we audit your site
First, we will run a cookie scan on your website, in order to identify all the cookies that can be set by all the pages and elements of the site. We review the results of the scan and categorise all the cookies identified across three categories:
- Essential (which is defined as essential to the proper functioning of the website from the user's perspective). For instance, cookies necessary to track the items that a user has added to their shopping cart on the site.
- First party: cookies directly set by the website (for instance, Hotjar or Google Analytics cookies).
- Third party: cookies set by other services, via embedded elements on your site (for instance, cookies set by Google when a user views a YouTube video embedded on your site, or by Facebook/Twitter if a user clicks a social sharing button on one of your site's pages).
Then we review each cookie, how it is set and how we can block it (if it is non-essential and a user chooses to reject cookies). At the end of this process, we will deliver the conclusions of our Cookie Audit to you, which include an estimate for installing our cookie blocker.
Then we add our cookie blocker
Our cookie blocker module provides a friendly interface where users can make their consent choice. It then manages the dropping or blocking of cookies as the user navigates on.
The solution is fully compliant with legislation and provides the most fuss free experience for your site visitors. Prices for installation vary depending on the number and type of cookies your site and your third party services use.