Cookies — tasty treat or nefarious data gatherers?

website cookies and data protection

What are website cookies and how are they used?

Cookies — either a tasty little treat or … data generated by a website and saved by your web browser to make the website work properly and/or remember information about you. I’m fond of the first but dislike many of the second.

Here’s a recent example of a cookie pop-up that isn’t compliant with the law. So what’s wrong with it?

(I’ve redacted the name of the company — it’s not fair to ‘name and shame’ even though they should know better.)


When should I not accept cookies?

This is what’s wrong:

1. Functional cookies (the ones that are required to make the website work) don’t require consent. All other cookies require consent. You should ask the user if they consent to or decline your cookies and not set any non-functional cookies without consent.

2. Cookies that ‘enhance your browsing experience’ are not functional cookies and require consent from the user before they can be set.

3. ‘Continued use of this website indicates that you accept this policy’ isn’t appropriate. You can’t show consent if you only provide information about cookies as part of a privacy policy that is unavailable. In addition, you can’t set non-functional cookies before the user has agreed to them. Consent must be a clear and deliberate action — simply continuing to use the website isn’t consent.

4. The ‘policy’ link was broken.
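
One way a site can enforce points 1 to 3 in code, as an added example that is not from the original post or the website it discusses: functional cookies are written straight away, everything else is held until the user clicks an explicit control, and "continued use" is never treated as consent. The category names, cookie names and the `source` labels are assumptions made for illustration.

```javascript
// Added example. Category and cookie names are constructed for illustration.
const FUNCTIONAL = "functional"; // needed for the site to work: no consent required

function createConsentGate(writeCookie) {
  const granted = new Set(); // categories the user has actively accepted
  let held = [];             // non-functional cookies waiting for a decision

  const write = ({ name, value }) =>
    writeCookie(`${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);

  // Returns true if the cookie was written, false if it was held back.
  function setCookie(name, value, category) {
    if (category === FUNCTIONAL || granted.has(category)) {
      write({ name, value });
      return true;
    }
    held.push({ name, value, category });
    return false;
  }

  // `source` says how the choice was made. Only a click on an explicit
  // accept/decline control counts; scrolling or continued browsing does not.
  function recordChoice(category, accepted, source) {
    if (source !== "explicit-click") return false;
    const mine = held.filter((c) => c.category === category);
    held = held.filter((c) => c.category !== category);
    if (accepted) {
      granted.add(category);
      mine.forEach(write); // release what was waiting
    } else {
      granted.delete(category); // declined: held cookies are discarded
    }
    return true;
  }

  return { setCookie, recordChoice, heldCount: () => held.length };
}

// Constructed demo: an array stands in for the browser's cookie store.
function demo() {
  const jar = [];
  const gate = createConsentGate((c) => jar.push(c));
  gate.setCookie("session", "abc123", FUNCTIONAL);   // written immediately
  gate.setCookie("ad_id", "x9", "advertising");      // held
  gate.setCookie("ui_theme", "dark", "preferences"); // held: 'enhances experience'
  gate.recordChoice("advertising", true, "continued-browsing"); // ignored
  const beforeClick = jar.length;
  gate.recordChoice("preferences", true, "explicit-click");  // released
  gate.recordChoice("advertising", false, "explicit-click"); // discarded
  return { beforeClick, jar, held: gate.heldCount() };
}
```

In a browser the gate would be created with `(c) => { document.cookie = c; }` as the writer, and `recordChoice` would be called only from the click handlers of the banner's accept and decline buttons.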


How do businesses use cookies to track you?

Continuing on my ‘cookie’ theme… the Telegraph has over 150 ‘partners’ who are putting cookies on your device and saying that it’s their ‘legitimate interest’ to do so.

You will recognise a few of these, like eBay, Google and Facebook, but likely won’t have heard of the rest. The first photo is an example of the diverse vendors and the second shows what one of these cookies does, including measuring its ad performance using your precise geolocation (which is personal data).

These partners should be getting your consent to set cookies — they can’t rely on legitimate interest. You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given. There is an exception for cookies that are essential to provide an online service. All this is set out in Regulation 6 of PECR.

Here are the morals of the story —
1. Don’t agree to cookies. Go and turn them off. Yes, it’s a pain and is time-consuming, but it’s worth it.
2. Know the law on cookies and other technologies.



Fancy a chat about cookies and data protection? Talk to the team at Sapphire – Data Protection Consultants

We’re here to help every step of the way, so contact us and book a free consultation today!
