1. Understand what cookies your website uses
Before putting in place any procedures and documents to ensure cookie compliance, you need to understand what cookies are being used on your website (or other application). There are different rules in place for different types of cookies, with “strictly necessary cookies” requiring less by way of active consent than other cookie types. Find out more about the different types of cookies by reading this guide.
Before using cookies, or if you are already using them, you should ensure that you have full oversight of the cookies that will be used, or are being used, in order to achieve cookie compliance. Carrying out a “cookies audit” can be a key tool in achieving cookie compliance. A cookies audit will identify the cookies you use, and, according to ICO guidance, should also consider the following factors:
- for cookies that are already present and in use on your website, identify those that are operating on or through your website, using a combination of browser-based tools and server-side code review;
- confirm the purpose(s) of each of the cookies you use (or intend to use);
- confirm whether cookies are linked to other information held about users – such as usernames – and whether your use of cookies also involves (or will involve) processing personal data;
- identify what data each cookie holds or otherwise processes;
- confirm the type of cookie – session or persistent;
- distinguish between which cookies are strictly necessary and which ones aren’t (and would therefore require clear and comprehensive information and consent in order to achieve cookie compliance);
- ensure that your consent mechanism (i.e. pop-up banner) enables users to control the setting of all non-essential cookies;
- determine the lifespans of any persistent cookies and whether these durations are justifiable for the stated purpose;
- determine whether each cookie is a first or third party cookie, and if it is a third party cookie who is setting it;
- double check that the privacy information provides accurate and clear information about each cookie;
- confirm what information you share with third parties, and what users are told about this; and
- document your findings and follow-up actions, and build in an appropriate review period.
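As an added illustration of the audit factors above (not part of the original guide or of ICO guidance), the following script turns captured `Set-Cookie` response headers into an inventory recording who sets each cookie, whether it is session or persistent, and its lifespan. The site name, sample headers, function names and the `REVIEW_AFTER_DAYS` threshold are all assumptions made for this example.

```javascript
// Constructed sample: Set-Cookie headers captured while loading a page on
// example.com. Hosts, names and values are made up for illustration.
const SITE = "example.com";
const CAPTURED = [
  { host: "www.example.com", header: "sessionid=abc123; Path=/; HttpOnly; Secure" },
  { host: "www.example.com", header: "prefs=lang%3Den; Max-Age=31536000; Path=/" },
  { host: "tracker.example.net",
    header: "uid=9f8e7d; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=example.net; SameSite=None; Secure" },
];
// Arbitrary review threshold chosen for this example; it is not a legal limit.
const REVIEW_AFTER_DAYS = 180;

// Split one Set-Cookie header into the cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const cookie = { name: pair.split("=")[0], attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Build one audit row per cookie: who sets it, session or persistent, lifespan.
function auditCookies(captured, site, now) {
  return captured.map(({ host, header }) => {
    const { name, attrs } = parseSetCookie(header);
    // Max-Age wins over Expires (RFC 6265); with neither, it is a session cookie.
    let expiresAt = null;
    if (attrs["max-age"] !== undefined) expiresAt = now + Number(attrs["max-age"]) * 1000;
    else if (attrs.expires !== undefined) expiresAt = Date.parse(attrs.expires);
    const days = expiresAt === null ? null : Math.round((expiresAt - now) / 86400000);
    // Simplified same-site test; a production audit would use the Public Suffix List.
    const firstParty = host === site || host.endsWith("." + site);
    return {
      name,
      setBy: host,
      party: firstParty ? "first" : "third",
      type: expiresAt === null ? "session" : "persistent",
      lifespanDays: days,
      reviewLifespan: days !== null && days > REVIEW_AFTER_DAYS,
      purpose: "", // filled in by hand: purpose, data held, strictly necessary?
    };
  });
}

console.table(auditCookies(CAPTURED, SITE, Date.UTC(2025, 0, 1)));
```

Cookies written by client-side scripts through `document.cookie` do not appear in response headers, so this inventory still needs to be cross-checked with the browser-based tools mentioned above.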
2. Have a cookies notice
Where cookies are gathering personal data about individuals (whether that is their IP addresses, website preferences or other data), you must tell those individuals that cookies are being used and provide information on how and why the cookies are operating. This is provided via a cookie notice.
The information provided to individuals via a cookie notice must be “clear and comprehensive” to achieve cookie compliance. Use this checklist to help you draft a comprehensive cookie notice.
3. Bring the cookies notice to website visitors' attention
To ensure cookie compliance, it’s not enough to just have a cookie notice in place. To comply with cookie rules, that cookie notice must be clearly brought to the website visitors' attention.
The ICO recommend the following ways to increase the prominence of cookie information on websites:
- formatting – this might include changing the size of the link to the information or using a different font. The key is whether the link to this important information is distinguishable from “normal text” and other links;
- positioning – simply moving the link from the footer of the page to somewhere more likely to catch attention is an easy but effective thing to try; and
- wording – making the hyperlink more than simply “privacy policy”; this could involve a link through some explanatory text (“Find out more about how our site works and how we put you in control.”).
4. Obtain consent for cookie use
Except in relation to strictly necessary cookies, to ensure website cookie compliance you must obtain consent from website visitors for the use of the cookies.
Cookie consent is usually gathered via a pop-up when the visitor first visits the website, known as a cookies banner. When obtaining consent for cookies, you need to ensure that any consent mechanism you put in place allows users to have control over all the cookies your website sets, not just your own. For example, if you want to set third-party content such as tracking pixels and beacons from social networks, you need to ensure that users are given information about these and appropriate controls to signify whether or not they consent.
Find out more about cookie consent using this guide.
5. Tell users how to withdraw consent
For consent to be valid and ensure cookie compliance, you must give individuals the ability to easily withdraw that consent at any time. There should therefore be a clear mechanism in place to allow users to withdraw their consent with the same ease that they gave it, otherwise it will not be compliant with the UK GDPR’s consent requirements.
You must also provide information about how consent can be withdrawn, and how cookies that have already been set can be removed, e.g. in your consent mechanism / cookies banner or within your privacy or cookie notices.
Find out more about withdrawing cookie consent using this guide.