GDPR and cookies on your website

What the new guidance around cookies means for you

This time last year, we were all recovering from the flurry of information around GDPR and the scramble to make sure that our mailing lists and  Privacy Policies were in order. 

At the time, the guidance around cookies was fairly vague, and so we could heave a sigh of relief that probably not much was going to be enforced in that area until we had further guidance.

We knew it was coming…

A year on, and that further guidance from ICO (Information Commissioner’s Office) has been released. You can read their full article around cookies and their new guidance here. 

In the UK, cookies are primarily regulated by the Privacy and Electronic Communication Regulations (PECR), and not by GDPR. However, the two are closely related.  Mainly because, in the eyes of privacy laws, the use of cookies is seen as processing personal data. And that’s when GDPR then kicks in.

DISCLAIMER: I am NOT a data protection lawyer, so please do not construe anything in this article as legal advice. I am outlining what my understanding is of our new obligations, and how I have implemented it on my website. To ensure that your website is compliant, please engage a lawyer.

It’s imperative that you have a GDPR compliant Privacy and Cookie Policy live on your website, before implementing an effective cookie consent measure.

Last year, I bought Suzanne Dibble‘s GDPR pack to ensure that I had access to legal templates and checklists, and I have been following her advice around cookies too.  

There are many many clauses and nuances to the new guidance that I could list here, but it’s somewhat overwhelming, so I’m outlining the main takeaways which I think will be most relevant to us. This is by no means exhaustive, and you should read the full guidance here. 

Implied Consent

In the same way as we realised with our mailing lists, implied consent is no longer acceptable. Visitors to our website have to actively agree to  the use of cookies. 

As website owners, what this means is that we need to have a mechanism whereby users on our site can agree or reject the use of cookies, BEFORE the cookies are fired on the site.  

What this means is that:

1. visitors need to take a clear positive action. Telling them that “continuing to browse the website implies consent”,  is not valid;
2. granularity – our visitors need to have the ability to consent to cookies used for some purposes, but not others; and
3. no pre-ticked checkboxes or sliders set to ‘on’ or ‘enabled’ – the default option for non-essential cookies must be ‘off’.

Transparency on how you are GDPR compliant

GDPR is all about transparency of informaiton.

So the information which we supply about the cookies must be transparent too. (i.e. “concise, transparent, intelligible and easily accessible form, using clear and plain language“). 

I tried out a lot of cookie plugins, and many fail this standard.

Be specific about which data you track and how it doesn’t breach GDPR laws

If you’re using third party cookies from the likes of Facebook and Google (commonly used for advertising (re)targeting and tracking purposes), they must be specifically named.

Common cookies you’re likely to encounter (amongst many others) include: 

• Google Analytics or other analytics services
• Google Adwords, Facebook or other advertising networks
• Pop-ups
• Heatmaps
• Push notifications
• Video players
• Appointment schedulers
• Shopping carts
• Live chat
• Cloudflare and CDN services 

What does it mean for your website? 

I have tried out a lot of tools and plugins to see how they shape up against the new guidance. 

One of the biggest issues that I faced is that we need to audit the cookies on our website in order to comply with the transparency that is required. And that’s not always straightforward. 

So I wanted to find something that could scan the site for cookies that are in use, and list them out. 

There are a few plugins I found which do this, and all of them are premium plugins. If you come across one which is free, I’d love to hear about it. 

The one which I went for is the GDPR Cookie Consent plugin by WP Eka. And used in conjunction with Cookiepedia, it’s a great combination.

GDPR Cookie Consent

This plugin is the closest that I have found to complying with all of the new guidance and is the easiest to implement.
$39

Cookiepedia

A great tool to use in conjunction with your GDPR Cookie Consent plugin to effectively  identify cookies and their usage.
Free

 The GDPR Cookie Consent plugin scans your site for you, applies information around all of the cookies that it can identify on your site, and can be up and running on your site within minutes. If you want to customise it, you may want to carve out 20-30 minutes to do so. 

It’s the one that I have in use on this website, and I have created a video and a checklist which outlines exactly how I customised it and the steps that I took  which I believe make it even more GDPR compliant. 

There are some areas which I believe could be improved upon, such as having the ability to have the boxes unchecked by default, because strictly speaking, they shouldn’t be. I have been in touch with the developers to see if that’s a feature that they can roll out. I’ll keep you posted. 

In the meantime, you can view the step-by-step video which I created to show how to customise the cookie consent plugin. View the video and get the checklist

Summary

Honestly, I don’t think it should have been as hard as I have found it to get somewhere close to a straightforward solution. I’m hoping that my digging around will make this a reasonably easy process for you.

These are the steps that I have taken on my website, and hopefully you’ll find it a breeze to implement on yours.

Will your website be compliant if you follow through with all of this advice. 

No. There are so many strands to GDPR, that this one element on your website won’t make you fully compliant. But it will move you a step closer. You should really have a data protection lawyer carry out a full audit of your site if you need to be sure of compliance. 

Heads up! This post contains affiliate links. It means that if you buy something through one of those links, you won’t pay a penny more, but I may receive a small commission in return for referring you to the site. It enables me to provide more quality content for other people starting out, and it helps keep the wolves from the door.

You can read my full affiliate disclaimer here.