Yes, as a UK-based business you will almost certainly need a cookie policy.

Here’s the official position:

The UK’s General Data Protection Regulation (UK-GDPR) applies to all websites with users from the UK and European Union, so if your website uses cookies for online tracking, personalisation, and improved performance, you will want to know you are meeting GDPR and the ePrivacy Directive (ePR) requirements. It’s also useful to be open about the data your website collects and shares with third parties for compliance with the California Consumer Privacy Act (CCPA).

That’s quite a lot to take in.

What are cookies?

Cookies help to create more personal and convenient website experiences and are also valuable for targeted advertising. They are small text files stored in a user’s browser that collect data when they visit a site. Only the website server that created a cookie can read and use the information.

While cookies can’t be used to access someone’s identity or personal information, they can retain login details for a particular site and what has been placed in a shopping cart, for example. When you use these files, you can give the impression that your site ‘remembers’ someone when they return, which improves their online experience.

However, when cookies are used to track online behaviour for advertising, people find it intrusive. This is why cookies are recognised as ‘online identifiers’ and consent is needed before they are used.

Types of cookies

Session cookies are temporary and are deleted when users leave your site. Persistent cookies, as you would guess, stay in someone’s browser memory for the duration set by the cookie.

There are also different types of data-gathering cookies. Visitor preference cookies store information about whether a user has agreed to your cookie policy. If they have agreed, these cookies prevent future pop-up messages appearing. Operational cookies help to make web pages work properly, so they can’t be deactivated. Analytic cookies are used anonymously for research and to improve user experiences, and users can reject them.

First-party and third-party cookies

First-party cookies are the ones you can use for analytics on your website, to remember a user’s log-in and language settings, and to improve user experiences.

Third-party cookies are created by other domains beyond the website or domain that someone is visiting. These can be used by any website that uses the third-party server’s code and they are usually used for tracking and online advertising. This is why people often see advertisements for things they have recently searched for online. The tracking data stays on a user’s computer even after they have closed their browser and ended their session.

Cookies are changing

Google plans to stop using third-party tracking cookies on its Chrome browser this year. They will be replaced with a group profiling system which the company says will create a ‘privacy-first’ web.

While browsers like Firefox and Safari no longer use third-party cookies, Google is the first to produce an alternative for advertisers. Instead of tracking and targeting individuals, Google’s approach adds users to groups of people with similar interests which it says will be an effective tool for advertisers. However, the technology uses artificial intelligence (AI) to create these cohorts of users, and AI is known to confirm bias we find in the wider community.

Effectively, this is a shift from individual tracking to wider profiling. It raises questions about the ongoing use of cookies but is also leading to new concerns about how information on online behaviour is used. There’s no doubt there will always be something new to learn on this front.

It’s not about the information but how it’s used

Cookies don’t hold personal information and they aren’t necessarily bad. However, people are understandably concerned about their use for advertising and marketing. Many feel they weren’t properly informed about how cookies were used in the beginning, which means they aren’t widely trusted today.

To meet data protection requirements, your cookie policy should include a pop-up message or banner that appears the first time a visitor browses your website. It should tell users what cookies are active on the site, their purpose, and what happens to the data, including the names of third parties that receive cookie data.

In the UK, as part of the Privacy and Electronic Communications Regulations, your visitors must give their consent for you to collect and store this data. As a result, your cookie policy must do more than simply inform users that cookies exist. Your visitors must also have the option to adjust cookie settings or reject optional cookies altogether.

You should also publish a privacy policy on your website to explain how and why data is collected and used. Your cookie policy must be included, although it can also be published as a separate statement.

If your website doesn’t comply with UK-GDPR, you risk a fine or further legal action from the Information Commissioner’s Office (ICO).

How to meet your cookie policy obligations

We have partnered with the Cookiebot team to make sure our clients’ websites effectively manage cookie consent, monitoring and control. When visitors first arrive at your website, they will see a clear and easy-to-use pop-up banner where they can accept or reject your cookies. You can tailor your messages to suit your needs.

Our team will always be happy to give you advice about your design, branding and digital requirements, so please get in touch.