If you’re using cookies on your website or app, you need to comply with data protection and privacy rules. This includes telling your users what cookies you’re using and why and telling them how they can change their preferences. Read on to find out more about using cookies on your website or app and download our cookie policy template to create your own.
Contents
- Cookies
- Getting consent to use cookies
- Do I have to ask for consent to use cookies?
- How do I get consent to use cookies from a visitor to my website?
- When should I get consent to use cookies from a visitor to my website?
- Can I set third-party cookies on my website?
- What happens if I don’t have a proper privacy policy and cookie policy?
- What other data protection policies does my business need?
Cookies
A cookie is a small text file which is downloaded when a user accesses a website. Cookies help your website recognise a particular user and collect and store information about the user's preferences or past actions. There are data protection laws concerning your use of cookies, which also apply to the use of similar technologies for storing information (for example flash cookies, web beacons, bugs or device fingerprinting).
A cookie policy, also sometimes referred to as a cookie notice, gives users of your website or app information about how you use cookies. This includes information about what cookies you use, how you will ask your users for their consent and how they can manage their preferences.
It’s another term for a cookie policy. It gives anyone who uses your website or app information about how you use cookies. You’re required under data protection and privacy rules to provide users of your site with this information.
For most types of cookies that you use on your website or app, you will need to provide a cookie policy explaining to your users how you use cookies.
Your cookie policy should not be hidden away on your website, you should make it easily accessible and draw your users’ attention to it when they visit your site. A common way of doing this is to include a hyperlink on your website, usually alongside your privacy policy.
You should also include a link to your policy in your cookie pop-up or banner when you ask your users for consent to your use of cookies (see below).
To create a customised cookie policy template for your business follow these three simple steps:
- Click this link to access a cookie policy template
- Fill in a short questionnaire
- Download your completed cookie policy!
Yes. If you are using cookies or similar technology on your website or app you must explain how you use them and request the consent of users for most types of cookie the first time they use your website or app (eg by having a banner or pop-up window in a clear and prominent place on your site, alongside some form of button to dismiss or acknowledge the policy). The mechanism you use to obtain consent should contain clear information about your use of cookies, including their purpose and duration. This should then link to your cookie policy where more detailed information can be set out.
If you use cookies to carry out online behavioural advertising there are strict rules that you need to follow; see Online behavioural advertising for more information about what this is and how to do it.
To get consent from users or subscribers, you must require them to take a positive action. Continuing to use your website will not amount to valid consent, nor generally will ‘cookie walls’ which essentially block access to your site until users agree to your use of cookies. The most common way of requesting consent is to have a banner or pop-up window on the site, alongside some form of button to dismiss or acknowledge the policy. Pre-ticked boxes or ‘on’ sliders are not compliant with the consent requirements. The banner or pop-up window must be in a clear and prominent place when the user first visits the website and must not emphasise ‘agree’ or ‘allow’ over the option to ‘reject’ or ‘block’ cookies. You should also ensure that users have an easy way to enable or disable non-essential cookies. It is best practice to have a cookie management tool on your website that allows users to manage their settings, rather than asking them to manage settings via their internet browser (as the latter may not be compliant with ICO guidance).
Cookies which are strictly necessary for you to do something that the user has asked for are exempt from the need to get active consent. For example, cookies to remember what a user has put in a shopping basket will not require consent.
You must obtain this consent from the website or app visitor straight away and bear in mind that there may be circumstances in which you will need your visitors to provide new consent to cookies (eg if you are setting new non-essential cookies which their previous consent did not cover). Your banner notice must also (before you request consent) include information about your use of cookies, including their purpose and duration. This should contain a link to more detailed information about your use of cookies, which will typically be included in your cookie policy. This information should be set out in plain language and cover how cookies operate, what categories of cookies you use on your website and what cookies are used for on your website.
A link to a cookie policy template that you can use on your website, together with notes about how to use it, can be found here: Cookie policy.
For full guidance on how to make sure your website is legally compliant, see Checklist of information to include to ensure your website is legally compliant.
Note that Parliament is currently considering changes to data protection law, through the Data Protection and Digital Information (No. 2) Bill. If this bill is passed into law, there may be more exemptions to the requirement to get consent to cookies (for example, you may not be required to get user consent if the purpose of cookies is to install software updates or to enable the website to reflect a user’s preferences). You’ll still need a cookie policy and the ability for users to opt-out of cookies. Stay posted for updates on these potential law changes.
Yes.
If your website allows third parties to set cookies on your users’ devices (eg from an advertising network), you must inform your users and obtain their consent first. This responsibility lies with both you and the third party so you will need to liaise with them to ensure that your obligations are met.
Breaches of data protection law can be costly for your business; in the worst case scenario, you could be fined up to £17.5 million or 4% of your global annual turnover and face serious reputational damage.
What other data protection policies does my business need?
Data protection compliance doesn’t start and end with cookie notices. To find out what other policies you’ll need to put into place, see our guide on GDPR policy templates. Importantly, cookie policies come hand in hand with privacy policies on a website or app; for access to a customisable privacy policy template and to find out more, see our Q&A.
The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.
Marion joined Sparqa Legal as a Senior Legal Editor in 2018. She previously worked as a corporate/commercial lawyer for five years at one of New Zealand’s leading law firms, Kensington Swan (now Dentons Kensington Swan), and as an in-house legal consultant for a UK tech company. Marion regularly writes for Sparqa’s blog, contributing across its commercial, IP and health and safety law content.