Influx Digital

Cookie Consent & Giving Visitors Control

So just what are the latest requirements for your website cookie banner and how can you ensure that your site is fully compliant? Here’s an essential guide.

Both website owners and visitors alike will no doubt be familiar with the pop-up notice that appears on most websites informing you about the use of cookies. However, since the new GDPR legislation came into force in May, you will have seen that most websites have updated their notices – many of them very prominently.

There is, however, a great deal of variation from site to site in how these notices are presented and how much control they actually give.

What exactly are cookies?

Before delving deeper into the rules and regulations surrounding cookie banners, let’s make sure that we have a clear understanding of what exactly cookies are.

Cookies are essentially a kind of short-term memory for the web. They are stored as tiny, harmless files in your browser and enable a site to ‘remember’ little bits of information between pages or visits. They are widely used to support website functionality – for example when you log in as a user. In this example, the use of cookies is essential to allow the website to function properly (strictly necessary cookies).

Cookies are also used to make the web experience more personal and to allow operators to monitor usage and performance (performance and functional cookies), which is generally seen as a positive thing.

Finally, some cookies collect data across many websites, creating behavioural profiles of people. As a common example, these profiles can then be used to decide what content or adverts to show you (targeting cookies). Whilst there is generally nothing malicious in this, it has been widely agreed for a long time that users have a right to be fully informed.

Before GDPR – The original Cookie Consent law

The idea of the Cookie Banner is not new. It was first made mandatory under an EU Directive that was adopted by all EU countries in May 2011. The Directive gave individuals rights to refuse the use of cookies that reduce their online privacy. Each country then updated its own laws to comply. In the UK this meant an update to the Privacy and Electronic Communications Regulations (PECR).

The requirements under PECR were to ensure that visitors could find out what cookies were in use, to tell them how those cookies would be used, to obtain their consent and to give them some control.

In reality, whilst most websites did their best to comply at a minimum level, there is little record of any action being taken to enforce the requirement and it was very much approached as a check-box exercise.

GDPR and Cookies

When it comes to the new General Data Protection Regulation commonly known as GDPR, it is interesting to note that cookies are only actually mentioned once in the 88 pages that form the legislation. However, the exact wording is of crucial importance:

Recital (30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In the context of the legislation, this has to be interpreted as follows: when cookies can identify an individual, they are considered personal data and must be handled according to the wider legislation and the definitions contained within it.

Applying this definition, the problem with cookies is twofold. Firstly, cookies can provide a great deal of insight into your activity and preferences, and this data can be used to identify you without your explicit consent, effectively compromising your privacy as a user. Secondly, many cookies originate from third party websites, leading to the question of who has access to this data, where it goes and what it is used for.

If your website or organisation processes data that is (a) directly personal, or (b) can be combined or singled out to identify an individual, then it must be revised to meet the requirements – and that includes how cookies are handled. It is worth noting that this is not limited to names, email addresses, etc. either – IP addresses are equally considered to be personal data.

The new cookie notice – Requirements and best practice

In order to fully satisfy the requirements of GDPR, there are several key questions that need to be answered:

Is the visitor fully informed?

Most of the old-style cookie banners simply stated ‘Cookies are used on this website’ with an ‘OK’ button and vanished on scrolling. Some included a link for further information.

Under the new regulations, the cookie notice must inform the visitor, meaning that it is necessary to provide more detail as to what cookies are collected and why, in a way that allows the user to understand what they would be giving their consent for.

In the example at Influx.com, the banner shown below appears on the first load of the page. It gives the visitor a clear choice – accept and continue browsing or view cookie settings to exercise their right to control the use of personal data.

If the visitor wishes to get further information or manually update their settings, choosing the Cookie Settings option will then provide access to the Privacy Preference Centre, which gives all the information the visitor requires to make an informed decision, as well as a link to a comprehensive resource for further information.

Does the visitor have a true choice?

Firstly, only presenting an ‘OK’ button does not constitute a true choice of actions for the visitor and is not good practice. Not only does it fail to respect choice, it also implies that consent will be given – something that should be avoided. Secondly, it should still be possible to use the website if non-necessary cookies have been rejected.

To use our cookie notice as an example once again, if the visitor decides they are not happy to proceed and instead chooses to visit the Privacy Preferences Centre, they are offered a genuine choice over which non-essential cookies are agreed to, including performance cookies, functional cookies and targeting cookies, all of which can be turned off as desired by the visitor.

Is consent given prior to the processing of personal data?

It may seem like an obvious consideration, but it is not always as clear-cut as it might first appear. To be truly compliant, the website shouldn’t allow any cookie-related scripts (analytics, advertising tags and similar third-party code) to run until consent has been given for the category they belong to.

Is the consent withdrawable?

According to GDPR, consumers have a right to withdraw consent at any time, and this extends to cookies. It must, therefore, be made clear how a visitor can change their mind and withdraw consent even if they have initially agreed.
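The three points above – consent per category, no cookie-setting scripts before consent, and consent that can be withdrawn – can be enforced in the page itself rather than left to the banner's wording. The following is an added example, not Influx's own code or any particular consent product: a small consent manager that holds non-essential scripts back until their category is opted in, records every category explicitly, and on withdrawal expires the cookies the cookie policy lists for the refused categories. The storage key `cookie_consent`, the `loadScript`/`expireCookie` hooks and the cookie and script names are assumptions for illustration; in a browser they would be backed by `localStorage`, a `<script>` element insertion and a `document.cookie` expiry respectively.

```javascript
// Added example (not Influx's code): consent-gated loading of cookie-related scripts.
// Categories follow the article: strictly necessary cookies are always allowed;
// performance, functional and targeting cookies require an explicit opt-in.
const OPTIONAL_CATEGORIES = ["performance", "functional", "targeting"];
const ALL_CATEGORIES = ["strictly_necessary", ...OPTIONAL_CATEGORIES];
const STORAGE_KEY = "cookie_consent"; // assumed key name

class ConsentManager {
  // `storage` is anything with getItem/setItem (window.localStorage in a browser).
  // `loadScript(src)` and `expireCookie(name)` are injected so the logic can run
  // and be tested outside a browser.
  constructor({ storage, loadScript, expireCookie }) {
    this.storage = storage;
    this.loadScript = loadScript;
    this.expireCookie = expireCookie;
    this.pending = [];            // scripts waiting for consent: {category, src}
    this.loaded = new Set();      // scripts already loaded (cannot be unloaded)
    this.cookieRegistry = [];     // {name, category}, mirroring the cookie policy table
  }

  // Declare a cookie and its category, as listed in the site's cookie policy.
  declareCookie(name, category) {
    if (!ALL_CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    this.cookieRegistry.push({ name, category });
  }

  // Register a script; it is only loaded once its category has consent.
  registerScript(category, src) {
    if (!ALL_CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    this.pending.push({ category, src });
    return this.applyConsent();
  }

  // Read the stored record; no record means "no consent given yet".
  getConsent() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  hasConsent(category) {
    if (category === "strictly_necessary") return true; // never needs opt-in
    const record = this.getConsent();
    return Boolean(record && record.categories && record.categories[category] === true);
  }

  // Save the visitor's choices from the preference centre. Every optional
  // category is recorded explicitly, so an unticked box is stored as false.
  saveConsent(choices, timestamp = Date.now()) {
    const categories = {};
    for (const cat of OPTIONAL_CATEGORIES) categories[cat] = choices[cat] === true;
    this.storage.setItem(STORAGE_KEY, JSON.stringify({ version: 1, timestamp, categories }));
    this.applyConsent();
    return this.revokeUnconsented();
  }

  // Withdrawal simply records every optional category as refused.
  withdrawConsent(timestamp = Date.now()) {
    return this.saveConsent({}, timestamp);
  }

  // Load each pending script whose category now has consent, at most once.
  applyConsent() {
    const loadedNow = [];
    this.pending = this.pending.filter(({ category, src }) => {
      if (!this.hasConsent(category)) return true; // keep waiting
      if (!this.loaded.has(src)) {
        this.loaded.add(src);
        this.loadScript(src);
        loadedNow.push(src);
      }
      return false;
    });
    return loadedNow;
  }

  // A script that already ran cannot be unloaded, so on refusal the cookies
  // registered for unconsented categories are expired instead.
  revokeUnconsented() {
    const expired = [];
    for (const { name, category } of this.cookieRegistry) {
      if (!this.hasConsent(category)) { this.expireCookie(name); expired.push(name); }
    }
    return expired;
  }
}

// Minimal in-memory stand-in for localStorage, used when running outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

The important design points are that the absence of a record is treated as no consent (the banner's mere appearance grants nothing), that the manager loads a script only once however many times consent is toggled, and that withdrawal has a concrete effect on the cookies already set rather than only on future page loads.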

On the Influx website, both the Privacy Policy and Cookie Policy are always available in the footer area, allowing the visitor at any time to review their settings and providing full and detailed information about all cookies in use on the site.

As you can see in the screenshot below, our Cookie Policy is not simply a generic template – it provides a comprehensive list of the cookies used on this specific website, including their category, purpose and name. Whilst many websites previously used templates for this purpose, this is no longer an appropriate practice under GDPR.

Here at Influx, we are committed to helping both new and existing customers to be confident that their website is fully compliant with GDPR. To find out more about how our experts can help you, click here to contact us online or call us today on Manchester 0161 468 2612 or Shrewsbury 01743 626162.