Recent research has shown that upwards of 80% of European websites don’t comply with current data protection laws in respect of cookie protection and usage issues. Privacy policy failure rates are marginally better.
This figure is staggering, yet unsurprising. According to their recent press release, even the ICO seems to have been waylaid in the minefield of website compliance to date. A website is often the first impression a customer has of a business – the shop window into your organisation’s goods or services. It also represents your approach to data protection, so why leave it broken?
Glass-shattering cookies
The ICO’s recent update to their guidance on cookies has come as a surprise.
The biggest change to highlight is the requirement that your landing page must only have ‘necessary’ cookies in operation. If you run ‘analytical’ or any other ‘non-essential’ cookies, they must be deactivated unless and until the user provides positive consent, via a mechanism that the data subject controls. That control is solely to permit the operation of ‘analytical’/‘non-essential’ cookies. Even the ICO’s own website previously fell short of this guidance.
Consent is necessary for all ‘non-essential’ cookies: they must not be pre-enabled, and pre-ticked boxes (or equivalents) cannot be used to give consent for ‘non-essential’ cookies. Your users must have control over the acceptance of all ‘non-essential’ cookies. However, consent is not required for cookies that are essential to providing the service requested by the user (note the use of essential rather than helpful or convenient).
The ICO has not given definitive guidance on the use of cookie walls; however, it considers it unlikely that blanket statements will be capable of providing positive consent. That means statements such as “by continuing to use this website, you are consenting to the use of our cookies” are now likely to be considered insufficient. The ICO’s recent blog post (Cookies – what does ‘good’ look like?) states that more guidance is to follow. It is also unlikely that you can incentivise acceptance.
Fix the window and clean the glass
In many ways, the new guidance will make it easier for organisations to fit and frame their policies correctly the first time: the information provided in your privacy policy must be visible, clear and simple, including information about the cookies you are using.
The ICO has said that when it comes to your privacy policy it must be easy to read and simple to understand. Even if you provide all the details of your processing relating to personal information, you may still fail to meet the transparency requirements if your policy and notice are not succinct and user-friendly.
Before diving in, you should also consider whether you need to conduct a cookie audit to identify the cookies you use, their purposes, the information collected, their nature, whether your consent mechanism allows users to control their settings, etc., in preparation for your new or updated policies.
Dress your window accordingly
At the heart of this change in interpretation is the requirement to be honest about what you do and don’t do with personal data. How are you going to achieve compliance and bring cookies to your users’ attention? Some things to consider are:
- User experience and the platforms on which your users will be accessing your website. Will the privacy/cookie notice that is appropriate on a desktop or laptop device have the same visibility and legibility on a mobile device?
- Keeping it simple and effective. When seeking to keep your policy simple, it may be appropriate to provide a link to additional information or a contact number for your data protection lead, where a more in-depth explanation can be obtained about the more complicated areas of processing you undertake.
- Clarity for children. If you are processing children’s data, you must ensure that your privacy policy is written or provided in such a way that a child (or a member of your target audience) can easily understand the content and their rights in respect of the data you process.
Shop maintenance
You should review your data protection policies regularly.
We can help you to comply with the requirements under data protection legislation by offering support and guidance through this process, and we have a selection of fixed-price and flexibly priced options, ranging from template compliance guidance to drafting bespoke policies.