← Back

Share this

Some clients have been asking us about the Cookie Law, what it is and how it affects their business. There hasn’t been too much talk about this and information first published by the ICO was confusing and offered little guidance on how website owners should comply.

What is a ‘Cookie’?

So, first things first, what is a Cookie? Well, where websites are concerned, a Cookie is a small file consisting of letters and numbers that are written by a website and stored on the device of a user accessing it. There are many different types of Cookies; some are deleted as soon as the user leaves the website, yet some remain on the device for set periods of time, whilst others remain until they are deleted manually by the user. The purpose of these small files is to monitor user behaviour, commonly used for analytics to improve website performance, or for delivering targeted advertising. Others are essential to the operation of a website; for example, an ecommerce website uses Cookies to remember what a user has placed in their shopping basket as they move from page to page on the site.

What is the ‘Cookie Law’?

The ‘Cookie Law’ is a new privacy legislation that requires websites to get consent from a user prior to any files being written to or retrieved from their device. In this case, a user's device being used to browse the internet such as a PC, laptop, tablet or mobile phone. This new legislation was passed in the EU to make users aware of how information is collected about them by websites. The UK has now updated its Privacy and Electronic Communications Regulations to bring this EU directive into law.

Good and Bad Cookies

First, you would need to identify the Cookies your website uses and whether these are first party or third party Cookies. First party Cookies are those used by your own website and pose the least risk in terms of privacy. These are very often essential to the operation of a website. The other type is a third party Cookie, which are the main reasons the new legislation was introduced. Examples of bad third party Cookies are those that track user behaviour once they leave a site, monitoring the websites they visit and gathering data which is then used to deliver targeted advertising based on this data. The second thing to consider is how long a Cookie remains on a user's device once it’s been written. Some contain the instruction to delete themselves when a user leaves the website, whereas others will remain on a device for weeks, months or even years in some cases. With all this in mind, it’s a good idea to break down Cookies into categories which helps to clarify the risk they pose;

Category 1 – Strictly Necessary Cookies
These Cookies are first-party and are Zero Compliance Risk. These are Cookies that are essential to enable users to move around the website and use its features. Another Cookie of this type would be a ‘Session Cookie’, used for the operation of shopping baskets on ecommerce websites. Without these Cookies, key website features could not be provided.

Category 2 – Low Compliance Risk Cookies
These are again first-party Cookies and used to improve/aid the website's operation and perhaps for collecting website analytics data. So, essentially these are Performance Cookies, which are low risk as they remain on a user's device once they leave a website, but cannot personally identify a user. In the case of analytics, this would be for gathering anonymous data for statics of the website usage and what pages are visited.

Category 3 – Medium Compliance Risk
These are usually first-party Cookies that remain on a user's device once they leave the site. These are used to identify the user returning to the site and used to deliver personalised content based on their behaviour at their last visit or perhaps choices they have made on the site. Examples of this may be selection of their preferred language or delivering weather reports based on their location. These Cookies are not used to track user behaviour on other websites.

Category 4 – High Risk Compliance
These are usually third-party Cookies and are those which remain on a user's device once written. These are used to track and record visitors' interests, gathering data used to deliver adverts that are relevant to the users browsing. These Cookies are usually applied by third-party applications that have code embedded on a website. An example of this is Google Ads, Google Maps and YouTube Videos. When users watch videos, other ‘related’ videos are delivered based on the subject of the one that has been watched.

How to Comply

It is the website owners responsibility to ensure that their website complies with UK law and it is recommended that a website Cookie audit is carried out to identify what’s required to make a website compliant. Your web design services provider would usually carry out this as a service and can make recommendations on what should be implemented. Once your audit is complete, there are two methods of compliance;

Explicit Opt-in/Opt-out

This would be applied if there is heavy use of third-party Cookies on a site with lots of advertising and social media connectors. In this case, users would need to be provided with the option of opting in or opting out of receiving Cookies. This would be a notice that is made prominent to users and providing them with access to your Cookie Statement. Users are able to opt out and prevent Cookies from being written to their device. This will prevent the collection of analytical data too, even though users are still accessing your website.

Implied Consent

If a site uses Cookies that are used to improve functionality, for example, Facebook like buttons and performance monitoring such as Google Analytics, then a site may be compliant providing a clear notice is available for users to access. This would provide information on the Cookies used, why they are there and what data they collect. The statement would advise users that they must only use the website if they agree to have the identified Cookies placed on their device.

It’s vital that websites take steps to comply with this law and there has been a degree of flexibility built in to accommodate the level of risk each Cookie type may pose to a user's privacy. If you would like to ensure your website is compliant, contact your web design company and ask for advice on the steps you would need to take.


Categories: Articles, Business, E-Commerce, Web Design

subscribe newsletter

Never miss a post

Get free digital marketing intelligence and advice from our experts, directly to your inbox.
Have an upcoming project?