Transparency, consent and accountability: three key ingredients for cookie compliance
27th February, 2020
We've all by now grown accustomed to seeing cookie banners popping up on our favourite websites. But how many businesses actually know whether they are acting in accordance with data protection law when drafting cookie policies and banners, and entering into contracts with website developers and advertisers?
Communicating to users, in a clear and comprehensive way, which cookies are used (and how) is the first hurdle that website operators need to overcome if they are to avoid a penalty from the ICO. To achieve this, website operators first need to understand this information for themselves. This is not always straightforward when web development services are frequently outsourced to external agencies. The first step in achieving compliance is therefore to undertake a ‘cookie audit’ with relevant technical personnel / suppliers and produce a report of:
- which cookies are used;
- what the cookies do; and
- how they are used by the website.
Consent – more than clicking “I agree”
Once you know which cookies you are using and how, you need to make sure that you get users’ consent for any non-essential cookies before placing them on their device. The distinction between ‘essential’ and ‘non-essential’ cookies is not always obvious, but third party advertising cookies are a common example of a non-essential cookie, meaning that consent will always be needed. And, as with GDPR, the consent must be unambiguous, specific and freely given. This will not be achieved by, for example, using pre-ticked boxes or making use of the website conditional on consent.
To complicate things further, website operators must allow users to provide their consent with enough granularity to choose which of the non-essential cookies they are comfortable having placed on their device. Again, meeting this requirement hinges on website operators being able to supply clear and comprehensible information in relation to the cookies that are in use, as well as having the technical capability to enable users to select which cookies they accept.
Accountability – don’t assume that you have outsourced the responsibility
Many businesses rely on external web development agencies to design their website, but in reality the business and the agency may have very different assumptions about who is responsible for obtaining user consent to the placement of cookies or for ensuring that the website content and functionality comply with the requirements of data protection legislation. Most website development agreements will include data protection provisions, but if these do not reflect the parties’ understanding of the position then this could result in unanticipated costs if a penalty is levied by the ICO.
In a similar way, companies operating in the ad-tech space often have little control over whether valid consent has been obtained by the website operator for cookies that the ad-tech company places on user devices. Again, robust contractual provisions are needed in order to manage these risks.
In a nutshell
Avoiding penalties requires a comprehensive understanding of which cookies are used and how, and for this to be communicated effectively to users so that their valid consent can then be obtained. Where website operators get others to provide services for them, care needs to be taken to ensure that the contracts in place reflect the parties’ understanding of how information will be provided and consent obtained in practice.
Ward Hadaway’s Commercial team works with companies of all sizes and can help you to devise cookie policies and related data protection documentation to help your business. For further information, please get in touch.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.