Using cookies on your website
Explaining the rules around cookie consent and what you need to do
There has been some confusion about cookie consent since the original cookie regulations came into force, and this was compounded by GDPR when it became law in 2019. Implied consent used to be sufficient but this is no longer the case. Catch-all statements such as “By continuing to use the website you agree to cookies being set” are now unacceptable. The Information Commissioner’s Office (ICO) has published some guidance to help clarify things, including a rather complicated flow chart!
What is a cookie?
Cookies are text files stored on your computer by your web browser. They are used for various things such as remembering your preferences on a website, what you put in your shopping cart, that you are logged in, or what products you’ve looked at. They can even store personal information that you have entered on the website. Cookies can last as long as your browser is open, or for a period of time that the website determines. You can manage cookies and delete any from your browser.
The two types of cookies
As far as compliance is concerned there are two categories of cookie:
- Strictly necessary: these are cookies that are needed to provide the service the visitor expects. For example a cookie to remember what is in a shopper’s shopping cart – without this the shopping cart system wouldn’t work and the shopper wouldn’t be able to buy anything.
- Non-essential: these are cookies that enhance the site owner’s or visitor’s experience but aren’t vital for the website to work. For example, cookies used for visitor analytics, social sharing buttons, marketing or tracking – these are nice-to-haves but don’t really limit what the visitor can do or expect.
Firstly ask yourself…
- Do I need analytics? If you are running a small website, sometimes just knowing the overall visitor numbers per month is all you need. If so, you can get basic numbers from the server statistics software or from an external service like Cloudflare (which sits in front of your website). Using a method like this makes it easier to comply with the cookie regulations.
- If yes, do I really need Google Analytics? Google Analytics is huge and complex software and you will most likely only ever use a small part of it. There are a number of simpler, GDPR-focussed tools such as Fathom, Simple Analytics and Ticksel. These can be used without cookies but the downside is that, unlike Google Analytics, they are not free to use. There is another newcomer called Koko which is free and works right within WordPress – it doesn’t set cookies or need any third parties to work. However, as yet it doesn’t provide information on a visitor’s device or geographic location, but these are coming soon.
- Yes, I am sure I need Google Analytics! If you are running a larger website and you do definitely need Google Analytics, and/or social sharing buttons, and/or marketing cookies such as Facebook Pixel then you need to implement a cookie banner to obtain consent before these cookies are set on a visitor’s computer.
What is explicit consent?
- You must give visitors the option to accept or reject non-essential cookies – usually this will be by asking them to click a button or tick a box. Visitors must be able to change their choices as well so you need to have an option for them to do this.
- The buttons for accept and reject must be the same and cannot have different treatments: for example the accept button cannot be bigger or a different colour to persuade visitors to choose it. The image below shows one that you may often see but it is a non-compliant cookie banner!
Cookie banner options
Each website is different and may have different cookie and privacy needs so here are a few options that we have researched:
Cookie Control from Civic is a UK third-party service and is used by the ICO on its own website. Again it has free and paid options depending on the number of monthly visitors and features you need.
There are hundreds of cookie banner plugins for WordPress but the one we recommend, and use on our website, is GDPR Cookie Consent by WebToffee.
Another alternative that offers granular control of cookies is Cookie Consent by Privacypolicies.com. This can be easily added to any website regardless of what CMS it uses and can be especially useful for sites that use older or proprietary CMSs. Privacypolicies.com also provide some useful starter templates for cookie and privacy policies.
- If you set any kind of cookie, you must have a cookie banner alerting visitors to this.
- If you use any non-essential cookies you must gain explicit consent from a visitor before setting any.
- If you use analytics that require cookies to be set, the statistics you collect will be skewed because not all visitors will give consent. So it is a good idea to use one of the other options mentioned above, or to use them in conjunction.
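One way to enforce these rules in the page's own script, shown as an added example that is not from this article or from any of the banner products named above: nothing non-essential is set or loaded until the visitor opts in, and a later change of mind removes what was set. The category names, function names and the in-memory `jar` (a stand-in for `document.cookie` so the code runs offline) are assumptions.

```javascript
// Added example: consent gate for non-essential cookies.
// Category names are assumptions; the article only distinguishes
// "strictly necessary" from "non-essential".
const CATEGORIES = ['analytics', 'social', 'marketing'];

function createConsentGate(saved = null) {
  // No recorded choice means no consent: every non-essential category is off.
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (saved) for (const c of CATEGORIES) state[c] = saved[c] === true;
  const pending = [];    // loaders waiting for their category to be accepted
  const jar = new Map(); // stand-in for document.cookie

  function allowed(category) {
    return category === 'necessary' || state[category] === true;
  }
  function setCookie(name, value, category) {
    if (!allowed(category)) return false; // refuse before consent
    jar.set(name, { value, category });
    return true;
  }
  // Register a third-party loader (for example an analytics tag). It runs only
  // once its category is accepted, immediately if that has already happened.
  function whenAllowed(category, loader) {
    if (allowed(category)) loader();
    else pending.push({ category, loader });
  }
  // Called by the banner's accept/reject buttons and by the "change my
  // choices" option. Returns the object to persist for the next visit.
  function record(choices) {
    for (const c of CATEGORIES) state[c] = choices[c] === true;
    // Withdrawal: remove cookies whose category is now rejected.
    for (const [name, c] of jar) if (!allowed(c.category)) jar.delete(name);
    // Run loaders whose category has just been accepted, once each.
    const ready = pending.filter((p) => allowed(p.category));
    for (const p of ready) {
      pending.splice(pending.indexOf(p), 1);
      p.loader();
    }
    return { ...state };
  }
  const cookieNames = () => [...jar.keys()];
  return { allowed, setCookie, whenAllowed, record, cookieNames };
}
```

In a browser, `setCookie` would write to `document.cookie` and the object returned by `record` would itself be stored in a strictly necessary cookie so that the choice survives a reload.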
This can be a confusing subject and implementing this can be technically difficult, so if you need any advice or help with a cookie consent solution for your website do get in touch.