Having adopted a cookie policy some time ago, many businesses have failed to update their policy to take account of recent legal changes.

If your cookie policy does not already do so, it should include an information notice on cookies, to distinguish between the different types, such as strictly necessary, analytical/performance, functionality, targeting and social media cookies.

Since the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force, website owners have needed to provide a clear, comprehensive and visible notice on the use of cookies. The information must be provided at the time and place where and when consent is sought, such as by using a banner or pop-up on the first web page that the user sees.

The necessary information to be provided to a user includes the cookies used and their purposes, whether any third party cookies are to be used, the expiry date of each cookie and information about how to accept all, some or no cookies and how to change preferences in the future.

Given the level of detail required, many cookie policies adopt a layered approach. This involves a pop-up, banner or similar, linked to the cookie policy, with different layers of detail, which is used to provide the information and obtain consent.

One of the important changes is regarding consent. Cookie policies must meet the standard required by the GDPR, which defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her.”

This requirement means that consent mechanisms such as (a) stating that by continuing to use the website, the user will have consented to cookies, (b) relying on pre-existing browser settings, (c) using a pre-ticked consent box or (d) relying on silence or inactivity, will not be valid.

A cookie policy which emphasises “agree” or “allow” over “reject” or “decline” will not be compliant, as it will be seen as influencing users towards acceptance.

Similarly, the use of a cookie wall – which bans access to a website until cookies are accepted – does not amount to a valid consent. A user must still be able to access the website, even if they do not consent to cookies (but you can, of course, say that, if certain cookies are not accepted, functionality may be affected).

It is important to note that the consent to the placement of cookies must be obtained before the cookie is placed and before information stored on the user’s device is collected.

Users must be given control over whether they accept non-essential cookies, and such cookies should not be placed on the landing pages until the user has consented to them. Any consent mechanism must also include the means by which the user can withdraw consent at any time.

Website owners must be able to demonstrate that consent was given.

Websites should also give the option for users to accept or reject particular types of cookies, rather than all cookies.

In summary, you should consider the following check list for your cookie policy:
• Audit the cookies used on your website and categorise them
• Are they first-party or third-party cookies?
• Are they persistent or session cookies?
• Use a cookie banner or pop up on your website to give necessary information and to get consent, with a link to your cookie policy
• Ensure you have a mechanism for users to change preferences and withdraw consent
• Keep a record of consent (including who consented, when, what information they were given, how they consented and if consent has been withdrawn).
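The rules above (nothing beyond strictly necessary cookies before an affirmative act, per-category choices, withdrawal at any time, and a record of who consented, when, to what notice and how) can be modelled in a small consent-state module. The following is an added example, not code from the article; every function and field name is an assumption, and `jar` stands in for the browser's cookie store.

```javascript
// Added example (not from the article): a minimal consent-state model for the
// rules above. Only strictly necessary cookies are allowed before the user acts;
// every other category is off by default (no pre-ticked boxes, no consent from
// silence), consent can be withdrawn, and each decision is logged with who, when,
// which notice version they saw and how they chose. All names are assumptions.
const CATEGORIES = ["necessary", "analytics", "functionality", "targeting", "social"];

function defaultConsent() {
  // Silence, inactivity or "continuing to browse" grants nothing beyond necessary.
  return { necessary: true, analytics: false, functionality: false, targeting: false, social: false };
}

function recordConsent(log, choices, meta) {
  // Only an explicit boolean true per category counts as a clear affirmative action;
  // a missing key or any other value is treated as a rejection of that category.
  const state = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== "necessary") state[c] = choices[c] === true;
  }
  log.push({
    userId: meta.userId,               // who consented
    at: meta.now,                      // when (ISO timestamp supplied by the caller)
    noticeVersion: meta.noticeVersion, // what information they were given
    method: meta.method,               // how they consented, e.g. "banner-button"
    choices: { ...state },
    withdrawn: false,
  });
  return state;
}

function withdrawConsent(log, meta) {
  // Withdrawal resets everything non-essential and is itself part of the record.
  const state = defaultConsent();
  log.push({ userId: meta.userId, at: meta.now, noticeVersion: meta.noticeVersion,
             method: meta.method, choices: { ...state }, withdrawn: true });
  return state;
}

function setCookieIfAllowed(state, jar, cookie) {
  // Gate every Set-Cookie on the current consent state; `jar` stands in for the
  // browser's cookie store. Unknown categories are never allowed.
  if (state[cookie.category] !== true) return false;
  jar.push({ name: cookie.name, value: cookie.value, expires: cookie.expires });
  return true;
}
```

In a real site the `log` entries would be persisted server-side so that consent can be demonstrated later, and the banner's "reject all" path simply calls `recordConsent` with an empty choices object.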