Initially the legislation was interpreted in multiple ways, depending on how much risk a business chose to take. Some businesses used a default opt-in policy, meaning that cookies would not be placed on users’ browsers unless explicitly permitted. Others used a default opt-out policy, meaning that cookies are placed on users’ browsers until they turn them off.
We are now finding a movement towards the strongest interpretation of the legislation, where companies are following the opt in model.
We are also finding some of our advertising partners are taking a strong stance on ensuring that opt in is followed before advertising activities are allowed.
You will no doubt have noticed the rise of cookie pop ups since the UK GDPR regulation came into force and how these pop ups have evolved to provide more control to users around which cookies they enable, and therefore which personal data they share.
Essential vs Non-Essential Cookies
Cookies can be defined by two broad categories: those that are essential for the site to function correctly and those that are non-essential.
Essential cookies are ones in which the website will not function without them being used. These would include essential cookies like the ones set when logging in to a website, without which it wouldn’t be possible to login.
Non-essential cookies are ones where the site will function perfectly fine without them. These include cookies like Google Analytics, and advertising cookies.
What is the difference between opt in and opt out?
The opt-in method is where non-essential cookies are not set when the website first loads, and the user can choose to accept to use the cookies.
The opt-out method is where non-essential cookies are set when the website first loads, and the user can opt out.
The UK GDPR regulation is clear: users must not have any non-essential cookies set without them opting in to these cookies.
The Challenge for Marketers
As marketers, we have become reliant on the sharing of personal data for such purposes as measurement through Google Analytics or remarketing advertising. The Age of Privacy is putting more control back in users hands, so this naturally poses a challenge for traditional marketing methods.
For example, users may choose to opt out from all measurement cookies, which would mean that Google Analytics data cannot be captured for these users, giving an incomplete sample of website usage data.
Hallam’s Recommendation
In order to ensure compliance with the UK GDPR regulation, provide users the level of choice of cookies and data sharing that they expect in the Age of Privacy, and ensure that we are able to continue using advertising platforms with a strict policy on cookie compliance, we recommend the following approach.
A balance must be struck to allow users who don’t need the control over cookies to quickly proceed with using the website and avoid frustration on the one hand and provide options for those who do wish to control cookies on the other.
- On their first visit to your website, users should encounter a blocking pop up which makes it clear what cookies you would like to use.
- The user should not be able to interact with the website until action has been taken and cookies should not be created until the user has made a choice.
- The pop up should provide a link to your cookie policy and also clearly provide options for users to opt in to non-essential cookies.
- Two calls to action should be provided. See figure 1 as an example of good practice.
- The first view of the modal should provide a clear “Accept” call to action which provides opt in and setting of all cookies.
- A secondary call to action which allows users to pick which cookies they prefer.
- For non-essential cookies, we recommend categorising them under different categories, such as Performance, Measurement, Advertising and any other relevant categories. See Figure 2 as an example of how the RHS handle this and good practice.
- Your cookie policy should contain a list of cookies and their purpose. The ICO’s own Cookie Policy is a good example to follow.