Transparency, consent and accountability: three key ingredients for cookie compliance

Transparency

Communicating which cookies are used (and how) to users in a clear, comprehensive way is the first hurdle that website operators need to overcome if they are to avoid a penalty from the ICO. To achieve this, website operators first need to understand this information for themselves. This is not always straightforward when web development services are frequently outsourced to external agencies. The first step in achieving compliance is therefore to undertake a ‘cookie audit’ with relevant technical personnel / suppliers and produce a report of:

• which cookies are used;
• what the cookies do; and
• how they are used by the website.

This information can then form the basis of a cookie policy, a link to which should be provided on the first page of the website.

Consent – more than clicking “I agree”

Once you know which cookies you are using and how, you need to make sure that you get users’ consent for any non-essential cookies before placing them on their device. The distinction between ‘essential’ and ‘non-essential’ cookies is not always obvious, but third party advertising cookies are a common example of a non-essential cookie, meaning that consent will always be needed. And, as with GDPR, the consent must be unambiguous, specific and freely given. This will not be achieved by, for example, using pre-ticked boxes or making use of the website conditional on consent.

To complicate things further, website operators must allow users to provide their consent with such granularity as to be able to choose which of the non-essential cookies that they are comfortable with being placed on their device. Again, meeting this requirement hinges on website operators being able to supply clear and comprehensible information in relation to the cookies that are in use, as well as having the technical capability to enable users to select which cookies they accept.

Accountability –  don’t assume that you have outsourced the responsibility

Many businesses rely on external web development agencies to design their website, but in reality, each may have very different assumptions in relation to who is responsible for obtaining user consent to placement of cookies or ensuring that the website content and functionality complies with the requirements of data protection legislation. Most website development agreements will include data protection provisions, but if these do not reflect the parties’ understanding of the position then this could result in unanticipated costs if a penalty is levied by the ICO.

In a similar way, companies operating in the ad-tech space often have little control over whether valid consent has been obtained by the website operator for cookies that the ad-tech company places on user devices. Again, robust contractual provisions are needed in order to manage these risks.

In a nutshell

Avoiding penalties requires a comprehensive understanding of which cookies are used and how, and for this to be communicated effectively to users so that their valid consent can then be obtained. Where website operators get others to provide services for them, care needs to be taken to ensure that the contracts in place reflect the parties’ understanding of how information will be provided and consent obtained in practice.

Ward Hadaway’s Commercial team works with companies of all sizes and can help you to devise cookie policies and related data protection documentation to help your business. For further information, please get in touch.