March 11, 2024

The Types of Web Cookies and What The Law Says

In recent years cookies have become something that we’re all more aware of. Lots of websites present users with cookie information as soon as they load the website. In this post we talk about the types of web cookies, what to do and what not to do when you set up a cookie banner on your site. You may have seen Cookies make the news recently when Oliver Dowden, Secretary of State for Digital, Culture, Media and Sport, hinted at plans for the future of cookies.

Love it or hate it, website owners need to follow certain rules regarding cookies to ensure users are well informed. If they don’t, they could face formal action from the regulator, the Information Commissioner’s Office (ICO) in the UK. Facing formal action is not an empty threat. Recent fines both Google and Amazon have received from the French Data Protection Authority, the CNIL, prove this.

What is a cookie?

Let’s begin by discussing what a cookie is. When a user goes onto a website, a small text file is downloaded onto their device (known as the ‘terminal equipment’), this is a cookie. Cookies can do various things. They can recognise the device a user is on, analyse website traffic, track browsing behaviour and remember what a user put in their basket.

What are the different types of web cookies?

There are a few different types of cookies, which are known as session, persistent and first or third party.

Session and Persistent Cookies

Whether a cookie is known as a ‘session cookie’ or a ‘persistent cookie’ depends on when they expire. If a cookie expires once the user finishes their browser session, this is a ‘session cookie’. If it continues after a browser has been closed, this is known as a ‘persistent cookie’ as it will stay on the users device after they leave the website.

First and Third Party Cookies

A cookie can also be ‘first-party’ or ‘third-party’. A first-party cookie refers to a cookie set by the website which the user is on, whereas a third-party cookie is set by another website. Third-party cookies could include adverts and images from an external site.

What does the law say?

Website owners need to understand what the law requires of them regarding cookies. The main applicable law in this area is the Privacy and Electronic Communications Regulations, which is known as PECR. PECR requires that website owners must state what cookies there are and what they do. They must also gain the user’s consent to store cookies on their device.

As with lots of laws, it’s not completely black and white, there are exemptions when consent is not required. One of these is the ‘communication’ exemption. This is where the cookies are necessary for the transmission of a communication. The other exemption is the ‘strictly necessary’ exemption which allows the website owner to not gain consent when the cookies are essential to what the user has requested. An example of this is when a user adds items to their online shopping basket.

How do you put the law into practice?

Although the law may seem quite straight forward, putting it into practice can be difficult, not all website owners get it right. Here are a few things to avoid:

1) A pop-up banner or message which is designed for desktop and is difficult for a user on a mobile advice to access.

2) A cookie wall which doesn’t allow access without consenting to the cookies. This consent would not be freely given.

3) Any requests for consent where the ‘accept’ button is more prominent than the ‘reject’ button, or the cookies can only be rejected by clicking on a  ‘more information’ button.

4) Automatically administering cookies to the user’s device before they have had the opportunity to provide consent.

Cookie Banner Poor Example One ICO
Cookie Banner Poor Example Two ICO

Images: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/#comply7

Now we know some things not to do, let’s discuss a suitable way for websites to present their cookie information. When going onto a website for the first time, a user should be greeted with cookie information. This information should explain the different types of cookies, for example Necessary Cookies, Analytics Cookies and Tracking Cookies. Under each heading there should be an explanation of what these do. It should be clear how the user consents or rejects to each of these. For further information for the user, a cookie policy is always a good idea. This should be separate to any terms and conditions or privacy notices.

Summary

If a user can see that a website owner is taking their legal responsibilities seriously and giving the user a real choice about cookies that are stored on their device, this enhances trust and confidence in the website, as well as avoiding formal action from the regulator, which can be as serious as monetary penalties.

If you’d like any assistance with cookies or your cookie policy please contact us or for anything else related have a look at our Data Protection Services.

Georgia Booler
Data Protection Advisor