2023 Ultimate Guide To Website Cookies
When visiting a website, more often than not, you are presented with the option of accepting cookies before you can browse for whatever it is you are looking for. In 2011, changes to UK and EU legislation (the amended ePrivacy Directive, implemented in the UK through PECR) made obtaining user consent for cookies a legal requirement for websites.
As a result, most users will be all too familiar with those rather annoying pop-ups that appear saying “please select your cookie preferences”. But what exactly are cookies, and why is it important that site owners understand them better?
In this article we will cover:
- What are web cookies?
- Why do website owners need to know about cookies?
- How do cookies work?
- Different types of cookies
- The importance of obtaining “consent”
- The importance of using the correct design approach to cookie consent banners
- Can you use “legitimate interests” as justification for installing cookies on a device?
- Are cookies “bad”?
- How long do, or should, cookies last before they expire?
- Do I need to have a cookie policy on my website or app?
What are web cookies?
Web cookies are small pieces of data that a website asks your browser to store on your device, and that the browser sends back to that site on later requests. If you have ever ticked “Remember me” on a login form, for example, your preference (or a token representing it) was saved in a cookie.
They are a fundamental part of using the internet and range from essential cookies which are required for sites to function, to optional cookies which can enhance the user experience.
Why do website owners need to know about cookies?
Quite simply, website owners have a legal obligation (under Regulation 6 of the Privacy and Electronic Communications Regulations (PECR)) to comply with the legislation governing cookie usage, both here in the UK and potentially internationally. If a company does not comply, its reputation as a trusted, reliable service and its brand image become tainted. Companies must show they care about each user’s data. Understanding cookies also adds value to the company: cookies can provide a better, more personalised experience, ultimately leading to more conversions, and they improve the business’s analytics, supporting its growth.
Website owners, as the Data Controller, must also ensure that their use of cookies complies with PECR.
PECR governs the use of cookies and related technologies, covering areas such as:
- Electronic marketing (texts, calls, emails)
- The use of cookies to track user behaviour
- Security of online communications
- Privacy of customers using the communications services
Failing to meet these requirements for your website can result in a violation of PECR, and of the UK GDPR where cookie consent is invalid, leading to a fine.
Data protection legislation varies around the world, and websites and apps are used globally, so cookie requirements in each market must be considered. This is particularly important if you run country-localised websites, for example a site that adapts its content and preferences to its audience depending on the country. Referencing the Two Birds Global Cookie Review, a cookie placed without consent in the UK is a cause for concern, yet it poses a “lower risk” if placed in Hungary.
How do cookies work?
A cookie is a small piece of state that a web server asks the browser to keep and to send back on later requests. Step by step:
- The user visits a website on a device (phone, tablet, laptop, desktop) using a web browser.
- When they first land on a page that uses cookies, they should be presented with the option to accept, decline or set their preferences for cookies. This is normally managed by a dedicated cookie tool.
- The server then sets the cookies it is allowed to set (strictly necessary ones always; optional ones only if accepted) by including a Set-Cookie header in its response, or a page script does so via document.cookie. The browser stores each cookie as a name-value pair (e.g. a user ID or a preference) together with attributes such as its expiry and the site it belongs to.
- On every subsequent request to that site, the browser automatically sends the matching cookies back in the Cookie header. This is how a site keeps track of login status, shopping baskets and, via an identifier that the site links to its own records, the pages a user has viewed.
- When the user leaves and returns later, any persistent cookie that has not expired is still sent, so the site recognises the returning user and can restore their preferences.
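The exchange described in the steps above, as an added example that is not part of the original article: a small JavaScript model of the browser side. The server responds with Set-Cookie headers, the browser keeps them in a jar and sends the surviving ones back in the Cookie request header on the next request; closing the browser discards the session cookies (those with no Expires or Max-Age) and keeps the persistent ones. The cookie names and values are constructed for the example.

```javascript
// Added example, not code from the original article: a model of the
// browser side of the cookie exchange. The cookie names/values below are
// constructed for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse one Set-Cookie header value into { name, value, expires }.
// expires === null means a session cookie (no Max-Age and no Expires).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;                       // malformed: no cookie name
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), expires: null };
  let maxAge = null, expiresAt = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age') maxAge = parseInt(val, 10);
    else if (key === 'expires') expiresAt = Date.parse(val);
  }
  // RFC 6265: Max-Age wins when both attributes are present.
  if (Number.isInteger(maxAge)) cookie.expires = now + maxAge * 1000;
  else if (expiresAt !== null && !Number.isNaN(expiresAt)) cookie.expires = expiresAt;
  return cookie;
}

// The browser's cookie jar for one site: a Map from cookie name to cookie.
function storeResponseCookies(jar, setCookieHeaders, now) {
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header, now);
    if (!c) continue;
    // Max-Age=0 (or a past Expires) is how a server tells the browser to delete a cookie.
    if (c.expires !== null && c.expires <= now) jar.delete(c.name);
    else jar.set(c.name, c);
  }
  return jar;
}

// Build the Cookie request header for the next request, dropping expired cookies.
function cookieHeaderFor(jar, now) {
  const parts = [];
  for (const [name, c] of jar) {
    if (c.expires !== null && c.expires <= now) { jar.delete(name); continue; }
    parts.push(`${name}=${c.value}`);
  }
  return parts.join('; ');
}

// Closing the browser discards session cookies; persistent ones survive.
function closeBrowser(jar) {
  for (const [name, c] of jar) if (c.expires === null) jar.delete(name);
  return jar;
}

// Walk through a first visit, a request in the same session, and two later visits.
function demo() {
  const t0 = Date.parse('2023-06-01T10:00:00Z');
  const jar = new Map();
  storeResponseCookies(jar, [
    'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',    // session cookie
    'remember_me=tok42; Max-Age=2592000; Secure; HttpOnly',         // 30 days
    'cookie_consent=v1:essential; Max-Age=31536000; SameSite=Lax',  // 1 year
  ], t0);
  const sameSession = cookieHeaderFor(jar, t0 + 60 * 1000);
  closeBrowser(jar);
  const nextDay = cookieHeaderFor(jar, t0 + DAY_MS);
  const afterTwoMonths = cookieHeaderFor(jar, t0 + 60 * DAY_MS);
  return { sameSession, nextDay, afterTwoMonths };
}
```

Running `demo()` shows the three behaviours in turn: during the first session all three cookies are sent back; after the browser is closed the session cookie is gone but the 30-day and 1-year cookies are still sent the next day; two months later only the 1-year cookie remains.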
Different types of cookies
Cookies can serve different purposes depending on what needs to be achieved. Some are essential for a website or app to function correctly; others collect analytics data that marketing teams use to improve the site, or support features such as remembering a chosen country. Let’s take a closer look at each below.
Types of cookies include:
Essential cookies: a cookie that is required for the website to function. An example would be a cookie which is used to store any items you have added to your online shopping cart.
Analytic cookies: sometimes also referred to as “performance cookies” or “statistical cookies”, these cookies share data with analytical tools such as Google Analytics and provide technical and marketing teams with a wealth of data ranging from how users arrive at the website, what pages are typically viewed, whether they made a purchase, whether they’ve made repeat visits to the website, and more. Not having the ability to use analytic cookies has a significant negative impact for most marketing teams, but that’s a discussion for another time!
Functional cookies: offer users additional features, such as remembering a country preference, that are not essential for the site to function
Marketing cookies: often from third-party companies, they are used to target advertising to the user based on their behaviour
Magic cookies: this is just another name for “cookies” and isn’t a term which is actually used very often
Session cookies: cookies set with no Expires or Max-Age attribute. They persist only whilst the web browser or app is open; as soon as the browser or app is closed, they are deleted. Session cookies are therefore used where you only need to store data temporarily for that user’s current session. All other cookies are called “persistent cookies”
Persistent cookies: cookies set with an expiry (Expires or Max-Age). They persist across user visits until they expire, the user clears them, or the site updates or deletes them. With the exception of session cookies above, most cookies fall into the category of persistent cookies
First-party cookies: cookies that are from the website the user has directly visited
Third party cookies: cookies which are set by and share data with a third-party. These are most often associated with ads, and are therefore often referred to as “targeting cookies”, but strictly speaking third-party cookies are not limited to marketing alone
The importance of obtaining “consent”
It is really important that a user grants their consent before you store any non-essential cookie on their device. This requires the user to perform a “positive action”, such as clicking a button, to allow cookies to be saved on their device. In the UK, you are not allowed to block access to a website or app purely because a user has withheld their consent to non-essential cookies.
Similarly you cannot use “passive consent” such as displaying a message stating “By continuing to use this website, you consent to us using cookies”
Many websites use third-party cookie management tools to help provide both the cookie management capability, and to ensure compliance. Each has their own way to display cookie preference options.
The following are the most common approaches to rendering cookie consent banners:
- A very simple cookie consent pop-up with the option to just “accept” or “decline” all cookies. Here’s an example from Facebook:
Surprisingly, given the size of Facebook, this approach isn’t compliant with the PECR, and as the ICO are planning to crack down on non-compliance it could result in Facebook receiving a reprimand.
- A moderately simple consent banner which allows you to specify your preference for different types of cookies, such as functional cookies, performance (analytics) cookies, marketing (retargeting) cookies, etc. Here is an example from Wiley publishing:
This would be our recommended approach, as it provides a nice balance between being easy to understand and quick to use, yet also gives users control over specific cookie types.
- Some sites display a cookie banner with options pre-ticked, and the user only has to click a button that confirms all of the options. This is not allowed under the legislation, and yet it’s still sadly commonplace and even used by big-name brands who really should know better! Here is an example from the Daily Mail:
- In addition, some sites pre-tick all “vendors” without a clear or obvious way to untick each. Here is another example from the Daily Mail.
Notice how the “Allow all” button is green and prominent, yet the “All off” option is hardly visible. (In case you’re struggling to find it, it’s just above the first green toggle button, but in a very small and light grey font. Arguably this also wouldn’t comply with UK accessibility legislation, but that’s a whole different topic!)
If you are unable to find the “all off” option you may try to opt-out of each. Unfortunately, that isn’t easy as at the time of writing, there are over 1,430 companies listed!
If you’re unsure of which approach to use, why not book onto our Cookie compliance for websites and apps training course.
The importance of using the correct design approach to cookie consent banners
For too long, sites have been free to choose whichever approach they like without much fear of a reprimand from the ICO. However, that is set to change.
The ICO has recently announced that it will be assessing the cookie banners of high-profile sites within the UK and taking action where harmful design is affecting users.
They will be clamping down especially on sites whose cookie consent banners are designed to put the needs of the site owner above those of the Data Subject. Some examples of the things they will be checking for include:
- Using language to imply there’s a wrong choice (e.g. “By not accepting cookies, you may not get the full benefits of this site and could be missing out” etc)
- Using colours to imply a right or wrong choice (e.g. using a green “Accept cookies” button - See the Daily Mail example above - the options to accept cookies or reject cookies should be neutral)
- Unclear toggle options (e.g. some sites use grey both for when the toggle is to the left, and when the toggle is to the right, and don’t provide a way of knowing whether you’ve set your preferences to accept or reject)
- Using other design approaches to distort users choices (e.g. making “Reject all” or “All off” text hard to find - see the Daily Mail example above)
Can you use “legitimate interests” as justification for installing cookies on a device?
Consent to place non-essential cookies must meet the UK GDPR standard. You cannot rely on “legitimate interests” instead: PECR requires consent for any cookie that is not strictly necessary, and legitimate interests is not an available alternative basis. You are, however, allowed to set “essential” (strictly necessary) cookies without consent.
Some examples of essential cookies include:
- User Input - If your online service uses a session cookie to track user input for specific functions of your service (e.g., a shopping basket or completing a form)
- Authentication - First-party cookies used for security purposes can rely on the strictly necessary exemption; for example, cookies used to detect repeated failed login attempts
All other types of cookies require consent including third-party cookies.
In fact, the blocking of third-party cookies has been a significant headache for the advertising industry and website owners for years, because third-party cookies have traditionally been used for cross-site tracking by advertising and some analytics products. Safari and Firefox were the first browsers to block third-party cookies by default; Google has announced that Chrome will phase them out too, although its timeline for doing so has been pushed back more than once.
As a result, the industry as a whole has had to look for other ways to provide (for example) audience data without relying on third-party cookies, such as Google’s FLoC (Federated Learning of Cohorts), but even that faced controversy and was replaced by the Topics API.
How do cookie tools work?
Cookie tools start by scanning your website to identify which cookies it sets, and which of them are set by third parties.
They then work as follows:
- Implement a cookie consent banner: a pop-up based box that appears at the bottom or centrally on the user’s page when they visit the website, making them aware that the site uses cookies and asking them to select their preferences. Provide concise information about the purpose of the cookies.
- Create preferential settings: generate options for the user to enable or disable types of cookies, such as analytical or marketing.
- Store the preference information: once the user has chosen which types of cookies to enable or disable, record that choice, typically in a first-party cookie and/or on the server, so it can be read on later visits.
- Observe the changes: monitor the user’s preferences and update any cookie settings that are required. In the event that a user changes their preferences on the website, update the cookie settings accordingly for their next visit.
These steps must be followed in compliance with the PECR and the UK GDPR.
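The preference-storing and gating steps above, as an added example that is not from the original article or from any vendor’s consent tool: the decision logic in JavaScript. Consent is recorded in a first-party cookie; the cookie name `consent`, its `v1.<timestamp>.<categories>` format and the one-year validity window are assumptions made for this example. Anything not explicitly granted is treated as refused, so no choice, an unreadable record or a record older than a year all mean the banner is shown again and only essential cookies run.

```javascript
// Added example, not code from the original article or any consent vendor.
// Cookie name, record format and validity window are assumptions.

const CONSENT_COOKIE = 'consent';
const CONSENT_VALID_MS = 365 * 24 * 60 * 60 * 1000;   // re-ask at least yearly
const OPTIONAL_CATEGORIES = ['functional', 'analytics', 'marketing'];

// Read the consent record out of a raw Cookie request header.
// Returns null when there is no valid, unexpired record: consent is unknown.
function readConsent(cookieHeader, now) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    const m = /^v1\.(\d+)\.(.*)$/.exec(part.slice(eq + 1).trim());
    if (!m) return null;                                  // unrecognised format: ask again
    const grantedAt = Number(m[1]) * 1000;
    if (now - grantedAt > CONSENT_VALID_MS) return null;  // stale: ask again
    const granted = new Set(m[2].split(',').filter(c => OPTIONAL_CATEGORIES.includes(c)));
    return { grantedAt, granted };
  }
  return null;
}

// Which categories of cookie/script may run for this request?
// Essential is always allowed (no consent needed). Every other category
// needs an explicit grant, so unknown consent blocks all optional ones:
// "continuing to browse" never turns anything on.
function allowedCategories(consent) {
  const allowed = { essential: true };
  for (const c of OPTIONAL_CATEGORIES) allowed[c] = consent !== null && consent.granted.has(c);
  return allowed;
}

// Build the Set-Cookie header that records the user's choice. The toggles
// the user saw default to off, so only categories they switched on are recorded.
function consentSetCookie(choices, now) {
  const on = OPTIONAL_CATEGORIES.filter(c => choices[c] === true);
  const value = `v1.${Math.floor(now / 1000)}.${on.join(',')}`;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_VALID_MS / 1000}; Path=/; Secure; SameSite=Lax`;
}

// Does the banner need to be shown on this request?
function needsBanner(cookieHeader, now) {
  return readConsent(cookieHeader, now) === null;
}
```

In use, a page handler calls `needsBanner` to decide whether to render the banner, `allowedCategories` to decide which tag categories to emit, and `consentSetCookie` when the user submits their choices. Because the record carries the time it was granted, changing the validity window or the format version invalidates old records and the banner is simply shown again.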
Are cookies “bad”?
Cookies are data, not code: a cookie cannot run anything on the user’s device, so on its own it does no harm to a website or the device. The real risk is the value a cookie carries. A session or “remember me” cookie is effectively the user’s logged-in identity, so an attacker who steals it (through a cross-site scripting flaw, a network eavesdropper on a plain-HTTP connection, or malware on the device) can take over that session without ever knowing the password; and because the browser sends cookies automatically, a malicious site can trigger requests that ride on them unless the cookie is marked SameSite (cross-site request forgery). These risks are managed by the site owner rather than the user: serve the site over HTTPS, set the Secure and HttpOnly attributes on session cookies, set SameSite, keep lifetimes short, and never store credentials or sensitive personal data in a cookie. Encrypting or signing cookie values, as many web frameworks do, stops tampering but does not stop a stolen cookie from being replayed.
How long do, or should, cookies last before they expire?
Depending on the type of cookie, a lifetime can range from minutes to hours to a year. Browsers that follow the updated cookie specification (Chrome among them) cap a cookie’s lifetime at 400 days, clamping any longer Expires or Max-Age. The real question for the site owner is whether a cookie needs to hold its data for that long. Does a user’s “remember me” login really need to survive a year? How long should a shopping cart hold its items? The lifetime must make sense for the user as well as the website owner, and for session identifiers in particular a shorter lifetime limits what an attacker can do with a stolen cookie.
Session cookies last only as long as the browser is open and are deleted when the user closes the browser (or, in an app, exits it). Persistent cookies keep their saved information after the site is closed, until they expire.
The cookies used on a website must also comply with data protection guidance. There is no fixed legal period after which consent expires, but it should be refreshed periodically; re-asking at least once a year is common practice, and many sites re-ask sooner.
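Both the cookie-attribute protections discussed under “Are cookies bad?” and the lifetime question above, in one added example that is not from the original article: a JavaScript check a reviewer can run over the Set-Cookie headers a site returns. It flags a missing Secure attribute, a missing HttpOnly attribute on cookies the caller marks as carrying a session or authentication token, a missing SameSite attribute, SameSite=None without Secure, and a lifetime over the 400-day cap. The sample headers are constructed.

```javascript
// Added example, not code from the original article: audit Set-Cookie
// headers for the attributes that limit what a stolen or forged cookie can do.
// Sample headers below are constructed for illustration.

const MAX_COOKIE_DAYS = 400;        // cap from the updated cookie spec; Chrome clamps longer values
const DAY_S = 24 * 60 * 60;

// Split "name=value; Attr; Attr=val" into the cookie name and a map of
// lower-cased attribute names (valueless attributes map to true).
function parseAttributes(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return { name: eq > 0 ? pair.slice(0, eq) : pair, attrs };
}

// Lifetime in days implied by Max-Age (takes precedence) or Expires; null = session cookie.
function lifetimeDays(attrs, now) {
  if ('max-age' in attrs) return parseInt(attrs['max-age'], 10) / DAY_S;
  if ('expires' in attrs) {
    const t = Date.parse(attrs.expires);
    return Number.isNaN(t) ? null : (t - now) / 1000 / DAY_S;
  }
  return null;
}

// Audit one Set-Cookie header. `sensitive` marks cookies that carry a
// session or auth token, where HttpOnly is expected; preference cookies
// that page scripts legitimately read may omit it.
function auditSetCookie(header, { now, sensitive = false } = {}) {
  const { name, attrs } = parseAttributes(header);
  const findings = [];
  const secure = 'secure' in attrs;
  if (!secure) findings.push('missing Secure: cookie is also sent over plain HTTP');
  if (sensitive && !('httponly' in attrs)) findings.push('missing HttpOnly: readable by injected script (XSS)');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) findings.push('missing SameSite: only some browsers default to Lax');
  else if (sameSite === 'none' && !secure) findings.push('SameSite=None requires Secure; browsers reject this cookie');
  const days = lifetimeDays(attrs, now);
  if (days !== null && days > MAX_COOKIE_DAYS) findings.push(`lifetime ${Math.round(days)} days exceeds the ${MAX_COOKIE_DAYS}-day cap`);
  return { name, days, findings };
}

// Run the audit over a constructed set of response headers.
function demoAudit() {
  const now = Date.parse('2023-06-01T10:00:00Z');
  return [
    auditSetCookie('sessionid=abc123; Path=/', { now, sensitive: true }),                          // weak
    auditSetCookie('sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax', { now, sensitive: true }), // hardened
    auditSetCookie('_tracker=xyz; Max-Age=63072000; SameSite=None; Secure', { now }),            // 730 days
  ];
}
```

The first header in `demoAudit` is the weak form a session cookie often takes and produces three findings; the second is the same cookie hardened and produces none; the third is attribute-correct but asks for a two-year lifetime that the browser will clamp anyway.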
Do I need to have a cookie policy on my website or app?
Any website that sets cookies or otherwise collects data from its visitors must have a cookie policy. This can either be a dedicated page, or it can form part of your privacy policy. If your website does not use cookies, a cookie policy is not required.
Access our cookie compliance training course today
To gain more information and understanding about web cookies for websites and apps, access our cookie compliance training course today.