
Cookie Compliance: What you need to know

Monday 18 October 2021

Increasing numbers of people are becoming aware of cookie law and contacting website operators to claim compensation. Are your websites complying with the law?

We all know how frustrating cookie walls and pop-ups can be whilst browsing the internet – but do you know that many user-friendly sites are in fact breaching data protection rules?

Cookies and similar technologies are small files downloaded to your device that allow a website to remember you – your login details, your language preferences and other ways of personalising your experience. Certain cookies are essential in order for the website to function: for example, when online shopping the website remembers which items are added to your basket. Many other cookies perform non-essential functions such as tracking and analysing how users land on a page, noting which goods they are interested in purchasing and serving advertising based on other data already known about a user. Unless a cookie is essential, the Privacy and Electronic Communications Regulations require website operators to explain what each cookie does and also obtain opt-in consent to set each cookie.

Whilst information about relevant cookies can be contained within a policy that is simply highlighted to website users, obtaining opt-in consent (ideally before any cookies are triggered) is more troublesome. Time, effort and money go into designing user-friendly interfaces, and interrupting the user journey to ask for various consents is at best cumbersome and in some cases deters people from using the site altogether. Prior to GDPR coming into force, implied consent was acceptable – so by continuing to browse a site a user was deemed to have consented to the cookies listed in the policy. The GDPR standard for consent is much higher and requires an opt-in rather than an opt-out action, as well as permitting people to choose exactly which consents they are granting. On that basis, setting non-essential cookies without gaining opt-in consent to each of those cookies upfront is a breach of the law.

We are seeing a marked increase in complaints relating to cookie use. Individuals who understand the law are seeking to gain compensation for loss of control over their data, and website operators are also receiving claims from organisations keen to bring class actions. If you are operating a website:

  • Ensure you understand which cookies your website is using and make sure you gain consent if cookies are not strictly necessary. 
  • Explain any cookie use in an appropriate policy.
  • Use appropriate cookie banners and pop-ups.
  • Allow users to manage their cookie preferences when they first access your website and on an ongoing basis.
  • Check that any provider managing your website is following your instructions and not setting cookies unlawfully.

The UK government is considering changes to the data protection regime now that we are no longer bound to follow EU rules. Moving away from GDPR would bring various concerns, but there is a proposal to relax the rules on cookies, which would prove popular with most website operators. Until then, the current rules remain in force and those who do not comply may find themselves open to numerous challenges regarding compliance. Should you have concerns about your current website practices, please contact our Data Protection team.

 
