PECR, GDPR and consent
In May 2018 the General Data Protection Regulation (GDPR) came into effect and changed how businesses and organisations handle the data they hold on their customers or members. At the heart of this is the need to obtain consent before communicating with people. The same standard of consent now applies to your website, in the form of cookies.
Cookies are small text records that let a site remember who you are by storing a little information in your browser. They are used in thousands of ways, from Google Analytics to screen-reading services, and from marketing systems to maps. If your site sets cookies, you must:
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
Cookies are covered by the Privacy and Electronic Communications Regulations (PECR), which now uses the GDPR standard of consent.
Consent must be clear
- Consent requires a positive action by the user
- No pre-ticked boxes
- Clearly explain the cookies that will be set and what they do, including any third-party cookies and strictly necessary cookies
- Strictly necessary cookies are those that form part of the functionality the user requests when they use your online service. If the service would run without a given cookie, then it is not strictly necessary; it is non-essential.
- Users must have control over any non-essential cookies
- Non-essential cookies must not be set on landing pages before you gain the user’s consent
Because a cookie the service can run without is by definition not strictly necessary, the legitimate interests basis that can be argued for some email communication is not available for it. Consent is the only route for non-essential cookies.
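The rule that non-essential cookies must not be set before consent is usually enforced by not loading the tags that set them until a consent record exists. The script below is an added example, not code from the original page: it reads a JSON consent record from a cookie, treats a missing or malformed record as "no consent", loads only the tags whose category has been explicitly accepted, and builds the Set-Cookie headers a server would send to expire first-party non-essential cookies when consent is withdrawn. The cookie name `cookie_consent`, the tag registry and the `example.invalid` URLs are assumptions for illustration.

```javascript
// Added example (not from the original page): gate non-essential tags behind
// an explicit consent record. The cookie name "cookie_consent", the tag
// registry and the example.invalid URLs are assumptions for illustration.

const CONSENT_COOKIE = 'cookie_consent';

// Every tag the site can load, by category. Only "essential" loads without consent.
const TAG_REGISTRY = [
  { id: 'consent-ui',  category: 'essential', src: 'https://example.invalid/consent-banner.js' },
  { id: 'analytics',   category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { id: 'retargeting', category: 'marketing', src: 'https://example.invalid/pixel.js' },
];

// Parse "a=1; b=2" (document.cookie or a Cookie request header) into a Map.
function parseCookieString(cookieString) {
  const out = new Map();
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const rawValue = part.slice(idx + 1).trim();
    if (!name) continue;
    let value;
    try { value = decodeURIComponent(rawValue); } catch { value = rawValue; }
    out.set(name, value);
  }
  return out;
}

// The consent record is JSON such as {"analytics":true,"marketing":false}.
// No cookie, or an unparseable one, means no consent for anything non-essential:
// there are no pre-ticked boxes and silence is not a positive action.
function readConsent(cookieString) {
  const raw = parseCookieString(cookieString).get(CONSENT_COOKIE);
  if (!raw) return {};
  try {
    const parsed = JSON.parse(raw);
    return parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : {};
  } catch {
    return {};
  }
}

// Which registered tags may load. Only a literal true counts as consent, so
// values like "yes" or 1 written by a buggy banner do not unlock a category.
function permittedTags(consent, registry = TAG_REGISTRY) {
  return registry
    .filter(t => t.category === 'essential' || consent[t.category] === true)
    .map(t => t.id);
}

// Set-Cookie strings the server sends to expire first-party non-essential
// cookies when consent is withdrawn. Third-party cookies (another domain)
// cannot be expired from here; they are blocked by never loading the tag.
function expiryHeaders(cookieNames, domain) {
  return cookieNames.map(name =>
    `${name}=; Max-Age=0; Path=/; Domain=${domain}; Secure; SameSite=Lax`);
}

// Browser bootstrap; skipped under Node so the functions above stay testable.
if (typeof document !== 'undefined') {
  const allowed = new Set(permittedTags(readConsent(document.cookie)));
  for (const tag of TAG_REGISTRY) {
    if (!allowed.has(tag.id)) continue;
    const s = document.createElement('script');
    s.src = tag.src;
    s.async = true;
    document.head.appendChild(s);
  }
}
```

The important design choice is the default: with no consent cookie at all, `permittedTags` returns only the essential entries, so a landing page visited for the first time never loads analytics or retargeting. Expiring cookies on withdrawal only works for cookies on your own domain; anything set by a third party is prevented by not loading its tag in the first place.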
A cookie wall is a popup placed on a website to inform users about its cookie use, with no option to reject. The GDPR standard of consent applies to cookie walls as well, but the extent to which a cookie wall can legitimately be used has yet to be determined; the ICO is due to work on this in the coming months.
Your cookie page
Your site needs a page containing the following information:
- A list of the cookies you use, with each cookie's name and purpose
- Clear labelling of which cookies are strictly necessary, and in what context
- An explanation of how users can change their cookie settings, since consent is not freely given if it cannot be withdrawn
Your cookie page, social media and retargeting
You need to update your cookie page and your social media account pages to explain that, when visitors follow a link from your website to those platforms, the platforms may set cookies on their devices.
Social media and retargeting platforms
Social media and retargeting platforms set their own cookies once visitors have left your website for your account on their platform, and use them to give you usage and engagement statistics. Even though you don't control those platforms' cookies, you do control whether you have an account there and which statistics you see.
This means you and the platform jointly decide the purpose and the processing of the data, which makes you a joint data controller with the platform for this activity. You may only see anonymised or aggregated statistics, but the platform produces them from personal data.
As not everyone who follows a link from your website to your social media accounts will be logged in to that platform, you need to ensure they are given appropriate information before they visit:
- Update your privacy notice with references to social media accounts
- Explain how visitors can control non-essential cookies once they are on the platform
- Provide information about the processing of any personal data
- Include this information on the platform with a link back to your privacy notice
NDP PECR Audit
First, we run a cookie scan on your website to identify all the cookies that can be set by every page and element of the site. We review the results of the scan and sort the cookies identified into three categories:
- Essential (which is defined as essential to the proper functioning of the website from the user's perspective). For instance, cookies necessary to track the items that a user has added to their shopping cart on the site.
- First party: cookies directly set by the website (for instance, Hotjar or Google Analytics cookies).
- Third party: cookies set by other services, via embedded elements on your site (for instance, cookies set by Google when a user views a YouTube video embedded on your site, or by Facebook/Twitter if a user clicks a social sharing button on one of your site's pages).
Finally, we review each cookie, how it is set and how it can be blocked if it is non-essential and a user chooses to reject cookies. At the end of this process we deliver the conclusions of our Cookie Audit, including our recommendations on how to manage the cookies on your site.
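To show what the categorisation step of such an audit looks like in practice, the script below is an added example and not NDP's own tooling. It takes the output of a crawl run with no consent given (a constructed list of cookie names, the domain each cookie was set for, and the page that set it), labels each cookie essential, first-party or third-party, and flags every non-essential cookie as a finding because it was set before consent. A cookie can be both essential and first-party, so the essential label is assigned first; this ordering, the essential-cookie allowlist, the `example.co.uk` site and the short public-suffix list are all assumptions for illustration.

```javascript
// Added example (not NDP's audit tooling): categorise cookies from a
// no-consent crawl and flag the ones that should not have been set yet.
// The site host, the allowlist and the suffix list are assumptions.

// Minimal subset of the Public Suffix List so that "example.co.uk" is
// treated as one registrable domain; a real audit should use the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'org.uk', 'ac.uk']);

// "www.example.co.uk" or ".example.co.uk" -> "example.co.uk"
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, '').split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join('.'))) return labels.slice(i).join('.');
  }
  return labels.slice(-2).join('.');
}

// Cookies the audit has confirmed are strictly necessary (session, basket,
// and the consent record itself). Everything else is non-essential.
const ESSENTIAL_COOKIES = new Set(['PHPSESSID', 'cart_id', 'cookie_consent']);

const SITE_HOST = 'www.example.co.uk';

// Constructed scan output: one entry per cookie observed while crawling the
// site without giving consent.
const SCAN = [
  { name: 'PHPSESSID', domain: 'www.example.co.uk', page: 'https://www.example.co.uk/' },
  { name: 'cart_id',   domain: '.example.co.uk',    page: 'https://www.example.co.uk/shop' },
  { name: '_ga',       domain: '.example.co.uk',    page: 'https://www.example.co.uk/' },
  { name: 'IDE',       domain: '.doubleclick.net',  page: 'https://www.example.co.uk/' },
  { name: 'YSC',       domain: '.youtube.com',      page: 'https://www.example.co.uk/about' },
];

// Essential first, then first-party vs third-party by registrable domain.
// Note that analytics cookies on your own domain (e.g. _ga) are first-party
// but still non-essential.
function categorise(cookie, siteHost) {
  if (ESSENTIAL_COOKIES.has(cookie.name)) return 'essential';
  return registrableDomain(cookie.domain) === registrableDomain(siteHost)
    ? 'first-party'
    : 'third-party';
}

// One audit row per cookie. Anything non-essential seen during a no-consent
// crawl is a finding: it must be blocked until the user opts in.
function audit(scan, siteHost) {
  return scan.map(c => {
    const category = categorise(c, siteHost);
    return {
      name: c.name,
      domain: c.domain,
      page: c.page,
      category,
      finding: category === 'essential' ? null : 'set before consent',
    };
  });
}

// Counts per category for the audit summary.
function summary(scan, siteHost) {
  const counts = { essential: 0, 'first-party': 0, 'third-party': 0 };
  for (const row of audit(scan, siteHost)) counts[row.category] += 1;
  return counts;
}

// Stand-alone run: print the audit table and the summary.
for (const row of audit(SCAN, SITE_HOST)) {
  console.log(`${row.name.padEnd(12)} ${row.category.padEnd(12)} ${row.domain.padEnd(20)} ${row.finding || 'ok'}`);
}
console.log(summary(SCAN, SITE_HOST));
```

The domain comparison is what separates a Google Analytics cookie on your own host from a DoubleClick cookie set through an embedded element, which is the distinction the first-party and third-party categories above rely on. A naive "last two labels" comparison would wrongly treat every `.co.uk` site as the same domain, which is why even this toy version carries a suffix list.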