
Some clients have been asking us about the Cookie Law, what it is and how it affects their business. There hasn’t been too much talk about this, and information first published by the ICO was confusing and offered little guidance on how website owners should comply.

What is a ‘Cookie’

So, first things first, what is a Cookie? Where websites are concerned, a Cookie is a small file consisting of letters and numbers that is written by a website and stored on the device of a user accessing it. There are many different types of cookies: some are deleted as soon as the user leaves the website, some remain on the device for a set period of time, and others remain until they are deleted manually by the user. The purpose of these small files is to monitor user behaviour, commonly for analytics to improve website performance or for delivering targeted advertising. Others are essential to the operation of a website; for example, an e-commerce website uses cookies to remember what a user has placed in their shopping basket as they move from page to page on the site.

What is the ‘Cookie Law’

The ‘Cookie Law’ is new privacy legislation that requires websites to get consent from a user prior to any files being written to or retrieved from their device. In this case, the device is whatever the user browses the internet with, such as a PC, Laptop, Tablet or Mobile Phone. This new legislation was passed in the EU to make users aware of how information is collected about them by websites. The UK has now updated its Privacy and Electronic Communications Regulations to bring this EU directive into law.

Good and Bad Cookies

First, you would need to identify the cookies your website uses, and whether these are first party or third party cookies. First party cookies are those used by your own website and pose the least risk in terms of privacy. These are very often essential to the operation of a website, such as remembering the contents of a shopping basket on e-commerce sites. The other type is the third party cookie, which is the main reason the new legislation was introduced. Examples of bad third party cookies are those that track user behaviour once they leave a site, monitoring the websites they visit and gathering data which is then used to deliver targeted advertising. The second thing to consider is how long a Cookie remains on a user’s device once it’s been written. Some contain the instruction to delete themselves when a user leaves the website, whereas others will remain on a device for weeks, months or even years in some cases. With all this in mind, it’s a good idea to break down Cookies into categories, which helps to clarify the risk they pose:

Category 1 – Strictly Necessary Cookies
These Cookies are first-party and are Zero Compliance Risk. These are Cookies that are essential to enable users to move around the website and use its features. Another Cookie of this type would be a ‘Session Cookie’, used for the operation of shopping baskets on e-commerce websites. Without these Cookies, key website features could not be provided.

Category 2 – Low Compliance Risk Cookies
These are again first-party Cookies, used to improve or aid the website’s operation and perhaps for collecting website analytics data. So, essentially these are Performance Cookies, which are low risk as they remain on a user’s device once they leave a website, but cannot personally identify a user. In the case of analytics, this would be for gathering anonymous data for statistics on website usage and which pages are visited.

Category 3 – Medium Compliance Risk
These are usually first-party Cookies that remain on a user’s device once they leave the site. These are used to identify the user returning to the site and to deliver personalised content based on their behaviour at their last visit or perhaps choices they have made on the site. Examples of this may be selection of their preferred language or delivering weather reports based on their location. These Cookies are not used to track user behaviour on other websites.

Category 4 – High Risk Compliance
These are usually third-party Cookies and are those which remain on a user’s device once written. These are used to track and record visitors’ interests, gathering data used to deliver adverts that are relevant to the user’s browsing. These Cookies are usually applied by third-party applications that have code embedded on a website. Examples of this are Google Ads, Google Maps and YouTube Videos. When users watch videos, other ‘related’ videos are delivered based on the subject of the one that has been watched.
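
The two technical questions above (who sets a Cookie, and how long it stays on the device) can be answered from the Set-Cookie headers a page load produces. The following is an added example, not part of the original article; the hosts, cookie names and the auditCookies helper are constructed for illustration. Whether a Cookie is strictly necessary, performance or tracking still depends on its purpose, which has to be confirmed by hand.

```javascript
// Added example. The response records below are constructed sample data.
const DAY = 86400; // seconds
const SAMPLE = [
  { host: 'shop.example.co.uk', setCookie: ['basket=abc123; Path=/; HttpOnly'] },
  { host: 'www.example.co.uk', setCookie: ['lang=en-GB; Max-Age=31536000; Path=/'] },
  { host: 'ads.tracker.example',
    setCookie: ['uid=9f2c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker.example'] },
];

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Seconds the cookie stays on the device; null means it ends with the browser session.
// Max-Age takes precedence over Expires when both are present.
function lifetimeSeconds(cookie, now) {
  if (cookie.attrs['max-age'] !== undefined) return parseInt(cookie.attrs['max-age'], 10);
  if (cookie.attrs.expires) return Math.round((Date.parse(cookie.attrs.expires) - now) / 1000);
  return null;
}

// First party: set by the audited site's own domain or one of its subdomains.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith('.' + siteDomain);
}

function auditCookies(responses, siteDomain, now = Date.now()) {
  return responses.flatMap(({ host, setCookie }) => setCookie.map((h) => {
    const c = parseSetCookie(h);
    const life = lifetimeSeconds(c, now);
    const party = isFirstParty(host, siteDomain) ? 'first' : 'third';
    const lifetime = life === null ? 'session' : life > 0 ? 'persistent' : 'expired';
    // Third-party cookies that persist match the pattern the article rates highest risk.
    return { name: c.name, host, party, lifetime,
      days: lifetime === 'persistent' ? Math.ceil(life / DAY) : 0,
      reviewFirst: party === 'third' && lifetime === 'persistent' };
  }));
}

console.table(auditCookies(SAMPLE, 'example.co.uk'));
```
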

How to Comply

It is the website owner’s responsibility to ensure that their website complies with UK law, and it is recommended that a Website Cookie Audit is carried out to identify what’s required to make a website compliant. Your Web Design Services provider would usually carry this out as a service, and can make recommendations on what should be implemented. Once your audit is complete, there are two methods of compliance:

Explicit Opt-in / Opt-out

This would be applied if there is heavy use of third-party Cookies on a site, with lots of advertising and social media connectors. In this case, users would need to be provided with the option of opting in to or opting out of receiving cookies. This would be a notice that is made prominent to users and provides them with access to your Cookie Statement. Users are able to opt out and prevent Cookies from being written to their device. This will prevent the collection of analytic data too, even though users are still accessing your website.

Implied Consent

If a site uses Cookies to improve functionality, for example Facebook Like Buttons, and for performance monitoring such as Google Analytics, then the site may be compliant provided a clear notice is available for users to access. This would provide information on the Cookies used, why they are there and what data they collect. The statement would advise users that they must only use the website if they agree to have the identified Cookies placed on their device.

It’s vital that websites take steps to comply with this law, and a degree of flexibility has been built in to accommodate the level of risk each Cookie type may pose to a user’s privacy. If you would like to ensure your website is compliant, contact your Web Design Company and ask for advice on the steps you would need to take.
