Using cookies on your website

Explaining the rules around cookie consent and what you need to do

There has been some confusion about cookie consent since the original cookie regulations came into force and this was compounded by GDPR when it became law in 2019. Implied consent used to be sufficient but this is no longer the case. Catch-all statements such as: “By continuing to use the website you agree to cookies being set” are now unacceptable. The Information Commissioner (ICO) has published some guidance to help clarify things including this rather complicated flow chart!

What is a cookie?

Cookies are text files stored on your computer by your web browser. They are used for various things such as remembering your preferences on a website, what you put in your shopping cart, that you are logged in, or what products you’ve looked at. They can even store personal information that you have entered on the website. Cookies can last as long as your browser is open, or for a period of time that the website determines. You can manage cookies and delete any from your browser.

The two types of cookies

As far as compliance is concerned there are two categories of cookie:

  1. Strictly necessary: these are cookies that are needed to provide the service the visitor expects. For example, a cookie to remember what is in a shopper’s shopping cart – without this the shopping cart system wouldn’t work and the shopper wouldn’t be able to buy anything.
  2. Non-essential: these are cookies that enhance the site owner’s or visitor’s experience but aren’t vital for the website to work. For example, cookies for visitor analytics, social sharing buttons, marketing or tracking – these are nice-to-haves but don’t really limit what the visitor can do or expect.

The visitor must explicitly consent to non-essential cookies before they are set. Remember though that even if your website only uses strictly necessary cookies you will still need a cookie banner telling the visitor about this, as well as a link to your privacy policy.

Firstly ask yourself…

  1. Do I need analytics? If you are running a small website, sometimes just knowing the overall visitor numbers per month is all you need. If so, you can get basic numbers from the server statistics software or from an external service like Cloudflare (which sits in front of your website). Using a method like this makes it easier to comply with the cookie regulations.
  2. If yes, do I really need Google Analytics? Google Analytics is huge and complex software and you will most likely only ever use a small part of it. There are a number of simpler, GDPR-focussed tools such as Fathom, Simple Analytics and Ticksel. These can be used without cookies but the downside is they are not free to use unlike Google Analytics. There is another newcomer called Koko which is free and works right within WordPress – it doesn’t set cookies or need any third-parties to work. However as yet it doesn’t provide information on a visitor’s device or geographic location but these are coming soon.
  3. Yes, I am sure I need Google Analytics! If you are running a larger website and you do definitely need Google Analytics, and/or social sharing buttons, and/or marketing cookies such as Facebook Pixel then you need to implement a cookie banner to obtain consent before these cookies are set on a visitor’s computer.

What is explicit consent?

  • You must give visitors the option to accept or reject non-essential cookies – usually this will be by asking them to click a button or tick a box. Visitors must be able to change their choices as well so you need to have an option for them to do this.
  • A visitor must be able to give consent freely and unambiguously. This means you cannot bundle consent with anything else (such as your general privacy policy or a competition or an offer) and you cannot prevent visitors from accessing your site before accepting cookies.
  • The buttons for accept and reject must be the same and cannot have different treatments: for example the accept button cannot be bigger or a different colour to persuade visitors to choose it. The image below shows one that you may often see but it is a non-compliant cookie banner!

Cookie banner options

Each website is different and may have different cookie and privacy needs so here are a few options that we have researched:

Iubenda

Iubenda is an Italian third-party service that provides a number of privacy-based solutions including an easy to use cookie banner and privacy policy generator. It has free and paid options depending on the number of monthly website visitors and features you need. On the paid plans (as with Cookie Control below) you are able to target only EU countries which can be useful if you have an international audience.

Cookie Control

Cookie Control from Civic is a UK third-party service and is used by the ICO on its own website. Again it has free and paid options depending on the number of monthly visitors and features you need.

WordPress plugin

There are hundreds of cookie banner plugins for WordPress, but the one we recommend, and use on our website, is GDPR Cookie Consent by WebToffee.

Developer-friendly option

Another alternative that offers granular control of cookies is Cookie Consent by Privacypolicies.com. This can be easily added to any website regardless of what CMS it uses and can be especially useful for sites that use older or proprietary CMSs. Privacypolicies.com also provide some useful starter templates for cookie and privacy policies.

Key takeaways

  • If you set any kind of cookie, you must have a cookie banner alerting visitors to this.
  • You must link to a privacy and/or cookie policy on your website, and list all of the cookies you set and their purpose.
  • If you use any non-essential cookies you must gain explicit consent from a visitor before setting any.
  • If you use third-party services for things like analytics, social sharing, marketing or to implement your cookie banner then you need to list them in a privacy policy on your website.
  • If you use analytics that require cookies to be set, the statistics you collect will be skewed because not all visitors will give consent. So it is a good idea to use one of the other options mentioned above, or to use them in conjunction.
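
The consent rule from the takeaways above, sketched as an added example (not code from this article or from any of the banner products it mentions): non-essential cookies stay off until the visitor has explicitly opted in, and cookies that are no longer covered by the visitor's choice, or that are missing from your cookie list, are flagged. The cookie names, categories and the JSON format of the stored choice are assumptions made for illustration.

```javascript
// Added example. Cookie names, categories and the JSON consent format are
// constructed for illustration; replace them with your site's own inventory.
const COOKIE_INVENTORY = [
  { name: "cart_id", category: "necessary", purpose: "shopping cart contents" },
  { name: "session", category: "necessary", purpose: "keeps the visitor logged in" },
  { name: "_analytics_id", category: "analytics", purpose: "visitor statistics" },
  { name: "_social_share", category: "social", purpose: "social sharing buttons" },
  { name: "_ad_pixel", category: "marketing", purpose: "advertising and tracking" },
];
const OPTIONAL_CATEGORIES = ["analytics", "social", "marketing"];

// Read the visitor's stored choice. A missing or malformed record counts as
// "not decided", and only an explicit `true` grants a category.
function parseConsent(raw) {
  const granted = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  const undecided = { decided: false, granted };
  if (typeof raw !== "string" || raw === "") return undecided;
  let data;
  try { data = JSON.parse(raw); } catch { return undecided; }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return undecided;
  for (const c of OPTIONAL_CATEGORIES) granted[c] = data[c] === true;
  return { decided: true, granted };
}

// Cookies the site may set right now: necessary ones always, others only on opt-in.
function allowedCookies(consent) {
  return COOKIE_INVENTORY
    .filter((c) => c.category === "necessary" || consent.granted[c.category] === true)
    .map((c) => c.name);
}

// Compare cookies found in the browser with the current choice.
// expire: listed cookies whose category is not (or no longer) consented to.
// unlisted: cookies missing from the inventory, so missing from the cookie policy too.
function auditCookies(consent, presentNames) {
  const allowed = new Set(allowedCookies(consent));
  const listed = new Set(COOKIE_INVENTORY.map((c) => c.name));
  return {
    expire: presentNames.filter((n) => listed.has(n) && !allowed.has(n)),
    unlisted: presentNames.filter((n) => !listed.has(n)),
  };
}
```

While `parseConsent(...)` reports `decided: false`, the banner should still be shown and only the strictly necessary cookies set.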

Need help?

This can be a confusing subject and implementing this can be technically difficult, so if you need any advice or help with a cookie consent solution for your website do get in touch.