As most website owners know, you are legally required to ensure that you have a correct cookie consent process on your website. However we have worked with several clients recently who have installed a cookie consent plugin (or other cookie management process) on their website and assumed that it was working correctly, only to discover that all their cookies were still being downloaded before visitors to the site had consented.
We’ve looked at quite a few websites now and this is fairly common. It looks as though the process is working correctly because a cookie consent bar pops up and the visitor has to give consent to clear it but in fact behind the scenes the cookies are downloaded as soon as the visitor arrives on the site, so the site is not compliant with the law. In this blog post I’ll outline what the law requires and show you how you can check whether or not your site is compliant.
What is the law regarding cookies on websites?
The law requires that you do three things.
- Tell people the cookies are there
- Explain what the cookies are doing and why
- Get the person’s consent to store a cookie on their device (before you store it!)
What counts as consent? The Information Commissioner says
To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. … You cannot set non-essential cookies on your website’s homepage before the user has consented to them.
This means that you need to let people know about the cookies that you’re using at the point at which they arrive on your website and give them the option to opt in or opt out at that point. You cannot assume that someone is consenting simply by continuing to use the website. They need to have explicitly consented, for example by clicking a button.
Does this apply to all cookies?
There are some exemptions to the consent requirement. Broadly speaking, cookies that are essential for the running of your website are exempt – you do not need to obtain consent before downloading them. This is a very limited category and would include cookies that are used to differentiate users that are logged in from those who are not, or to enable people to add things to a shopping basket and for the website to remember what’s in the basket, or for a few other technical purposes. There’s more information about exemptions on the ICO website. However it is still good practice to let people know about these essential cookies when they arrive on your site for the first time.
Most cookies are not exempt. For example, if you’re using Google Analytics, or have a Facebook Pixel running on the site then you most definitely need to ensure that you get people’s consent before these cookies are set. Any cookie that is there to track your users’ behaviour in any way will require consent to be given before it is set. Basically, any cookie that is not essential to the running of the site can only be legally set once consent is given.
The problem with cookie consent banners
Most website owners these days are aware of this requirement and by far the majority of websites that we visit have a cookie consent banner that displays when one visits the site for the first time. However, as mentioned at the start of this post, just having a cookie consent banner alone isn’t enough. You need to check that it’s working correctly. In particular, you need to check that no non-essential cookies are being set before the visitor has given consent.
This can happen because a lot of cookie consent banners are added as an afterthought or implemented without understanding how they work in the background. Often they give the website owner a sense that they’re following privacy legislation while actually doing nothing more than asking, and then ignoring, the wishes of the visitor.
For example, you might have a site that includes Google Analytics and a Facebook pixel. Privacy guidelines mean that you should ask visitors before you use them, and so you might install a cookie consent plugin. There are many out there and so you might find one that fits with how your site is implemented and add it.
However, many of these plugins need to be configured so that the tracking code is not executed until your visitors have indicated that it’s OK to do so. If the plugins are installed and then not tested, or if they are misconfigured, you might find that you’re asking people for consent after all your tracking cookies have already been created. The first you might hear about it is when someone complains – possibly a privacy activist threatening legal action, as happened to one company we work with recently.
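To make the misconfiguration concrete, here is an added example (not code from the original post or from any particular plugin) showing the two patterns side by side: a page that runs its tracking snippet unconditionally and merely decorates it with a banner, and a page that only injects the tracking scripts from the consent handler and honours a stored decision on later page views. The script URLs and the `cookie_consent` storage key are placeholders, and the fake document and storage objects exist only so the example runs under Node; in a browser you would pass the real `document` and `localStorage`.

```javascript
// Added example (not from the original post or any plugin): the misconfigured
// pattern beside the gated one, using a tiny fake document so it runs under Node.

// Hypothetical script URLs standing in for the GA and Facebook Pixel snippets.
const TRACKING_SCRIPTS = ['https://example.invalid/ga.js', 'https://example.invalid/fbevents.js'];
const CONSENT_KEY = 'cookie_consent'; // assumed storage key, not any real plugin's

// Minimal stand-in for the DOM: enough to record which <script> tags were added.
function makeFakeDocument() {
  return {
    head: { children: [], appendChild(el) { this.children.push(el); } },
    createElement(tag) { return { tag, src: '' }; },
  };
}

// In-memory stand-in for localStorage.
function makeStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}

function injectTracking(doc) {
  for (const src of TRACKING_SCRIPTS) {
    const s = doc.createElement('script');
    s.src = src;
    doc.head.appendChild(s); // the trackers set their cookies as soon as this runs
  }
}

function trackingScriptsLoaded(doc) {
  return doc.head.children.filter(el => el.tag === 'script').map(el => el.src);
}

// Misconfigured: the snippet is in the page head unconditionally, so the banner
// shown afterwards asks a question whose answer is already being ignored.
function misconfiguredPageLoad(doc, storage) {
  injectTracking(doc);
  return { bannerShown: storage.getItem(CONSENT_KEY) === null };
}

// Gated: nothing tracking-related runs until a stored 'accepted' decision exists.
// Returning visitors who accepted earlier get the trackers without a new prompt;
// everyone else sees the banner (if undecided) and gets no trackers.
function gatedPageLoad(doc, storage) {
  const decision = storage.getItem(CONSENT_KEY);
  if (decision === 'accepted') {
    injectTracking(doc);
    return { bannerShown: false };
  }
  return { bannerShown: decision === null };
}

// Handlers wired to the banner's buttons: persist the decision, then act on it.
function onConsentAccepted(doc, storage) {
  storage.setItem(CONSENT_KEY, 'accepted');
  injectTracking(doc);
}

function onConsentRejected(storage) {
  storage.setItem(CONSENT_KEY, 'rejected');
}

// Walk through a first visit on each pattern and report what a DevTools audit would see.
function demo() {
  const bad = makeFakeDocument(), badStore = makeStorage();
  misconfiguredPageLoad(bad, badStore);
  const badBeforeConsent = trackingScriptsLoaded(bad).length;

  const good = makeFakeDocument(), goodStore = makeStorage();
  gatedPageLoad(good, goodStore);
  const goodBeforeConsent = trackingScriptsLoaded(good).length;
  onConsentAccepted(good, goodStore);
  const goodAfterConsent = trackingScriptsLoaded(good).length;

  // Second page view by the same visitor: consent persisted, no banner, trackers load.
  const secondView = makeFakeDocument();
  const second = gatedPageLoad(secondView, goodStore);

  // A visitor who rejected gets neither banner nor trackers on later views.
  const rejectStore = makeStorage();
  onConsentRejected(rejectStore);
  const rejectedView = makeFakeDocument();
  const rejected = gatedPageLoad(rejectedView, rejectStore);

  return {
    badBeforeConsent, goodBeforeConsent, goodAfterConsent,
    secondViewBanner: second.bannerShown, secondViewTrackers: trackingScriptsLoaded(secondView).length,
    rejectedBanner: rejected.bannerShown, rejectedTrackers: trackingScriptsLoaded(rejectedView).length,
  };
}

console.log(demo());
```

The point of the gated version is that the tracking snippet is never present in the page head; it is only ever reached through the consent handler or a previously stored acceptance. Most consent plugins offer an equivalent "block scripts until consent" setting, but it is usually off by default or needs the tracking snippets to be registered with it, which is why the DevTools check described later in this post is worth doing after installation.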
How to test if your cookie consent is working
It is relatively simple to check whether your site is setting non-essential cookies before the visitor gives their consent. If you use a Chrome-based browser then you can see which cookies have been created and whether they were set before or after consent.
1. Open an incognito browser window
To do this in Chrome, click the three dots in the top right-hand corner of the browser. In the drop-down menu you’ll see an option to open a new incognito window. Select that option.
2. Open the developer console
To do this right click anywhere on the empty browser page and select Inspect from the options. This will open the developer console.
3. Open the Application tab
You’ll see a selection of tabs. Click on the Application tab – don’t worry about any of the others. Once you’ve clicked on that you’ll see Cookies as an option down the left-hand side.
4. Go to your website
Enter the URL of the website that you want to check in the browser address bar. As your site loads you’ll see your web address in the “Cookies” section. Click on it and you’ll see all the cookies that are being set before consent is given. Cookies that are essential for the running of the site are OK at this point, so you would not expect this list to be completely blank. However, you definitely would not want to see the Facebook Pixel or Google Analytics tracking cookies, or anything of that nature, being set at this stage.
Once you have checked the initial list of cookies then you should click that you are happy to consent to cookies being deployed. When you click the option to give consent you should see more cookies being set and things like Google Analytics and other tracking cookies should only be set at this stage after consent is given.
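The manual check above can be partly automated. The following is an added example, not code from the original post: a small audit that takes a `document.cookie`-style snapshot, separates known tracking cookies from ones an operator has reviewed as essential, and diffs a before-consent snapshot against an after-consent one. The `_ga`, `_gid` and `_fbp` names are those mentioned in the post; `_gat`, `_gcl` and `_fbc` are additional Google and Facebook cookie prefixes added for coverage, and the essential allowlist and the sample snapshots are constructed placeholders.

```javascript
// Added example (not from the original post): classify the cookies seen in the
// DevTools Application tab so a pre-consent snapshot can be checked automatically.
// Paste into the browser console on your own site, or run under Node with the
// constructed sample strings below.

// Prefixes of well-known tracking cookies. _ga/_gid (Google Analytics) and _fbp
// (Facebook Pixel) are named in the post; _gat, _gcl and _fbc are further
// Google/Facebook prefixes added here for coverage.
const TRACKING_PREFIXES = ['_ga', '_gid', '_gat', '_gcl', '_fbp', '_fbc'];

// Constructed allowlist of cookies an operator has reviewed and deemed essential
// (session, basket, the consent record itself). Replace with what your developers confirm.
const ESSENTIAL_ALLOWLIST = ['PHPSESSID', 'wordpress_logged_in', 'woocommerce_cart_hash', 'cookie_consent'];

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    cookies[name] = eq === -1 ? '' : trimmed.slice(eq + 1);
  }
  return cookies;
}

// Tracking prefixes are checked first so a tracker is never hidden by a loose allowlist.
function classifyCookie(name) {
  if (TRACKING_PREFIXES.some(p => name.startsWith(p))) return 'tracking';
  if (ESSENTIAL_ALLOWLIST.some(p => name.startsWith(p))) return 'essential';
  return 'unknown';
}

// Audit a pre-consent snapshot: any tracking cookie here means the banner is not
// gating anything. 'unknown' names are the ones to ask your developers about.
function auditPreConsent(cookieString) {
  const result = { tracking: [], essential: [], unknown: [] };
  for (const name of Object.keys(parseCookieString(cookieString))) {
    result[classifyCookie(name)].push(name);
  }
  result.compliant = result.tracking.length === 0;
  return result;
}

// Names that appeared between two snapshots (before and after the consent button).
function cookiesAddedAfterConsent(beforeString, afterString) {
  const before = parseCookieString(beforeString);
  return Object.keys(parseCookieString(afterString)).filter(n => !(n in before));
}

// Constructed sample snapshots standing in for two different sites.
const SITE_A_BEFORE = 'PHPSESSID=abc123; cookie_consent=pending; _ga=GA1.2.111.222; _fbp=fb.1.333.444';
const SITE_B_BEFORE = 'PHPSESSID=def456; woocommerce_cart_hash=9f9f';
const SITE_B_AFTER  = 'PHPSESSID=def456; woocommerce_cart_hash=9f9f; cookie_consent=accepted; _ga=GA1.2.555.666; _gid=GA1.2.777.888; _fbp=fb.1.999.000';

// In a browser, audit the live page; under Node, fall back to the constructed samples.
const liveCookies = typeof document !== 'undefined' ? document.cookie : null;
if (liveCookies !== null) {
  console.log('Pre-consent audit of this page:', auditPreConsent(liveCookies));
} else {
  console.log('Site A before consent:', auditPreConsent(SITE_A_BEFORE));
  console.log('Site B before consent:', auditPreConsent(SITE_B_BEFORE));
  console.log('Site B set after consent:', cookiesAddedAfterConsent(SITE_B_BEFORE, SITE_B_AFTER));
}
```

Run `auditPreConsent(document.cookie)` in the console of a fresh incognito window before touching the banner, then again after accepting, and compare with `cookiesAddedAfterConsent`. One caveat: `document.cookie` only exposes cookies for the current domain that are not marked HttpOnly, whereas the Application tab lists every cookie the browser holds, including those set by third-party domains, so the tab remains the authoritative view and this script is a quick first pass.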
If you look at the screenshot below you will see a couple of cookies with _ga in their name – these are the Google Analytics cookies. The _fbp cookie is the Facebook Pixel cookie.
On this website neither of these types of cookie is deployed until after consent is given, so this site is compliant with cookie legislation. If you see anything like this set before you have given consent then your site is definitely not compliant. Your developers should be able to tell you what the other cookies are. If you find that your site is not compliant then you will need to speak to them anyway, to ensure that the cookie consent process is amended so that non-essential cookies are only set after the consent button is pressed.
If you have a WordPress site then this is something that we may also be able to help you with. We have set up and configured cookie consent plugins on numerous WordPress sites for other clients so get in touch if you’d like to chat about how we might be able to help you.