[GDPR] Your Website and Cookies

GDPR and Cookies

It’s hard not to get technical when talking about the General Data Protection Regulation (GDPR); as much as I try when explaining it to clients, I always worry that I’ve lost them down the rabbit hole of detail.

With that in mind, one of the questions I’m most often asked (just after the use of mailing lists) is about the use of cookies on websites. Generally, website owners all want to know the same things:

  • What is the minimum I can get away with?
  • Does Google Analytics really fall into it? 
  • But does analytics fall under it for me? 
  • I need to see how my visitors use the website, am I exempt because the analytics data is essential to me?

There are very few businesses out there where the moral lead given by GDPR (such as privacy always coming first) is followed 100% of the time. To have privacy come ahead of commercial concerns, ahead of marketing and ahead of everything you do will cost you time, money and potential business. What we have to remember is that for these businesses it has been a way of life since the first sale, and assumptions have piled on top of assumptions as they’ve grown, leaving them with a perfected system with privacy as an afterthought (if that).

Tracking your customers, the use of third-party services and cookies as a whole are among the most awkward public-facing privacy elements you’ll need to deal with, so let us start with the basics.

What are Cookies?

Cookies have been in use by websites and digital services for over 20 years. In their most basic form, they are a file that the browser places onto your computer, made up of a unique identifier among other details; the website then looks for this cookie to identify you as you browse between different pages, or when you leave the website and come back another day.

Cookies might be used to track you as a customer for personalisation, so the website knows who you are when you return and logging in and purchasing are easier. Cookies could also be used to track and analyse how you browse around a website, or multiple websites, for use by advertisers to define what products or services might interest you.

Cookies can last for seconds or until you delete them; there is no set standard, and Cookies don’t always belong to the website that you are accessing. For example, if you browse a website that has a video from YouTube embedded then you will also have Cookies from YouTube set on your computer, which are used to track how much of a video you’ve watched or to help personalise your ‘recommended videos’.

Cookies should never be seen as the bad guy or a kind of dark technology; they provide a very important feature. But it’s important that you understand exactly what Cookies your website, and the third parties that you use, set for your customers and why they are needed.

What is the Cookie Law?

Let us be clear from the start: there is no set law called the ‘Cookie Law’ or the ‘EU Cookie Law’. It does get a little confusing, so it’s best to start from the beginning with some honest commentary.

The First Cookie Law

Back in 2011, an amendment was made to the Privacy and Electronic Communications Regulation (PECR) which provided a directive applicable to Cookies (if you like the technical detail you can read the entire 26-page directive here). The idea at the time was that, despite Cookies being in use for quite some time, the general public had no idea what they were. The amendment was meant to provide the basics of transparency to website visitors: companies were to alert them to the fact that cookies were going to be set and to provide a basic explanation of why.

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

The idea of transparency was beautiful; in practice, however, the 2011 amendment didn’t hold any ground. There was no fine or legal hold over making sure it was done. The advice was confusing, ranging from an initial ‘you must ask people’s permission before any cookie is used on your website’ to a basic ‘tell people you use cookies, somewhere’ just 2 years later.

From the businesses’ point of view, only a small number published a cookie bar that disabled cookies on a website. When I was asked, I recommended a ‘Cookie Bar’ to the clients I worked with, but very few took that advice, and those that did very quickly wanted it removed as soon as customers started opting out, their Analytics and other tracking tools suddenly stopped reporting and their strategies fell by the roadside.

The Second Cookie Law

I know I said there wasn’t a Cookie Law, but it’s a lot easier to reference it as something. GDPR brought back the ‘Cookie Law’ (I feel the need to say again that it’s not a named law) with a vengeance.

GDPR essentially says that if it’s personally identifiable information (PII) that you’re tracking then you need a legally defined purpose for doing so, a purpose neatly lined up ahead of time and ready for inspection. The easiest is of course just asking people for consent, which means you need to explain transparently, and in easy to understand terms, exactly what your Cookies are and what they are doing on your website. And because consent means asking, people can say no (in fact you can’t assume a yes: someone ignoring you doesn’t give you consent), so you need to be able to handle those that say no.

While we’re now only a few months into GDPR being enforceable law, I’m expecting the importance and legality of this to outlast the first-generation Cookie Law’s attempt to make waves. The big why on this is that if you don’t put this in place, if you don’t provide a transparent and easy to use explanation that allows customers to provide or remove consent, then under the GDPR you’re using data for which you have neither permission nor a legal purpose, most commonly known as a fineable Data Breach.

I don’t believe in creating drama or scare tactics to drive people towards making a change, and there are a lot of websites and blogs that do exactly that: the Law says that depending on the type of Data Breach (including the size of the misuse, in both the detail of PII and the number of people affected) you can be expecting a fine of up to 2%/4% or 10 Million/20 Million euros. But I don’t like the financial side of the scaremongering. The ICO themselves have said that they are more about helping people understand and get things fixed, oh, and the power of naming and shaming offenders. You can guarantee that if the ICO put out a statement about your breach then your customers won’t be queueing up (even the big players suffer: just take a look at the share price drop that took Mark Zuckerberg from the 3rd richest person to the 6th, a drop in worth of $16 billion).

Enough of the data, what do I need to do?

I won’t be surprised or hurt if you’ve skipped to this section. At the end of the day, there’s no point looking at the details of the law when you already know you need to do something; you just want to know what.

First things first: what do you already know? Do you already have a list of all of the cookies your website uses? Do you have any idea what third-party services you’re using that might set one?

If your website isn’t brand new and has been in the hands of your team for many years then there’s a high chance you’ve lost track of what Cookies are stored already; hell, I wouldn’t blame you for following the philosophy of not questioning it as long as it’s working and converting.

If you have a login on your website, or if you have Google Analytics, perhaps even call tracking software as part of a lead generation plan from your sales team, or a commercial video of your latest product from YouTube, then you have cookies being set.

Without a shadow of a doubt, what you need to start with is a Cookie Audit. You need to understand exactly what Cookies and third-party software your website is using. If you’re more technical then you can use nothing more than a web browser; for the less tech-savvy you can either ask your web developer or use one of the many free and paid tools that have appeared over the last year, like Cookiebot.
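As an added example (not code from the original post, and not Cookiebot’s or any other vendor’s tool), here is the kind of inventory a Cookie Audit is trying to produce, written in JavaScript. It takes Set-Cookie headers as you would copy them from a browser’s network panel and records, for each cookie, which host set it, whether it is first- or third-party relative to the page you were on (the YouTube case from the “What are Cookies?” section), and whether it dies with the session or persists and for how long. All hosts, cookie names and values are constructed samples, and the first-party test is a simplification that the comments point out.

```javascript
// Added example (not from the original post or any audit tool): build a cookie
// inventory for a Cookie Audit from the Set-Cookie headers a browser's network
// panel shows. All hostnames and cookie values below are constructed samples.

// Parse one Set-Cookie header into { name, value, <attribute>: value }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eqName = parts[0].indexOf('=');
  const attrs = {
    name: eqName === -1 ? parts[0] : parts[0].slice(0, eqName).trim(),
    value: eqName === -1 ? '' : parts[0].slice(eqName + 1),
  };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return attrs;
}

// Simplified first-party test: the cookie host equals the page host or is a
// parent of it. A real audit should also consult the Public Suffix List so
// that "co.uk"-style suffixes are not mistaken for a shared parent domain.
function isFirstParty(pageHost, cookieHost) {
  const h = cookieHost.replace(/^\./, '').toLowerCase();
  const p = pageHost.toLowerCase();
  return p === h || p.endsWith('.' + h);
}

// Lifetime in days, or null for a session cookie. Max-Age wins over Expires
// when both are present, which is what browsers do.
function lifetimeDays(attrs, now) {
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']) / 86400;
  if (attrs.expires !== undefined) {
    const exp = Date.parse(attrs.expires);
    return Number.isNaN(exp) ? null : (exp - now.getTime()) / 86400000;
  }
  return null;
}

// records: [{ pageHost, responseHost, setCookie }] as captured while browsing.
// Returns one inventory row per cookie, ready for the Cookie Policy table.
function auditCookies(records, now = new Date()) {
  return records.map(({ pageHost, responseHost, setCookie }) => {
    const attrs = parseSetCookie(setCookie);
    const cookieHost = attrs.domain || responseHost; // no Domain attr: host-only cookie
    const days = lifetimeDays(attrs, now);
    return {
      name: attrs.name,
      host: cookieHost.replace(/^\./, ''),
      party: isFirstParty(pageHost, cookieHost) ? 'first' : 'third',
      persistent: days !== null,
      lifetimeDays: days,
      secure: attrs.secure === true,
      httpOnly: attrs.httponly === true,
    };
  });
}

// Constructed sample capture from a single page view on www.example.com
// (a login session cookie, an analytics cookie, an embedded YouTube video, a promo flag).
const SAMPLE_CAPTURE = [
  { pageHost: 'www.example.com', responseHost: 'www.example.com',
    setCookie: 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  { pageHost: 'www.example.com', responseHost: 'www.example.com',
    setCookie: '_ga=GA1.2.111.222; Domain=.example.com; Max-Age=63072000; Path=/' },
  { pageHost: 'www.example.com', responseHost: 'www.youtube.com',
    setCookie: 'YSC=xyz; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=None' },
  { pageHost: 'www.example.com', responseHost: 'www.example.com',
    setCookie: 'promo=seen; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditCookies(SAMPLE_CAPTURE, new Date('2024-12-25T00:00:00Z')));
}
```

The output rows are exactly the columns a Cookie Policy needs (name, who sets it, first or third party, how long it lives) with the purpose column left for you to fill in. The third-party and lifetime columns are the ones that most often surprise site owners; a two-year analytics cookie and a session cookie from a video host look very different on a consent banner.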

What about Google Analytics?

If used correctly, Google Analytics out of the box is, or can very easily be, GDPR compliant. To be honest and upfront, though: it’s not that easy. There are plenty of pitfalls and traps; after all, analytics is only going to be as GDPR compliant as the data you send it and the other services Google links with.

You might not be able to answer these questions yourself, but your web developer can, or if you have an SEO or PPC manager then they will be able to as well (if you’re a client of ours, just ask!).

  1. Do any of your website URLs contain any PII?
    Perhaps a forgotten email system carries the email address in post data, or perhaps your order confirmation URL structure includes a customer’s order number.
  2. What about any of your custom dimensions?
  3. Do you have geolocation turned on?
    To work out geolocation you transmit a user’s IP to Google. You’ll need to turn this off or use Google’s IP anonymisation to get around this (and it’s best to still declare to your visitors that it’s happening).
  4. Do you use the User-ID feature?
  5. Do you use Advanced Marketing Tools?
    This would include data collection for advertising features, remarketing etc. (this would be treated the same as if you put a Facebook tracking pixel in, or any other for marketing purposes).
  6. Do you actually know why you use Google Analytics?
    It’s hard, if not impossible, to defend that you were using Google Analytics lawfully, and to argue that it doesn’t contain any PII, if you can’t actually define why you use Google Analytics in the first place. What metrics do you review, and why?

There is no middle ground on this: if you answered yes to any of 1-5 then you should be asking for explicit (you can’t assume!) consent from your customers as soon as they visit your website, including offering them a chance to change their mind in the future (i.e. revoking consent). You should also, as part of your Cookie Policy, provide a full list of the Cookies you are using, what information is stored and why you are using them.
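As an added example (not from the original post, and not Google’s own code or documentation), the following JavaScript shows two of the fixes from questions 1, 3 and 5 in practice: stripping email addresses and order numbers out of a page URL before it is reported, and building a gtag.js page config with IP anonymisation on and advertising features off. The tracking ID and the list of parameter names treated as PII are placeholders chosen for the example; `anonymize_ip`, `allow_google_signals`, `allow_ad_personalization_signals` and `page_location` are the documented gtag.js parameter names.

```javascript
// Added example (not from the original post or from Google): strip PII from a
// page URL before it is reported to Google Analytics, and build a gtag.js page
// config that turns on IP anonymisation and turns off advertising features.
// The tracking ID and the list of PII parameter names are placeholders.

const EMAIL_ONCE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const EMAIL_ALL = new RegExp(EMAIL_ONCE.source, 'g');
// Query-string keys that typically carry PII or an order reference (constructed list).
const PII_PARAM = /^(e-?mail|order(_?id|_?number|_?no)?|phone|name|postcode)$/i;

// Returns a copy of the URL with PII-bearing parts replaced by "redacted".
function scrubPiiFromUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Path: mask anything that looks like an email, and the segment after /order/
  // so that an order-confirmation URL no longer carries the order number.
  url.pathname = url.pathname
    .replace(EMAIL_ALL, 'redacted')
    .replace(/(\/order\/)[^/]+/i, '$1redacted');
  // Query string: mask by parameter name, or by value when it looks like an email
  // (a search box or an unsubscribe link will happily put one in ?q= or ?u=).
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_PARAM.test(key) || EMAIL_ONCE.test(value)) {
      url.searchParams.set(key, 'redacted');
    }
  }
  url.hash = ''; // fragments are never needed for page analytics
  return url.toString();
}

// True when scrubbing changed anything, i.e. the raw URL should not be sent as-is.
function urlContainsPii(rawUrl) {
  const original = new URL(rawUrl);
  original.hash = '';
  return scrubPiiFromUrl(rawUrl) !== original.toString();
}

// gtag.js config for a page view. anonymize_ip, allow_google_signals and
// allow_ad_personalization_signals are documented gtag.js parameters; the
// tracking ID below is a placeholder, not a real property.
const TRACKING_ID = 'UA-XXXXXXXX-X';
function buildPageConfig(rawUrl) {
  return {
    anonymize_ip: true,                      // do not send the full visitor IP
    allow_google_signals: false,             // no advertising / remarketing features
    allow_ad_personalization_signals: false, // no personalised-ads signals
    page_location: scrubPiiFromUrl(rawUrl),  // report the scrubbed URL, not location.href
  };
}

// In a browser the call would be:
//   gtag('config', TRACKING_ID, buildPageConfig(window.location.href));
if (typeof window === 'undefined') {
  const sample = 'https://www.example.com/order/10234/confirm?email=bob%40example.com&utm_source=news';
  console.log(urlContainsPii(sample), buildPageConfig(sample));
}
```

Scrubbing before the page view is sent is the point: once an email address or order number has reached Analytics it is stored against the visit, and deleting it afterwards is a support ticket rather than a line of code. The config object only answers question 3 and question 5 for the analytics tag itself; a separate Facebook pixel or Adwords remarketing tag still needs its own consent gate.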

What about Google Adwords?

Compared to Google Analytics, Adwords is simple. If you’re using personalised ads (which is the default and by far the better converting) then it falls under GDPR. Google themselves have declared this as part of their own ad policies.

“To comply, we will be updating our EU consent policy when the GDPR takes effect and the revised policy will require that publishers take extra steps in obtaining consent from their users.”

In short, if on your website or as part of your services with Google Adwords you take advantage of their personalised ads (including remarketing) then you need to ask for explicit consent from your customers as soon as they visit your website. Even if you don’t, the use of Cookies still needs to be explained to your visitors as part of your Cookie Policy.

So what do I actually need to do?

As far as the minimum for the Law is concerned, if after reading the above you find that you use the advanced features of Analytics, transmit PII to Google or use the audience targeting and remarketing elements of Google Adwords, Facebook ads etc., then you need to get consent from every visitor to your website. This can be broken down into the following 4 things.

  1. Add a disclosure notice to new users of your website.
    You’ve probably already seen plenty of these, from the BBC, the Times and the Information Commissioner’s Office. They all have them. They consist of either a bar at the top or bottom of the page or, in some cases, something a little more obvious such as a pop-up or a whole-page ‘gateway’ that you have to accept before being able to access the website. The notice will normally have a short description that declares the website uses Cookies and will follow up with a link to the policy, to check Cookie settings or to accept.
  2. You should break down your cookies into easy to understand categories such as;
    1. Essential – That your website can’t operate without,
    2. Analytical – for services you use to track use of the website,
    3. Advertising – for the likes of Google Adwords, Facebook ads or similar.
  3. Provide a panel for customers to manage and opt-in/opt-out to different categories of Cookie. 
  4. Provide a link for more information such as to your full cookie and privacy policies

All four are jobs for whoever manages your website, such as your digital partner or web developer. You will have to help with number four as you’ll need to put together or supply your privacy policy and help (once you know all of the Cookies you use)
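As an added example (not from the original post and not any consent vendor’s product) of items 2 and 3 above in code, here is a small consent manager in JavaScript: the three cookie categories, a stored decision that defaults to ‘no’ for everything but essential cookies until the visitor explicitly opts in, a withdrawal path for changing their mind later, and a gate that only loads a tag if its category has been consented to. The cookie name, the 180-day re-consent period and the sample tag list are constructed choices for the example, not values from the post.

```javascript
// Added example (not from the original post or any consent vendor): a minimal
// consent manager for the essential / analytical / advertising categories.
// Cookie name, categories and the 180-day re-consent period are constructed.

const CATEGORIES = ['essential', 'analytical', 'advertising'];
const CONSENT_COOKIE = 'cookie_consent';   // placeholder cookie name
const CONSENT_MAX_AGE = 180 * 24 * 3600;   // re-ask after 180 days (policy choice)

// No recorded decision means only essential cookies may be set. A visitor who
// ignores or dismisses the banner has NOT consented to anything.
function defaultConsent() {
  return { decided: false, essential: true, analytical: false, advertising: false };
}

// Read the stored decision from a Cookie header / document.cookie string.
function parseConsentCookie(cookieString) {
  const entry = cookieString.split(';').map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + '='));
  if (!entry) return defaultConsent();
  try {
    const stored = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    return {
      decided: true,
      essential: true,                         // cannot be switched off
      analytical: stored.analytical === true,  // anything but an explicit true is a no
      advertising: stored.advertising === true,
    };
  } catch (_) {
    return defaultConsent();                   // garbled or tampered cookie: no consent
  }
}

// Record an explicit choice from the banner or settings panel. Returns the consent
// object and the Set-Cookie string to apply (document.cookie = setCookie in a browser).
function recordConsent(choices, now = new Date()) {
  const consent = {
    decided: true,
    essential: true,
    analytical: choices.analytical === true,
    advertising: choices.advertising === true,
  };
  const stored = { analytical: consent.analytical, advertising: consent.advertising,
                   at: now.toISOString() };   // when the decision was made, for the audit trail
  const value = encodeURIComponent(JSON.stringify(stored));
  const setCookie = `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
  return { consent, setCookie };
}

// "Change their mind later": withdrawing is just recording an all-off choice.
function revokeConsent(now = new Date()) {
  return recordConsent({ analytical: false, advertising: false }, now);
}

// tags: [{ name, category, load }], the scripts the site wants to run.
// Only essential tags and tags in a consented category are returned.
function allowedTags(consent, tags) {
  return tags.filter((t) => {
    if (!CATEGORIES.includes(t.category)) return false; // unknown category: never load
    return t.category === 'essential' || consent[t.category] === true;
  });
}

// Run the loaders of the allowed tags and return their names (for logging and tests).
function applyConsent(consent, tags) {
  const loaded = allowedTags(consent, tags);
  loaded.forEach((t) => { if (typeof t.load === 'function') t.load(); });
  return loaded.map((t) => t.name);
}

// Constructed tag list. In a browser each load() would inject the vendor script.
const SITE_TAGS = [
  { name: 'session',     category: 'essential',   load: () => {} },
  { name: 'analytics',   category: 'analytical',  load: () => {} },
  { name: 'ads',         category: 'advertising', load: () => {} },
  { name: 'mystery-tag', category: 'unknown',     load: () => {} },
];

if (typeof window === 'undefined') {
  const fresh = parseConsentCookie('sessionid=abc123');             // first visit, no decision
  console.log('first visit loads:', applyConsent(fresh, SITE_TAGS));
  const { consent, setCookie } = recordConsent({ analytical: true });
  console.log('after opting in to analytics:', applyConsent(consent, SITE_TAGS), setCookie);
}
```

In a browser the banner’s buttons call recordConsent, assign the returned setCookie string to document.cookie and then call applyConsent; the settings panel behind the “Cookie settings” link calls the same two functions to change the decision later, and revokeConsent covers the withdrawal case. The property worth checking in any consent tool, bought or built, is the one in defaultConsent: a visitor who never touches the banner must be treated exactly like one who refused, and an unknown or mis-categorised tag must not load at all.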

My view is that it doesn’t matter whether you require consent or not: the best route is transparency, and that is to display a bar and give the customer the option on cookies, the use of Analytics and Adwords.

The thing is that I’m not a marketer, I’m a data protection officer (DPO) with a mixed technical background in cloud servers / PHP development and client services. This means that the idea of losing 90% of analytics traffic isn’t as important to me as it would be to a member of our Marketing team, or as important as not having personalised ads would be to our sales team.

If you’re a DPO like me then you need to remain impartial, weigh up the needs of your company against the privacy needs of the user, and make sure you mitigate or remove as much as possible of the risk that you might breach their rights. You need to make sure you stand your ground and offer the best advice, finding compromise wherever possible, but life will never be the same post-GDPR as it was before.