When you use Google Analytics on your website to understand your customer demographics, or when you put a Facebook share button on your content, you place cookies on your website visitors’ devices.
If your website is accessible to UK users, it is likely that you will have to comply with both UK GDPR (General Data Protection Regulation) and UK PECR.
What Are Cookies?
Imagine that your prospects visit your website and fill out the online form to sign up for your service. If the online form includes multiple web pages, your website needs to be able to remember all answers prospects previously provided. This is necessary for them to submit the sign-up form successfully.
Therefore, your website needs functionality that helps your visitors navigate the website easily.
This is where cookies come into the picture: cookies are small text files that are placed on the end user’s device. When a user visits a website again, the cookies help the website remember the user and the choices they made. They also enable website features to function properly.
However, the use cases of cookies are not limited to website functionality. Cookies can also be placed on user devices for other purposes such as data analytics, advertising and tracking.
For example, the cookies set by Google Analytics are commonly used to analyse website traffic and user behaviour on websites.
Among these categories of cookies, tracking cookies are highly popular. In fact, a recent study found that over 90% of all websites scanned contained at least one tracking cookie.
One common example of tracking cookies is Facebook Pixel. When you use Facebook Pixel on your website, you can collect information about the actions your visitors take on your website. Furthermore, you can measure the effectiveness of your ad campaigns and even retarget your website visitors.
Let’s take a deeper dive into different categories of cookies and provide specific examples.
What Types Of Cookies Are There, And What Do They Do?
Cookies can be categorised based on various criteria. In this section, we will focus on two main ways used to categorise cookies.
(i) Strictly necessary cookies
These cookies make it possible for visitors to access and use the features of a website, and enable the website to operate properly.
The UK Data Protection Authority (ICO) gives the following examples of strictly necessary cookies:
“Cookies that are essential to comply with the UK GDPR’s security principle for an activity the user has requested – for example in connection with online banking services”
“Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)”
There are also other cookies that fall under this category such as:
Cookies that enable visitors to navigate across a website
Cookies that make it possible for users to log in to a website.
(ii) Analytics cookies
This category covers cookies that are used to collect data about how visitors access and use a website. For instance, analytics cookies collect information about how long visitors stay on specific web pages, from which sources they come to the website, and what types of actions they take on the website, such as clicking on specific content.
(iii) Targeting cookies
Targeting cookies are used to collect information about certain website visitor groups and then create profiles to serve these visitors with targeted ads. For example, these cookies may collect information about a visitor’s location, device, screen dimensions and source URL to put them in a specific category. Based on this profile, specific visitors are served with targeted ads.
Targeting cookies can be placed either by the website itself or by third parties.
Cookies provided by social networking sites such as Facebook, Twitter, Instagram or Pinterest also fall under this category. These cookies enable social media platforms to provide personalised content and targeted ads to their users.
Following are examples of targeting cookies provided by social media platforms:
(i) Persistent cookies
These cookies remain on your website visitors’ devices even after they leave your website. Persistent cookies enable your website to remember visitors’ choices and their actions between different website visits.
For example, the Google Analytics cookie that distinguishes different visitors to a website, and each of their sessions, is stored persistently.
(ii) Session cookies
Session cookies are stored temporarily on the user’s device during the visitor’s session and expire when the visitor leaves your website.
When you place cookies on your website visitors’ devices, you need to provide them with clear information about which cookies are used, what these cookies do and how long they stay on the user’s device.
Bear in mind that you will be automatically subject to this transparency requirement so long as you have active cookies on your website. Even when you do not collect the personal data of your visitors or you anonymise their personal data, cookie rules will still apply to you.
The ICO requires that you inform users about the following:
How to obtain consent for UK Cookie law compliance?
The UK ICO requires that your consent mechanism provide users with total control over all cookies present on your website, including third-party cookies.
One of the most prevalent consent mechanisms in practice is the cookie consent banner. This banner allows your website visitors to consent to the use of non-necessary cookies such as analytics and targeting cookies.
The ICO can fine directors (rare but possible) of an organisation or the organisation (more common) itself up to £500,000 for failure to comply with cookie transparency requirements.
In the past, different data protection authorities slapped both small and big businesses with fines for failure to comply with cookie rules.
For example, the French Data Protection Authority fined Google in the amount of 150 million euros because Google did not make the “rejection of cookies” as easy as accepting them.
In Spain, the Data Protection Authority imposed an 18,000 Euros fine on Vueling because website users were unable to reject cookies.
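As an added example (not part of the original article and not Privasee’s product code), the JavaScript below implements the consent mechanism described above: the visitor’s choice is recorded in a first-party cookie (which is itself strictly necessary, so it needs no consent), no analytics or targeting script loads until the visitor opts in, and rejecting everything is a single click just like accepting everything, the point behind the Google fine. The cookie name, the two category names and the tag URLs are assumed placeholders.

```javascript
// Added example, not Privasee's or the ICO's code. Cookie name and tag URLs are placeholders.
const CONSENT_COOKIE = "cookie_consent";   // assumed first-party cookie recording the choice
const ONE_YEAR = 365 * 24 * 60 * 60;       // Max-Age in seconds for the persistent variant

// Non-necessary categories from the article, each mapped to the third-party script that sets them.
const NON_NECESSARY_TAGS = {
  analytics: "https://example.invalid/analytics.js",
  targeting: "https://example.invalid/pixel.js",
};

// Records the choice. With Max-Age it is a persistent cookie; without it, a session cookie.
function buildConsentCookie(choice, persistent = true) {
  const value = encodeURIComponent(JSON.stringify(choice));
  const attrs = [`${CONSENT_COOKIE}=${value}`, "Path=/", "SameSite=Lax", "Secure"];
  if (persistent) attrs.push(`Max-Age=${ONE_YEAR}`);
  return attrs.join("; ");
}

// Reads the stored choice back out of document.cookie (or a Cookie header); null if absent.
function readConsent(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try { return JSON.parse(decodeURIComponent(rest.join("="))); } catch { return null; }
  }
  return null;
}

// Scripts allowed to load. No stored choice means none: the default is "rejected".
function tagsToLoad(choice) {
  if (!choice) return [];
  return Object.keys(NON_NECESSARY_TAGS)
    .filter((cat) => choice[cat] === true)
    .map((cat) => NON_NECESSARY_TAGS[cat]);
}

// Both buttons are one click and produce a complete choice: rejecting is as easy as accepting.
const acceptAll = () => ({ analytics: true, targeting: true });
const rejectAll = () => ({ analytics: false, targeting: false });

// Browser-only glue: persist the choice and inject the allowed scripts (under Node it only returns them).
function applyConsent(choice) {
  const srcs = tagsToLoad(choice);
  if (typeof document === "undefined") return srcs;
  document.cookie = buildConsentCookie(choice);
  for (const src of srcs) document.head.appendChild(Object.assign(document.createElement("script"), { src, async: true }));
  return srcs;
}
```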
In addition to the legal fines you face, there is another cost of non-compliance that is hard to quantify: the loss of your customers’ trust.
Building this trust can be key to increasing your customer retention rates and creating a better public image.
You need to have a clear idea about what cookies are active on your website. This is where Privasee can help.
- Mapping your active cookies: The Privasee portal takes your personal data map and creates policies/cookie banners from this information.
To comply with the GDPR-PECR cookie requirements without expending excess resources, try Privasee Platform here.
Wrap Up & Key Takeaways
Alex Franch is the co-founder and CEO of Privasee. With a background in computer science and cybersecurity, it is no surprise that he is a highly analytical problem solver, now putting these skills to use within the data privacy space. Alex is passionate about GDPR and productivity, and spends a lot of time doing sports as he values the importance of having a work-life balance. He is excited to help businesses generate documentation, and become and remain GDPR compliant through the Privasee platform.