Call us on: 0333 2400 308

July 18, 2019

HR Issues – Updates to Website Cookie Policies

It is now over a year since the implementation of EU GDPR, and the most recent area to come under the spotlight of the Information Commissioner’s Office (ICO) is that of internet cookies. On 3rd July, after realising its own website did not comply with cookie legislation, the ICO published its updated expectations surrounding consent and information with regard to cookies.

What are cookies?

‘Cookies’ refers to a technology which stores information between visits to the same website or, occasionally, visits across websites. Cookies are used both to improve ease of experience for users, and to provide analytical information to website operators. For example, cookies can remember log-in details for ease of use, or search preferences across websites.

In any case, some cookies are ‘strictly necessary’ in order for the website to work in a functional and secure manner. Other cookies, for example those used to analyse website traffic for advertising, even though ‘necessary’ in the eyes of website operators, are not ‘strictly necessary’ by law.

What are the key points?

Consent

The main point to understand is that users must have control over their choices for consent. This is relevant for a number of points.

Firstly, organisations should no longer use statements such as “by continuing to use this website you are agreeing to the use of cookies”, because this represents ‘implied consent’ on behalf of the user. For example, if the user ignores the pop-up and clicks onto the website, this cannot translate into cookies being accepted by default. Likewise, pre-ticked boxes or sliders defaulted to ‘yes’ for cookies which are not ‘strictly necessary’ are also inappropriate: the user must actively select ‘yes’ to consent to non-essential cookies.

Secondly, exaggerating ‘yes’ or ‘accept’ over ‘no’ or ‘decline’ options has been deemed inappropriate, because this ‘nudge behaviour’ is designed to influence users towards accepting non-essential cookies. Regardless of whether these cookies are helpful to website operators, or non-intrusive, the consent sought must not have been influenced in any way.

Thirdly, using ‘cookie walls’ to restrict access to the website until the user gives consent is generally unacceptable. When a user is forced to accept non-essential cookies (e.g. for third party analysis) in order to access the site, this does not represent genuine consent. Having said this, use of cookie walls depends on the specific case: these may be deemed appropriate for sites using only strictly necessary cookies. However, using pop-ups or banners could be considered the safest option here.

Information

The other key aspect of the updated ICO expectations is that consent must be informed.

Firstly, consent must be ‘granular’, whereby each individual type of non-essential cookie is distinctly agreed to. This avoids ‘bundled consent’ and provides the user with the knowledge of precisely what they are agreeing to.

Secondly, and related to this, information regarding the purpose and duration of each type of cookie should be accessible to the user when they first visit the site. This might be accessible through a link to the cookie policy in the initial pop-up or banner. This basic information allows the user to make a more informed choice on whether they accept particular cookies. As mentioned above, providing a link to a ‘more information’ page is perfectly acceptable, but organisations should try to ‘front load’ key information to ensure that nothing is assumed.

In summary, according to GDPR legislation, consent should be:

  • freely given (i.e. no ‘nudge behaviour’ or cookie walls which force consent)
  • unambiguous (i.e. no ‘implied consent’ if the user ignores the pop-up or banner)
  • specific (i.e. a ‘granular’ approach detailing each individual type of non-essential cookie)
  • informed (i.e. provided with the purpose and duration of each type of cookie)

What should organisations do about this?

We would recommend that organisations review their website cookie policy, and consider whether the manner in which consent is gained from users is appropriate to the data required.

As always, Navigator can provide support and assistance in this area, enabling organisations to progress towards further GDPR compliance.

If you have any queries on the above article, please contact Scott McCrory-Irving.


For those interested in how to make their organisation more GDPR compliant, check out Navigator’s ‘One Year On’ GDPR public workshop in August. This practical session provides a refresher of GDPR legislation, as well as discussing the updates to cookies and other topics in more detail. Attendees are encouraged to send in queries beforehand to allow us to tailor the session to their specific organisations.

Find the flyer for both dates below, or email enquiries@navigatorlaw.co.uk for further information.

Thursday 15th August (Glasgow): ‘One Year On’ – GDPR Refresher and Update Workshop
This session focuses specifically on Independent Schools.

Wednesday 28th August (Edinburgh): ‘One Year On’ – GDPR Refresher and Update Workshop
This session is appropriate for all organisations.

Not Sure Where To Start?

Find Out More

Are you taking on your first member of staff, wondering if you’re compliant with GDPR, or unsure if your HR processes are rigorous enough? Get in touch with Navigator today and see how we can help your organisation.

Call Us Now on: 0333 2400 308

Newsletter Subscription

Sign Up to the Navigator Newsletter

Stay informed with the latest changes in employment law, health & safety, HR and data protection including noteworthy cases, upcoming events and other useful articles.

We only use your details to send you our monthly newsletter along with event invitations and other useful articles. You can unsubscribe any time.

Contact Us

Get in Touch

0333 2400 308

enquiries@navigatorlaw.co.uk

Floor 3
1-4 Atholl Crescent
Edinburgh
EH3 8HA
