Website cookies: Why your website needs an update to abide by UK law
Aug 27, 2021
As you browse the Web, you've probably seen countless requests to "accept cookies." Sometimes, there are even multiple options to choose how you share your information. Websites have been requesting cookies since nearly the dawn of the Web itself, but recently, data privacy laws have required webmasters to inform users when doing so.
In the UK, the Privacy and Electronics Communications Regulation (PECR) now applies in addition to the General Data Protection Regulation (GDPR). This means that even if you've been alerting users about cookies, your website may not be compliant — and you could find yourself subject to penalties. Read on to learn more about current cookie policies and how to comply with PECR.
What are website cookies?
First, let's go over the basics. Cookies are pieces of information that a website asks users to store in their browser. They are used to collect data for Google Analytics, connect to social networks, or even track the user's activity to show them relevant ads at a later time. They also store users' preferences, such as for how a site appears to them, whether they'd like to stay logged into their account, or which items are in their virtual shopping cart, if applicable.
Unfortunately, almost all of those are considered non-essential cookies. Under PECR, this means that webmasters cannot assume that users consent to cookies. In fact, the law says that users must actively opt into accepting cookies, and there must be a noticeable UI element or pop-up asking users to make a choice.
What were the rules before?
Previous guidance allowed webmasters to inform users about cookies after the fact, i.e., the website would place cookies for Google Analytics, shopping cart recovery, and so on, then display a generic message such as "By continuing to use this website, you consent to our use of cookies." This practice was largely based on the GDPR, which treats cookies as a personal identifier and focuses on how that information is stored and used, e.g., in retargeting campaigns. Most websites were technically compliant even if they placed Facebook tracking pixels, social media buttons, and other elements that collected users' information without consent.
What has changed?
PECR, however, changed the game by requiring all websites to explicitly ask users to accept cookies, rather than placing them first and asking later. The new focus on consent removes any possibility for assuming your users will interact with your site a certain way. Here's a brief summary of what's changed:
- You should still have cookie consent pop-ups, but now, they must precede before you can place any cookies in the user's browser.
- You cannot use tracking pixels or analytics plugins until someone has consented. Those scripts cannot even load prior to that.
- Consent pop-ups must not lead users toward a certain choice. You cannot make the "Accept" button bigger than the "Decline" button, force users to accept all cookies at once, or even have the "Accept" choice be the default option.
- You cannot assume that users will rely on their browser settings to avoid cookies as many users don't know how to do this.
- You cannot block users from your website if they opt-out, except for essential cookies (e.g., for logging into their account or checking out a purchase).
- All consent pop-ups must meet other standards of accessibility. For example, a cookie opt-in that blocks use of the site or that does not render on mobile is not compliant.
What do I need to do?
It is no longer sufficient to place a generic pop-up on your website. Rather than informing your website's visitors that you use cookies, you must now ask for their informed consent first — and allow them to choose their preferred options. This means your site must work whether or not users have opted in (excluding essential functions such as placing an order or logging into an account). For example, if visitors don't opt into the use of their information to show them relevant Facebook content, the "likebox" element on your page cannot load. In other words, the function and appearance of your website must follow from your users' consent rather than assuming they've given it to you.
As this can be a challenging task, it's a good idea to contact your web developer and ask them to update your site. They can configure your site to only place cookies and include/exclude various page elements depending on users' choices. It's worth noting that most users simply dismiss pop-ups, or they won't opt-in without a good reason. This means that your Google Analytics may not collect sufficient data, and your retargeting campaigns will cease working. Talk with your UI designer about creating an informative consent page that encourages users to opt-in without forcing them to do so.
With careful collaboration among your designer, developer, and webmaster, you should be able to achieve compliance whilst maintaining your marketing endeavours.
For expert assistance, please get in touch with The Creation Lab and we'll be happy to discuss your options.
What happens if I don't update my website?
It may be tempting to assume that you can carry on with your regular cookie popup — or none at all. However, PECR does trump GDPR regulations, and the relevant authority, the Information Commissioner's Office, has already handed out hefty fines to non-PECR-compliant websites to the tune of £99m and £183m. In short, they take data privacy quite seriously, and so should you.
While it's impossible to predict how consumers will react, it makes sense to assume that most users may eventually become wary of sites that don't have the explicit cookie opt-in with multiple choices. Also, sites that offer a poor UX, whether due to improper cookie screens or missing elements, will likely suffer a poor reputation. It's reasonable to expect that investing in PECR-compliant web development is crucial to continued success on the web, even if you avoid the legal fines.
In sum, take the time now to implement fully informed consent on your site and avoid default cookie-setting and "after the fact" notices. Time and the law are on your side.