How to make your website cookie compliant

Recent research by Colin Stenning showed that 37.78% of local government websites did not provide users with the means to enable or disable non-essential cookies, or failed to make it easy to configure them.

Those responsible for creating, managing and maintaining a website must meet the requirements set out by the General Data Protection Regulation and the UK Data Protection Act 2018 to be cookie compliant.

All websites have to meet these requirements, yet users face a variety of confusing and often frustrating pop-ups, banners, buttons and barriers to entering a website and accepting or rejecting cookies.

If website administrators cannot provide straightforward, recognisable options, then it is difficult to expect website users to understand their rights and what cookies actually mean for them.

The responsibility to meet the requirements can be overwhelming. Despite being responsible for policing the rules on cookies, the ICO itself has admitted that it initially failed to meet those rules. It is also worth noting that, following the UK's exit from the European Union, the General Data Protection Regulation will no longer apply directly. Much of the legislation will be merged into the UK Data Protection Act 2018, but new legislation in 2021 is highly likely. Even if a website is compliant now, changes are likely, so dealing with website cookies is an ongoing process.

What is a cookie?

Each time a website is accessed, a cookie, which is a small text file, is downloaded onto the user's device (their computer, tablet or smartphone).

The cookie can be either a session cookie, which is temporary and expires when the browser closes, or a persistent cookie, which stays on the user's hard drive until the user or the browser erases it, in line with the cookie's expiration date (which should be no more than 12 months away).
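As an added illustration (not code from the original post), the following JavaScript reads Set-Cookie headers the way a browser would, separates session cookies from persistent ones and flags any persistent cookie whose lifetime exceeds 12 months. The header strings are constructed samples, and treating 12 months as 365 days is an assumption.

```javascript
// Added example, not code from the original post. Reads Set-Cookie headers
// as a server (or a proxy in front of it) would emit them, classifies each
// cookie as session or persistent, and flags persistent cookies whose
// lifetime exceeds the 12-month limit mentioned in the text. The headers
// below are constructed sample input.

const TWELVE_MONTHS_SECONDS = 365 * 24 * 60 * 60; // assumed: 12 months = 365 days

const SAMPLE_SET_COOKIE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly',                        // no expiry: session cookie
  'ui_prefs=dark; Max-Age=3600; Path=/',                       // persistent, one hour
  'site_stats=42; Max-Age=63072000; Path=/',                   // persistent, two years: too long
  'consent=v1; Expires=Tue, 01 Jun 2021 00:00:00 GMT; Path=/', // persistent via Expires
  'bad=1; Max-Age=soon; Path=/',                               // invalid Max-Age is ignored
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Lifetime in seconds from `now`, or null for a session cookie. As in RFC 6265,
// a valid Max-Age takes precedence over Expires, and unparseable values are ignored.
function cookieLifetimeSeconds(attributes, now) {
  if (attributes['max-age'] !== undefined && /^-?\d+$/.test(attributes['max-age'])) {
    return parseInt(attributes['max-age'], 10);
  }
  if (attributes.expires !== undefined) {
    const t = Date.parse(attributes.expires);
    if (!Number.isNaN(t)) return Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

// Classify a list of Set-Cookie headers; `now` is injectable so results are reproducible.
function auditSetCookieHeaders(headers, now = new Date()) {
  return headers.map((h) => {
    const { name, attributes } = parseSetCookie(h);
    const lifetime = cookieLifetimeSeconds(attributes, now);
    return {
      name,
      type: lifetime === null ? 'session' : 'persistent',
      lifetimeSeconds: lifetime,
      exceedsTwelveMonths: lifetime !== null && lifetime > TWELVE_MONTHS_SECONDS,
    };
  });
}

// Stand-alone run: print one finding per header for a fixed reference date.
for (const finding of auditSetCookieHeaders(SAMPLE_SET_COOKIE_HEADERS, new Date('2021-01-01T00:00:00Z'))) {
  console.log(finding);
}
```

Running this over the headers your own site actually returns (for example, captured from the browser's network inspector) gives a quick check that nothing persistent outlives the 12-month expectation.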

Where do cookies come from?

Websites themselves place cookies on devices to let users use their features securely. These are usually essential, strictly necessary cookies, and websites do not need your permission to set them, because the site could not be used without them.

However, many additional cookies, such as functional or marketing cookies, may come from third parties such as advertisers or analytics providers. These cookies must be declared, and the user must give permission, before they are set.

Why are websites still failing to meet the requirements?

Most websites provide information about the presence of cookies, but they are far from uniform in how effectively they achieve cookie compliance. As mentioned above, Colin Stenning's research into local government websites revealed that, although 98.04% of their public-facing websites explain what their cookies do and why, only 37.78% made sure users had the means to enable or disable non-essential cookies and made it easy to do so.

It is not acceptable to assume that website users will take it upon themselves to find and read your cookie policy and work out how to change their settings. To be fully compliant, a website has to present this information in a way that is easy to access and completely transparent.

How do I make sure I have cookie compliance?

You need to ensure that you have explicit consent from all of your users and that you respect their data rights. The strict rules of compliance are that websites must:

  • Not use any cookies other than strictly necessary ones without users' consent.

  • List and explain the purpose of the data each cookie tracks.

  • Keep a record of all users' consent.

  • Allow access to the service even if users refuse cookies.

  • Make it easy for users to withdraw consent.

There are some straightforward steps everyone can take to be compliant. Webtoffee is a good example of a plugin that captures all cookies and can efficiently block them if the user elects to reject them.

A whole host of companies offer the help you may need to ensure you can request, act on and store cookie consent data. Check that any plugin or solution you use allows you to:

  • Scan and track all cookies used on your site. This needs to be redone regularly to keep up-to-date.

  • Produce a cookie report listing all cookies, which updates automatically. This can be used as the cookie policy for your site, and a link to it should be included in your cookie consent banner.

  • Customise a cookie consent banner. This needs to show users that they can accept or reject cookies and access a list of all cookies, grouped in categories so users can opt in to and out of specific cookie types.

  • Ensure you securely store data from users who have consented.

  • Provide the users with the option to renew their consent annually.

  • Allow users to withdraw or alter their consent easily at any point in their user journey.

Using a plugin helps you meet all of these requirements, but it remains the responsibility of every organisation to make sure each step towards full compliance is completed properly.
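To make the rules above and the plugin checklist concrete, here is an added example (not code from the original post, from Webtoffee or from any other plugin) of the core logic a consent mechanism needs: a cookie register that lists each cookie and its purpose, a consent record stored with its date and policy version, a gate that refuses to write non-essential cookies until their category has been opted in to, expiry of consent after 12 months so it must be renewed, and withdrawal that also deletes the cookies the user no longer consents to. The cookie names, categories and the `cookie_consent` record name are assumptions; the cookie store is injected so the logic runs in Node, and in a browser you would supply functions backed by `document.cookie` instead.

```javascript
// Added example, not code from the original post or from any plugin it names.
// Minimal consent record and gate. All cookie names and categories here are
// constructed for illustration.

const CONSENT_COOKIE = 'cookie_consent';        // assumed name for the consent record
const CONSENT_VERSION = 1;                      // bump when the cookie list or policy changes
const CONSENT_TTL_SECONDS = 365 * 24 * 60 * 60; // renew annually (12 months, assumed 365 days)
const NON_ESSENTIAL = ['functional', 'analytics', 'marketing'];

// Constructed cookie register: every cookie the site sets, with its purpose.
// This is also what a cookie policy page or banner would render.
const COOKIE_REGISTRY = [
  { name: 'sessionid',  category: 'essential',  purpose: 'Keeps you signed in',        maxAgeSeconds: null },
  { name: 'ui_prefs',   category: 'functional', purpose: 'Remembers display settings', maxAgeSeconds: 30 * 86400 },
  { name: 'site_stats', category: 'analytics',  purpose: 'Counts page views',          maxAgeSeconds: 365 * 86400 },
  { name: 'ad_prefs',   category: 'marketing',  purpose: 'Selects relevant adverts',   maxAgeSeconds: 90 * 86400 },
];

// In-memory stand-in for the browser cookie jar (Max-Age is accepted but not enforced here).
function memoryCookieStore() {
  const jar = new Map();
  return {
    get: (name) => jar.get(name),
    set: (name, value, maxAgeSeconds) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
  };
}

function createConsentManager(store, registry = COOKIE_REGISTRY, now = () => Date.now()) {
  const byName = new Map(registry.map((c) => [c.name, c]));

  // The stored consent record, or null if there is none, it belongs to an
  // older policy version, or it is more than 12 months old (renewal needed).
  function load() {
    const raw = store.get(CONSENT_COOKIE);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    if (rec.version !== CONSENT_VERSION) return null;
    if (now() - rec.timestamp > CONSENT_TTL_SECONDS * 1000) return null;
    return rec;
  }

  // Essential cookies never need consent; everything else needs an opt-in on record.
  function isAllowed(category) {
    if (category === 'essential') return true;
    const rec = load();
    return rec !== null && rec.choices[category] === true;
  }

  // Remove every registered cookie whose category is not (or no longer) consented to.
  function enforce() {
    for (const c of registry) if (!isAllowed(c.category)) store.remove(c.name);
  }

  // Record the user's per-category choices with a timestamp and policy version.
  function recordConsent(choices) {
    const normalised = {};
    for (const cat of NON_ESSENTIAL) normalised[cat] = choices[cat] === true;
    const rec = { version: CONSENT_VERSION, timestamp: now(), choices: normalised };
    store.set(CONSENT_COOKIE, JSON.stringify(rec), CONSENT_TTL_SECONDS);
    enforce();
    return rec;
  }

  return {
    needsBanner: () => load() === null,       // no valid record: ask (or re-ask) the user
    isAllowed,
    recordConsent,
    withdrawConsent: () => recordConsent({}), // every non-essential category set to false
    // Write a cookie only if it is registered and its category is consented to.
    setCookie(name, value) {
      const entry = byName.get(name);
      if (!entry || !isAllowed(entry.category)) return false;
      store.set(name, value, entry.maxAgeSeconds);
      return true;
    },
    // The report a policy page can render: each cookie, its purpose and current status.
    report: () => registry.map((c) => ({ ...c, allowed: isAllowed(c.category) })),
  };
}

// Stand-alone run: show the register before any consent has been given.
const demo = createConsentManager(memoryCookieStore());
console.log(demo.report());
```

The two design points worth copying are that withdrawal is itself a recorded choice (so the banner does not reappear and the refusal is auditable) and that a version number on the record forces re-consent whenever the cookie list changes, which is what keeps the stored record honest after the regular cookie rescans the checklist calls for.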

Why is it vital to be cookie compliant?

In the current climate, data breaches cost companies on average $3.86 million per breach, with 80% of this attributable to breaches of personally identifiable information, according to a report by Juniper Research. It is expected that, globally, this cost will rise to $5 trillion by the year 2024.

Data breaches are serious business, and organisations should do everything they can not only to educate themselves but also to embed data protection into their everyday culture.

Being “cookie compliant” is one step organisations can take to minimise the number of breaches they might suffer through poor data protection.

By ensuring that visitors know what data is collected, why it is collected and how long it is stored for, organisations take a positive step in the right direction towards protecting all data.


Read more blogs by Steph Robinson
