Cookie Law & The 'Cookieless' World
Learn about cookie compliance & how important it is in today’s privacy-focused world.
If you own or operate a website, chances are you’ve heard of Cookie Laws and the importance of compliance. What you might not be aware of is that things are changing. Google has announced that it will officially begin phasing out third-party cookies on its Chrome browser in the second half of 2024. This is a result of consumers becoming more aware of the amount of data that companies are collecting on them. Google and other tech giants are now having to adapt to this change in consumer awareness.
The law and the upcoming changes may seem like a complex, ingredient-heavy world to navigate at first, but don’t worry: we are here to guide you through the process.
What are cookies?
At this point we’re confident you know we’re not referring to the sweet treat enjoyed by myself and many in the Eyekiller office. Rather, “cookies”, HTTP cookies, web cookies, browser cookies, or whatever you want to call them, are small pieces of data that a website asks your browser to store and send back with later requests. That lets the site recognise the same browser across page loads and visits, which is how it remembers your session, your preferences and, when used for tracking, your activity.
Websites use cookies to run certain features, improve the user experience, and gather data for targeted paid advertising through platforms like Google Ads. They aren’t as tasty as a freshly-baked cookie, but they do play an important role in the functioning of many websites.
Types of cookies
Cookies can be grouped in many ways, but in today’s privacy-focused environment they are most often described in terms of the “party” that sets them. First- and third-party cookies can both be used to track behaviour, but they differ in which domain sets them, and their intended use varies.
First-Party Cookies
First-party cookies are generally considered to be the good guys. They are created by the host domain (the site the user is visiting) and they exist to provide a better user experience and keep the session open. This means the site is able to remember key pieces of information, such as what items you add to shopping carts, the fact that you are logged in (via a session identifier; a cookie should never hold your password itself), and language preferences.
Third-Party Cookies
Third-party cookies are like the villain of the cookie world. Created by domains other than the one the user is visiting, third-party cookies are mainly used for online-advertising purposes. They also allow website owners to provide certain additional functionality, like live chats. One caveat worth knowing: the “party” is decided by the domain the cookie is set on, not by who wrote the script. A third-party analytics or advertising script embedded in your page can set cookies on your own domain, and the browser treats those as first-party even though a third party reads them, so a cookie audit has to look at what each embedded script does, not just at cookie domains.
Are There No Second-Party Cookies?
These are more accurately referred to as second-party data. This is when one website collects first-party data (using first-party cookies) and then shares it with another company via some sort of partnership. For example, a car manufacturer could share its first-party data with a trusted insurance company to use for targeted marketing campaigns, and in the insurer’s hands that data is classed as second-party.
When third-party cookies disappear, we may find data sharing becomes more and more popular as companies seek new methods to target relevant audiences.
How Does a 'Cookieless' World Impact Me?
Ad platforms took advantage of the vast amount of data that third-party cookies collected, using it to let businesses launch and measure hyper-targeted advertising campaigns.
However, many browsers, like Safari, have already started blocking third-party cookies by default, and Google Chrome’s deadline for phasing them out is rapidly approaching. As a result, brands may find their ad data disrupted and advertisers may find it more difficult to measure the effectiveness of campaigns. Optimisation and targeting will also experience significant disruption.
One solution is the use of zero-party data, which is voluntarily provided by consumers through methods such as polls, quizzes, or conversational pop-ups. This data is typically stored in a CRM system, from which it can be exported for use in digital marketing and other communications. Zero-party data is generally considered to be of higher quality and more reliable than data inferred from third-party cookies.
To prepare for the end of third-party cookies, domain owners should first conduct a thorough audit of all cookies set on their website and implement a consent management platform that ensures compliance with cookie laws.
What is the Cookie Law?
The cookie law is a set of rules governing the use of cookies on a website; in short, it prohibits websites from storing cookies without the user’s knowledge and consent. Think of it as a sort of security guard or bouncer for your online activity: it protects users and gives them control over what personal details are tracked, or which cookies are allowed in.
The ePrivacy Directive, most commonly known as the “Cookie Law”, is an EU directive (transposed into each member state’s national law) that serves as a crucial safeguard for online privacy, ensuring electronic communications remain confidential. It requires that consent be obtained before information is stored on, or read from, a user’s device, whether or not that information is personal data, unless doing so is strictly necessary for a service the user has asked for. In short, it’s an important measure that allows users to take control of their online data and protect their privacy.
Under the current ePrivacy Directive websites must:
- Provide transparent and accurate information about the cookies used.
- Obtain consent before placing cookies on a user's device.
- Allow users to decline cookies.
- Make their cookie information pages and consent mechanisms as user-friendly as possible.
What About GDPR?
The General Data Protection Regulation (GDPR) also governs the use of cookies. Although GDPR has a wider scope than the ePrivacy Directive, both laws have similar clauses, particularly in the case of cookies. Like the cookie law, GDPR requires websites to obtain well-informed consent from users before placing cookies on their devices, and give them the choice to opt out or withdraw consent.
Cookie Law In The UK
After Brexit, the UK is no longer obligated to follow the EU Cookie Law or the EU GDPR, unless a UK-based business processes EU individuals’ personal data or monitors their behaviour, in which case the EU rules still apply to that processing.
Organisations that handle the personal data of UK individuals must comply with the UK-made version of the GDPR. This is essentially the same as the European GDPR so the requirements for cookie usage are still the same.
The UK also adopted the Privacy and Electronic Communications Regulations (PECR), which are based on the EU ePrivacy Directive, alongside the Data Protection Act 2018, to create a comprehensive data privacy and protection framework for the UK.
PECR, like its EU counterpart, has rules about how websites can use cookies. It requires websites to be clear and honest about their use of cookies and what information is collected, and to get prior consent before placing cookies on devices; that consent is only valid if it is freely given, informed, explicit, specific, and withdrawable.
Who Is Responsible?
The Cookie Law states that a website owner is responsible for first-party cookie compliance. If you employ third-party services that use cookies to provide their functionality, both you and the provider are responsible for compliance. This means that your agreement with a third party will likely require you to obtain consent in a compliant way before their cookies are set.
Do All Cookies Require Consent?
Strictly necessary cookies are exempt from the Cookie Laws, because they are essential to deliver a service the user has explicitly requested. Note that “strictly necessary” is judged from the user’s point of view, not the business’s: a cookie that is necessary for your analytics or advertising is not exempt.
Examples of cookies this may apply to:
- Session cookies that are necessary for security purposes, e.g. online banking.
- Load-balancing cookies that ensure web pages load quickly and reliably.
- Cookies used to remember what items are added to a shopping basket on an e-commerce website.
Whilst you do not require explicit consent for the use of these cookies, it is still common practice to include their details in your privacy or cookie policy documentation.
Cookie Consent Management Tools
CookiePro and other cookie consent management platforms make navigating the complex world of compliance effortless by centralising all your needs in one place.
In addition to deeply scanning your website to identify and categorise the first and third-party cookies, these platforms allow you to create and deploy geotargeted banners, build preference centres and record compliance details with ease.
Furthermore, CookiePro’s A/B testing feature for cookie banners enables you to experiment with different designs, allowing you to determine which one generates the highest number of conversions, ultimately improving your digital marketing measurement. Keep in mind, though, that consent only counts if it is freely given: a design that makes “accept” far more prominent than “reject” may win the A/B test and still fail the law.
Cookie Compliance Checklist
It’s important not to get bogged down in the nitty gritty details about the individual laws. Do the following to ensure you’re complying with the Cookie Laws:
1. Identify
You need to understand which cookies require explicit consent before moving forward. You can perform a free scan of your website using tools like CookiePro or CookieYes.
2. Update policy pages
Once you know what cookies are stored on your site, you should update your privacy policy or create an individual cookie policy page with all the necessary details. These pages should be easily accessible from every page of your site and written in plain language.
3. Install a Cookie Banner
Websites must prompt and inform users about the use of cookies before the point of data collection. This is most often done in the form of a cookie banner. You’re likely aware of these if you’ve browsed the internet anytime in the last few years. One of the biggest misconceptions surrounding the removal of third-party cookies is that there is no longer a need for a cookie banner. However, many privacy laws specify a need for “consent” or “opt-out” (based on region), and this applies to first-party analytics and marketing cookies just as much as to third-party ones.
4. Obtain Consent
Your cookie banner also serves as the mechanism through which users accept or reject the use of cookies. Users must also be able to set their specific preferences (accept some categories but not others). Non-essential cookies, and the scripts that set them, must only be loaded once explicit consent is given, e.g. by a button click. Implied consent, i.e. scrolling the website without taking action, or closing the banner, is not an indication of opt-in consent. Finally, there should not be any pre-ticked options.
Cookie consent mechanisms should be clear and easy to use so that users can control their choices.
5. Allow users to withdraw consent
Users may change their minds and want to alter their cookie preferences. Websites must allow users to do this at any time, and withdrawing consent should be as easy as giving it. Once consent is withdrawn the website must immediately cease collecting or tracking any personal data using those cookies, and should expire or delete the cookies in question where it can.
6. Record proof of consent
You must document and be able to demonstrate that users have given consent, in case of scrutiny by data protection authorities. Proof should include how and when the consent was obtained, and the information provided to the user at the time of collecting consent.
7. Obtain fresh consent when you add new cookies
You need to ask for fresh consent when you are setting non-essential cookies from a new third party. It’s also important to update your cookie/privacy policy pages with details of the new cookies.
8. Ask for consent at regular intervals
In addition to asking for consent when new cookies are added, users should be asked to refresh their consent choices at regular intervals.
The exact duration is not fixed: the ePrivacy Directive itself sets no interval, and guidance from national regulators varies, with some suggesting at least once a year and others no more than every six months.
Cookie consent mechanisms like CookiePro often default to a certain expiration period, such as 90 days. This may be the simplest option, but it’s important to determine whether that interval is appropriate for your business: you don’t want to inconvenience or disrupt the experience of your users.
9. Stay Up To Date
The Cookie Law is constantly evolving. Do your bit by researching the latest regulations and update your website accordingly.
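The consent gate that steps 4 to 8 of the checklist describe, as an added illustration rather than code from Eyekiller or from any consent management platform. It assumes two non-essential categories, analytics and marketing (strictly necessary cookies need no gate), a policy version string that you bump whenever you add cookies, a six-month refresh interval, and an in-memory cookie store constructed so the example runs outside a browser; in production the store would wrap document.cookie, and the consent record would be persisted and written to your compliance log.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
// Assumed values: bump policyVersion whenever cookies or the policy text change;
// maxAgeMs is the interval after which the user is asked again.
const DEFAULTS = { policyVersion: "2024-05", maxAgeMs: 180 * DAY_MS };

// In-memory stand-in for document.cookie, constructed so the example runs in Node.
function makeMemoryCookieStore() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    names: () => [...jar.keys()].sort(),
  };
}

function createConsentManager(store, options = {}) {
  const { policyVersion, maxAgeMs } = { ...DEFAULTS, ...options };
  const now = options.now || (() => Date.now()); // injectable clock for testing
  const loaders = { analytics: [], marketing: [] }; // nothing here runs before opt-in
  const loaded = new Set();
  const history = []; // proof of consent: every grant and withdrawal, with evidence
  let current = null; // latest record, or null until the user has chosen

  const isCurrent = (rec) =>
    Boolean(rec) && rec.policyVersion === policyVersion && now() - rec.timestamp < maxAgeMs;

  function applyGrants() {
    for (const category of Object.keys(loaders)) {
      if (!current.granted[category]) continue;
      for (const l of loaders[category]) {
        if (!loaded.has(l.name)) { l.load(store); loaded.add(l.name); }
      }
    }
  }

  return {
    // Register a non-essential integration together with the cookies it sets,
    // so that withdrawal can remove exactly those cookies.
    register(category, name, load, cookieNames) {
      if (!(category in loaders)) throw new Error(`unknown category: ${category}`);
      loaders[category].push({ name, load, cookieNames });
    },

    // On a return visit: reuse a persisted record only while the policy version
    // it was given under is unchanged and the refresh interval has not elapsed.
    restore(saved) {
      if (!isCurrent(saved)) return false;
      current = saved;
      applyGrants();
      return true;
    },

    needsPrompt: () => !isCurrent(current),

    // Call this from an explicit button click only. Every category defaults to
    // refused: no pre-ticked boxes, and scrolling or dismissing grants nothing.
    grant(choices, evidence) {
      const granted = {};
      for (const category of Object.keys(loaders)) granted[category] = choices[category] === true;
      current = { action: "grant", timestamp: now(), policyVersion, granted, evidence };
      history.push(current);
      applyGrants();
      return current;
    },

    // Withdrawal: stop loading that category and delete the cookies it set.
    withdraw(category, evidence) {
      if (!current) return null;
      const granted = { ...current.granted, [category]: false };
      current = { action: "withdraw", timestamp: now(), policyVersion, granted, evidence };
      history.push(current);
      for (const l of loaders[category] || []) {
        l.cookieNames.forEach((c) => store.remove(c));
        loaded.delete(l.name);
      }
      return current;
    },

    proof: () => history.slice(),
  };
}

// Walk-through with two constructed integrations standing in for real tags.
function demo() {
  const store = makeMemoryCookieStore();
  const cmp = createConsentManager(store);
  cmp.register("analytics", "web-analytics", (s) => s.set("_ga", "GA1.2.example"), ["_ga"]);
  cmp.register("marketing", "ad-pixel", (s) => s.set("_pixel", "example"), ["_pixel"]);
  const beforeConsent = store.names();  // nothing is set before the click
  cmp.grant({ analytics: true }, { ui: "banner", button: "save-preferences" });
  const afterConsent = store.names();   // analytics only; marketing was not ticked
  cmp.withdraw("analytics", { ui: "preference-centre" });
  return { beforeConsent, afterConsent, afterWithdrawal: store.names(), proof: cmp.proof() };
}
```

The design choice worth copying is that the integrations are registered as loaders rather than being present in the page from the start: a script that is never executed cannot set a cookie before consent, whereas trying to delete cookies after a tag has already fired is a losing race. The `evidence` object and the `history` array are what you show a regulator for step 6; the `policyVersion` check covers step 7 and `maxAgeMs` covers step 8.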
The Importance Of Compliance
In the United Kingdom, organisations that breach the Privacy and Electronic Communications Regulations (PECR) can be subject to substantial monetary penalties from the Information Commissioner's Office (ICO), with the maximum fine reaching £500,000. Breaches of the UK GDPR and the Data Protection Act 2018 carry a higher maximum of £17.5 million or 4% of annual worldwide turnover, whichever is greater.
The consequences can be even greater for organisations that must adhere to the EU GDPR. For example, in 2021 Amazon was hit with a whopping €746 million fine following an investigation by the Luxembourg data protection authority, the CNPD. The investigation concluded that the consent underpinning Amazon’s targeted advertising was not “freely given”.
The Last Bite
We hope you’ve learned a thing or two about cookie compliance and how important it is in today’s privacy-focused world. Remember: always inform users and obtain explicit consent before storing non-essential cookies, and don’t forget that consent management platforms like CookiePro can make the process a whole lot simpler.
Still craving more information about cookie compliance? Don’t hesitate to reach out to our team. We’ll be more than happy to help to make sure your website stays compliant and recommend ways to prepare for the end of third-party cookies.