Is your website handling cookie consent correctly?

It’s five years now since GDPR came into force but many organisations are still struggling to ensure that their websites are compliant. In particular, there’s a lack of clarity regarding what’s required in terms of cookie consent and many websites that think they are compliant only to discover that they are not.

Firstly, what are you legally obliged to do?

The law requires that you do three things.

• Tell people the cookies are there
• Explain what the cookies are doing and why
• Get the person’s consent to store a cookie on their device (before you store it!)

In order to comply with these requirements you should have a cookie policy document on your website that tells people what cookies are on your site and explains what they’re doing and why. Here’s a link to the Information Commissioner’s website which gives much more detailed guidance on how this policy should be formulated, but the key wording is this:

“You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.”

Therefore best practice is to have a separate cookie policy document (not just an addendum to your privacy policy) and to provide people with a clear and easy to find link to that policy at the point at which you’re asking them if they consent (or not) to cookies being downloaded.

Does this apply to all cookies?

There are a few narrowly defined exemptions to the consent requirement. Again, there’s more information about this on the ICO’s website. You do not need consent for cookies that are essential to the functioning of your website. This is a very narrow category and might including things like cookies that track whether or not people are logged into the website or enable visitors to add something to a shopping basket. Most cookies are not exempt. If you’re using anything like Google Analytics or a Facebook Pixel or any other kind of cookie that tracks user behaviour in any way then you definitely need users to conset before you can set the cookie.

What counts as consent?

The Information Commissioner defines consent as follows:-

“To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent….You cannot set non-essential cookies on your website’s homepage before the user has consented to them.”  

This last sentence is particularly important. We have come across several examples recently of websites which either don’t have any cookie consent functionality at all or which have a cookie consent pop up that doesn’t actually do anything – cookies are still being downloaded before the user has consented via the popup. This is particularly problematic as it means you may think your website is compliant with its legal obligations when in fact it is not.

Just having the cookie popup or banner is not enough – you need to ensure that it is actually doing what it is supposed to do.

Why might your cookie banner not be working properly?

There are a number of reasons why this happens. A lot of cookie consent banners have been added onto websites almost as an afterthought, or implemented without any real understanding of how they work in the background. The banner may have been installed but not configured correctly or not fully tested. Perhaps something updates in the background which means that the banner once worked correctly but does not now. A cookie banner can give you the sense that you’re doing the right thing but actually doing nothing more than asking for the user’s preference and then completely ignoring it. It is really worth testing that your cookie banner works correctly and fixing any problems with it now rather than waiting until you get a complaint, perhaps from a privacy activists who is on the lookout for sites that are not compliant with cookie legislation (as happened to one company we know of recently).

How to test if your cookie consent is working

It is relatively simple to check if your site is setting non-essential cookies before the visitor gives their consent. If you use a Chrome-based browser then you can look to see what cookies have been created and see when they are deployed, prior to consent or post consent.

1. Open an incognito browser window

To do this in Chrome go to the three dots in the top right hand corner of the browser and click on them. On the drop down you then see there’s an option to open a new incognito window. Select that option.

2. Open the developer console

To do this right click anywhere on the empty browser page and select Inspect from the options. This will open the developer console.

3. Open the Application tab

You’ll see a selection of tabs. Click on the Application tab – don’t worry about any of the others. Once you’ve clicked on that you’ll see Cookies as an option down the left hand side.

4. Go to your website

Enter the URL of the website that you want to check in the browser address bar. As your site is loaded you’ll see your web address in the “Cookies” section. Click on there and you’ll see all the cookies that are being downloaded before consent is given. Cookies that are essential for the running of the site are OK at this point so you would not expect this list to be completely blank. However you definitely would not want to see the Facebook Pixel or Google Analytics tracking cookies or anything of that nature being set at this stage.

Once you have checked the initial list of cookies then you should click that you are happy to consent to cookies being deployed. When you click the option to give consent you should see more cookies being set and things like Google Analytics and other tracking cookies should only be set at this stage after consent is given.

If you look at the screenshot below you will see a couple of cookies with _ga in their name – these are the Google Analytics cookies. The _fbp cookie is the Facebook Pixel cookie.

On this website neither of these types of cookie are deployed until after consent is given so this site is compliant with cookie legislation. If you see anything like this downloaded before you have given consent then your site is definitely not compliant. Your developers should be able to tell you what the other cookies are. If you find that your site is not compliant then you will definitely need to speak to them anyway to ensure that the cookie consent process is amended to ensure non-essential cookies are only downloaded after the consent button is pressed.