Taming the Cookie Monster
May 5, 2021
How many websites have you visited where you are immediately faced with this pop-up message –
The exact wording varies from site to site, of course. Some of them provide a big green button marked “Accept” for us to use. We click it and it makes us feel, somehow, that we are still in control. But the truth is that we have just been offered a very stark choice. The message is – either accept our cookies on your device or get off our website!
But two thoughts arise (at least in this data privacy nerd’s mind!) –
The first is that the idea of being able to give or refuse our consent to people doing things to our devices (and generally respecting our privacy) is probably quite important; and secondly, that the sort of message I’ve quoted above doesn’t offer us much of a choice at all really, does it (even if the message is more politely worded than my interpretation might suggest)? Why should I be refused access to the website just because I don’t want ‘cookies’ put on my ‘phone or laptop? I want to be free to choose.
Some might say they aren’t too bothered about cookies. They might take the fairly languid view that, since ‘cookies’ are just bits of code, an essential part of web technology, we should all just put up with them and move on.
But it turns out that not all cookies are the same! Whilst it is true that many types of cookie are indeed essential to the architecture of a website, and without them not all the website’s features would work properly, many other ‘cookies’ are far from essential to the basic functioning of the site.
So, what are these “non-essential cookies” exactly?
The answer is that they come in all shapes and sizes, from “session cookies” to “persistent cookies”; “first party cookies” to “third party cookies”; “beacons” to “tracking pixels” embedded in emails.
They are widely used to increase the impact of digital marketing and the collection of data about our shopping and other ‘preferences’. They tell retailers and others what type of device we use when we shop with them online and they tell them what kinds of product or services we are likely to buy. The website owner will sometimes mention that they share this information with ‘third parties’ or ‘partners’ (which makes it all sound fairly friendly), but more often than not they will neglect to tell us who these ‘partners’ are and exactly what they might do with the information they collect. Suddenly the ‘cookie’ seems less like a harmless, technical necessity and more like an unwelcome interloper, put there to harvest our information and create a detailed personal profile. More a monster than a friend.
What we website visitors and internet shoppers need to know is that many of these cookies utilise (‘exploit’ if you prefer) our ‘personal data’. As a result, the Data Protection Act 2018 and UK GDPR apply to their use.
In addition, even purely functional cookies used by website owners are regulated by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended). These regulations are there to protect us from unscrupulous, unwelcome, unsolicited electronic surveillance of our devices and habits.
For website visitors and online shoppers here’s the rub: No one is allowed to put non-essential cookies on our devices without our explicit consent.
For website owners and internet retailers – putting a non-essential cookie on a visitor’s device is unlawful unless you can show that you obtained their specific consent at their first point of contact with your site. That consent must also be a “freely given…informed and unambiguous indication of the [individual]’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of [their] personal data…”. This is the legal test.
A pop up message that simply says “if you want to use our website you have to accept our cookies” (or words to that effect) will not meet that legal test and the website owner will not be able to show they have obtained the necessary consent. They can face hefty fines from the Information Commissioner’s Office (ICO).
It’s a good time to check what cookies your website might be using. A thorough audit will help you remove cookies you don’t really need (whether they are your cookies or a third party trading partner’s cookies) and it will help you give your customers the information they are entitled to in your privacy notice and the mechanism by which they can signify their consent. A pre-ticked box will never be sufficient.
Tim Heywood FRSA is a Partner in Gunnercooke llp specialising in data privacy, information and cyber law.
The contents of this blog are for guidance and illustrative purposes only. They are not legal advice and must not be relied on as such. Specific legal advice should be obtained on your particular circumstances.