As a website owner, you will no doubt have heard about cookies and the huge impact they can have on digital marketing. In most cases, unless exceptions apply, a website deploying cookies will need a website cookie policy. However, a website cookie policy has key pitfalls to watch out for and avoid. This article will explore some common mistakes to avoid in a website cookie policy.

What Is a Cookie Policy, and Do I Need One?

To determine if you need a cookie policy, you must first determine whether your website uses cookies. A cookie is a text file stored on a user's device (for instance, on their computer or phone).

Websites commonly use cookies for various purposes – for example, to:

  • remember a user's preferences; or
  • analyse the performance of a website and particular features.

There are various types of cookies. Some are 'strictly necessary' or essential for a website to function, and some may have a functional purpose. A website may also deploy cookies for analytics or targeting purposes.

If your website uses cookies, you must follow strict legal rules. The Privacy and Electronic Communications Regulations (PECR) heavily regulate cookies.

A critical legal rule under PECR is that websites must provide clear and comprehensive information to users about the use of cookies. Unless limited exceptions apply, you will need a website cookie policy. A cookie policy is highly recommended as a best practice, even if an exception applies.

You should also note that the UK General Data Protection Regulation and Data Protection Act 2018 regulate the use of cookies that involve processing personal information.

What Are Common Mistakes to Avoid in a Cookie Policy?

Preparing a compliant cookie policy can be a technical and complex exercise, which some businesses need help with.

Here are some critical mistakes which you should avoid in your website cookie policy:

What Information Should Your Cookie Policy Contain?

Your cookie policy must provide detailed information about all the cookies your website deploys. Understanding and documenting all the relevant cookies is essential so that users know about them. Users need to understand all the cookies used on your website and their impact.

Your cookie policy must clearly explain various information, including but not limited to:

  • the types of cookies you use;
  • what the cookies do and what their purposes are;
  • how long they last before they expire;
  • if any third parties will access the data collected from cookies; and
  • how users can control the use of cookies.

To avoid this mistake, you should carry out a detailed cookie audit. This often requires the support of professional website developers to gauge which cookies the website deploys.

Nonetheless, it is essential to understand fully which cookies your website uses and why. Failing to do so will mean that your cookie policy will not comply with the rules under PECR. You need comprehensive information about your website cookies and their uses so you can accurately define them in your cookie policy.

How to Ensure Your Cookie Policy Correctly Addresses Cookie Preferences?

Under PECR, user consent is another fundamental legal rule. Your business must obtain a user's consent to use cookies unless limited exceptions apply (for example, if the cookies are essential to providing a service over the internet). However, a cookie policy is not the correct way for you to seek user consent to allow the use of cookies.

To comply with the strict rules under PECR, user consent to use cookies must be 'clear, freely given, specific, informed and unambiguous'. As a website deploying cookies, you must be able to demonstrate that users consented to this high standard. Your users must take an active step to show they agree to the use of most cookies.

As such, it is a severe mistake for a cookie policy to state that the user 'consents' to the use of cookies. You will need a separate, valid consent mechanism to allow users to control their preferences and consent to the use of cookies. For instance, many businesses display a 'cookie banner' which users must click on to opt into specific types of cookies, demonstrating their consent.

Cookie consent is a challenging topic, and if in doubt, you should seek legal advice about this.

Ensure Your Cookie Policy Is Up to Date

Ensuring that your cookie policy is entirely up to date is essential. Preparing a cookie policy at one stage (for instance, at the start-up stage) and then forgetting about it is a grave mistake. Websites are often updated and may start to deploy additional cookies over time.

For example, a simple, basic website may be redesigned to deploy further analytics cookies to track website performance.

The UK ICO (the data protection regulator) has issued clear guidance on the changing use of cookies. It is essential to ensure that you inform relevant users of the introduction of new cookies or changes to the use of cookies. Users need to be notified of such changes so that they can decide which cookies they allow you to use.

As such, you should regularly review and update your cookie policy and ensure it is current.

Why Does This Matter?

In recent times, regulators have been scrutinising cookie use more closely. The UK ICO has taken enforcement action against businesses for failing to comply with the relevant legal rules.

Breaches of PECR can have various negative consequences for businesses. For instance, companies can be fined up to £500,000. As such, it is vital to ensure that your business complies with these rules, that your cookie policy is compliant, and that you avoid the above-mentioned mistakes.

Cookie law rules can seem complicated and daunting to navigate. If you require support with understanding the rules and ensuring your website cookie policy is compliant, you can work with a data protection solicitor to help you comply with them.

Key Takeaways

In today's digital world, most websites use some form of cookies. Unless limited exceptions apply, a website using cookies will likely need a cookie policy.

Strict legal requirements apply when using cookies due to the legal rules under the PECR regime. Businesses can often make severe mistakes in their cookie policies – for instance, by failing to correctly set out information about all the cookies used on their websites. Avoiding these mistakes and ensuring your cookie policy is carefully drafted and compliant with the PECR rules is essential.