We’re often asked whether we provide a cookie policy template. This article explains why, once the requirements of the law are understood, you might not need one after all.
GDPR has raised our awareness of the need to publish information relating to privacy
As a result of the news surrounding the Europe wide introduction of stricter privacy law known as the General Data Protection Regulation (or the GDPR), which in the UK was incorporated into the Data Protection Act 2018 (or the DPA), it is generally well known that every organisation that deals in any way with personal information needs a privacy policy.
Such a policy is likely to be one of several legal notices on a website – partly because a website is accessible to all and partly because it is website users who would like to think that they browse in anonymity whose personal information is collected, used and stored.
Because of increased knowledge about the requirement to publish a privacy policy, website owners have also become aware of other supposed requirements of the law – to publish website terms and conditions and to publish a cookie policy. Except that the law does not always require these documents (and, strictly speaking, it does not require a document called a privacy notice either, only the disclosure of certain information).
There was so much hype just before the DPA came into force about every website needing to meet the requirements of the GDPR that the actual law (and the obligations it imposes) was overlooked.
How publishing a cookie policy became "necessary"
Before GDPR and DPA, cookies were seen as the technology that infringed privacy on the Internet.
In many ways, they still are, since many people equate them to a mysterious tracking technology that requires deep knowledge of browser settings to disable – usually at the cost of no longer being able to use a website’s functionality.
Cookies are simply small pieces of text (a name, a value and attributes such as expiry date and domain) that a website asks your browser to store on your computer or Internet browsing device, and that the browser sends back to that website on later requests. They allow data that is generated or collected on one page to be used at a later time.
Cookies were an important technological milestone in the development of the Internet because through use of them, websites changed from being mostly collections of static information pages to being interactive applications that responded to the visitor’s requirements.
One common use of cookies is to record events that happen on one page (such as the visitor clicking on a particular area of the page) for later analysis by the website owner. In other words, to track visitor behaviour. Analysis of this behaviour gives website owners useful information about how to improve a webpage.
But there was a backlash against their use by visitors on the grounds of an infringement of privacy, particularly where the content of the websites the visitor browsed was of the sort that the visitor would not want anyone to know he or she had sought out.
Before cookies, visitors were not so aware that what they looked at was recorded (although it always has been, through webserver logs). The Internet seemed to be a private domain where visitors’ actions were anonymous.
When it became obvious that cookies were the primary technology that removed anonymity (particularly across websites, through so-called third party cookies), visitors became more interested in whether they were being used, and if so, exactly how.
Cookie policies were created to reassure technologically and privacy minded visitors, not because of the introduction of any law, but because some visitors wanted to know.
The law relating to cookies
To most people’s surprise, neither the PECR nor the DPA mentions cookies by name. That is because cookies are no more or less special than any of the other many technologies that now perform similar functions. Rather than make a law that applies to one technology, the law applies more broadly to any technology with a similar function.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the PECR) set out the requirements for the user’s consent to their use.
The DPA (incorporating the GDPR) gives the requirements for disclosure.
The legal requirements for the visitor to accept use of cookies
Most of the PECR relates to electronic marketing, giving the public the right not to receive nuisance telephone calls, texts and emails.
A very small section, Regulation 6, relates to confidentiality of communications – that is, to technology that places or retrieves information on someone else’s device.
[…] a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the [following] requirements […] are met:
The requirements are that the subscriber or user of that terminal equipment:
has given his or her consent.
But this is not a requirement:
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
And it is not necessary to ask more than once:
Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements […] are met in respect of the initial use.
The first thing you should note is the exception. There is no legal requirement to disclose use of, or to gain consent to use, any cookie that is “strictly necessary” for the provision of the service the visitor has asked for – in practice, for the operation of the website.
So, if you only use cookies that are strictly necessary, there is no legal obligation on you to do anything.
The issue for the website owner is that some of the words or phrases in the law are subject to interpretation and “strictly necessary” is one of those. What is strictly necessary is not entirely clear, and in theory, could change over time. The test is what the visitor has requested, not what is convenient for the website owner: cookies that hold a login session, a shopping basket or an anti-forgery token are generally accepted as strictly necessary, whereas analytics and advertising cookies are not, because the visitor did not ask for them.
If the cookie is not strictly necessary then the visitor must give consent to it.
In 2003, when the PECR was drafted, “consent” could be given implicitly (by continuing to browse a website) or explicitly (for example, by clicking on a button stating “I agree”). Since the DPA 2018 came into force, consent has the same meaning as under the DPA and the GDPR, which requires a clear affirmative action. In other words, the visitor must click on a part of the screen (such as a button or a check box) to give consent; pre-ticked boxes and continuing to browse do not count, and no cookie that needs consent may be set until that click has happened.
Note that the obligation is not to give the visitor the opportunity to refuse each one individually, or in groups such as those related to marketing. It is equally valid to give the opportunity to accept cookies individually, in groups or all together (the ICO’s guidance recommends offering a choice by purpose, but, as discussed below, guidance is not the law).
The legal requirements for disclosure of use of cookies
The requirement to disclose use of cookies is covered by the PECR as well, and possibly by the DPA.
The PECR states that the website visitor must be:
[…] provided with clear and comprehensive information about the purposes of the storage of, or access to, that information
Again, this applies only to cookies that are not strictly necessary.
There is an issue in deciphering what “clear and comprehensive” means. Certainly, fine technical detail would be comprehensive. But we would argue that, to the average visitor, technical detail about whether a cookie is persistent or not (in the meaning of persistence as it relates to cookies) is not clear. Nor does information about persistence relate to the purpose of the cookie. Instead, we would argue that to satisfy the legal requirement, a website owner simply needs to state in broad terms that cookies are used and give a good non-technical explanation of why they are used.
As examples:
We use cookies on this website to record which pages you view and how you interact with them in order to improve them for other website visitors.
We use cookies on this website to record your interest in our products so that on subsequent visits to this website we can show you similar products that we think you would be interested in.
The DPA possibly also influences what information you must disclose to visitors.
It is important to note that the DPA only applies to personal information, that is, information that could be identified as relating to a particular individual. So, the DPA does not relate to cookies that process anonymous information, such as a cookie recording whether an anonymous visitor consents to use of cookies that are used for marketing. Be careful with the word “anonymous”, though: a cookie holding a persistent unique identifier can be personal information even though it contains no name, because it singles out a device and its user, and the GDPR (Recital 30) expressly lists cookie identifiers among online identifiers.
The disclosure requirements of the DPA are that you tell the visitor what personal information is being “processed” (collected, stored or otherwise acted on), for example, information relating to the visitor’s political views, and on which legal basis you do so (there are six possible bases, but in practice, three are most likely to be used for a website: consent, contract and legitimate interests).
The DPA does not oblige you specifically to do anything in relation to cookies, nor to separate information stored in or retrieved from cookies from any other type of information processed.
In other words, there is no legal requirement to have a cookie policy, whether on a separate webpage or included within your privacy policy.
To repeat, the requirement of the DPA (and the GDPR) is disclose what information is processed and the basis on which it is.
There is no requirement to disclose that cookies are used, and no requirement to disclose what information is stored in cookies specifically.
For example, the following statement would satisfy the disclosure requirement of the DPA (political views are special category data, so in practice an additional condition for processing them would also need to be identified):
We process information relating to your political views on the basis of Contract, that is that our processing is necessary to fulfil your request that we enter into a contract with you.
For the DPA, it doesn’t matter whether that information is collected and stored in a cookie or whether some other technology performs the same function.
How to comply with the law
Your obligation is to comply with the law, specifically the Data Protection Act and the Privacy and Electronic Communications Regulations.
You have no legal obligation to comply with the recommendations of other government bodies (such as the Information Commissioner’s Office or ICO) or of any other governing bodies such as professional associations.
Nor is there a legal obligation imposed by Google, Microsoft or any other search engine. Having a cookie notice on your website is not a must to be included in their search results.
There may be good reasons to comply with the requirements of other organisations, but there is no legal requirement.
We take the view that compliance in respect of cookies is best managed by:
Providing a mechanism to consent to use of cookies that are not strictly necessary
Providing the visitor on a first visit to the website with a statement that the website uses cookies, with a link to the privacy policy of the website, and with one or more buttons that allow the visitor to consent explicitly to use of cookies that are not strictly necessary. Those cookies, and the third party scripts that set them, should not be loaded until the button has been clicked; a consent banner that appears after the tracking scripts have already run does not achieve consent.
Obviously, the detail that you should give depends on how your website uses cookies. A simple information website that uses analytics software only should have a much simpler implementation than a social media website that uses cookies extensively.
The ICO’s own website uses a mechanism for consenting to cookies that could give inspiration for your own. Because the ICO attempts to achieve “best practice”, what it does and what it advises often goes beyond legal requirements, but it should certainly be considered.
Disclosing in your privacy policy what personal information is used and on what basis
Within your privacy notice you should explain what information your organisation processes.
As part of this, you might explain that part of the processing occurs through use of cookies. For example, you might state that you use cookies to collect information about the identity of the visitor on an account creation page for use later, including to save the visitor time re-entering the same information at checkout.
We also recommend that your website privacy notice includes a statement that you use cookies and an explanation of what they are. Our templates take this approach.
You might also link to the privacy policies (or cookie notices) of third party applications that you use.
One potential issue with explaining how any third party cookie works is that the third party might change what the cookie does at any time and not inform you. The information on your website would be wrong, but because it is in such granular detail, might be convincing to a visitor. We would argue that it is worse to provide detailed inaccurate information than to provide less detailed but factually correct information.
By linking to the third party’s cookie policy, you ensure that a visitor who is really interested in the expiration conditions of a cookie can find that information.
You might also link to the webpages of browser software that explain how a browser user can disable cookies entirely. Or you might recommend and link to software organisations that provide privacy plug-ins that automatically disable cookies that they recognise are not necessary for the performance of the website.
In reality, most people are not going to read your privacy policy, let alone browse from it to explore a third party’s website. All they want to know is whether they are being tracked in some way, and whether they can limit that or prevent it entirely.
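The consent mechanism recommended under “How to comply with the law” can be implemented in a few dozen lines of browser JavaScript. The following is an added example written for this article, not code from the original page or from any vendor: the visitor is shown explicit buttons on a first visit, the choice is recorded in a first-party cookie (which is itself strictly necessary, since it is how the site honours the choice), and the scripts that would set analytics or marketing cookies are only injected once consent for their category exists. Absence of the consent cookie is treated as “not asked yet”, never as consent, so continuing to browse grants nothing. The cookie name, the two categories and the script URLs are assumptions chosen for illustration.

```javascript
// Added example (not from the article): explicit-consent gate for cookies that
// are not strictly necessary. Names, categories and URLs are assumptions.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'marketing'];

// Non-essential third party scripts, keyed by the category whose consent they
// need (constructed example URLs). Nothing here loads before consent exists.
const DEFERRED_SCRIPTS = {
  analytics: ['https://analytics.example/tag.js'],
  marketing: ['https://ads.example/pixel.js'],
};

// Parse a "k=v; k2=v2" string (document.cookie or a Cookie header).
function parseCookies(str) {
  const out = {};
  for (const part of (str || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(i + 1).trim());
    } catch (e) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return out;
}

// {analytics: bool, marketing: bool} for a recorded choice, or null when the
// visitor has not been asked yet (or the value is corrupt). null never means
// consent: a visitor who merely keeps browsing has granted nothing.
function readConsent(cookieStr) {
  const raw = parseCookies(cookieStr)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return null; }
  if (parsed === null || typeof parsed !== 'object') return null;
  const granted = {};
  for (const c of CATEGORIES) granted[c] = parsed[c] === true;
  return granted;
}

// Set-Cookie value recording an explicit choice. First-party, SameSite=Lax,
// Secure (so it is only sent over HTTPS; on a plain http: page the browser
// would silently drop it), kept 182 days so the visitor is not asked again
// on every visit (PECR only requires consent for the initial use).
function consentCookieValue(choice) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choice[c] === true;
  const maxAge = 60 * 60 * 24 * 182;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(granted))}` +
    `; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// The deferred scripts that may be loaded given the recorded consent.
function allowedScripts(consent) {
  if (!consent) return [];
  const urls = [];
  for (const c of CATEGORIES) if (consent[c]) urls.push(...DEFERRED_SCRIPTS[c]);
  return urls;
}

// Browser wiring: show the notice on a first visit, otherwise honour the
// recorded choice. Runs only in a browser (skipped under Node).
function boot(doc) {
  const consent = readConsent(doc.cookie);
  if (consent === null) {
    const banner = doc.createElement('div');
    banner.textContent = 'This website uses cookies; see our privacy policy. ';
    const choices = [
      ['Accept all', { analytics: true, marketing: true }],
      ['Analytics only', { analytics: true, marketing: false }],
      ['Reject non-essential', { analytics: false, marketing: false }],
    ];
    for (const [label, choice] of choices) {
      const btn = doc.createElement('button');
      btn.textContent = label;
      btn.addEventListener('click', () => {
        doc.cookie = consentCookieValue(choice); // record the explicit click
        doc.location.reload();                   // scripts load only from here
      });
      banner.appendChild(btn);
    }
    doc.body.appendChild(banner);
    return; // no non-essential script is injected on this page view
  }
  for (const url of allowedScripts(consent)) {
    const s = doc.createElement('script');
    s.src = url;
    doc.head.appendChild(s);
  }
}

if (typeof document !== 'undefined') boot(document);
```

The design point is the ordering: the third party tags live in DEFERRED_SCRIPTS rather than in the page’s HTML, so a visitor who has not clicked anything sends no request to the analytics or advertising host at all. Changing the recorded choice later is a matter of showing the same banner again from a link in the privacy policy.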
Your cookie notice
There is nothing to stop you publishing a page on your website that sets out a cookie policy.
Hopefully you now understand your legal obligations in respect of cookies.
A separate cookie notice is not a legal requirement. Whether you want to publish one is a separate consideration to the law.
Our approach would be not to publish a separate one, but instead to comply with the law through your privacy notice and by providing a mechanism for explicit, opt-in consent to cookies that are not strictly necessary.