In this series of articles about GDPR requirements for websites, we look at cookie notices and policies. How do you identify cookies on a website? There are many cookie alerts available, but just notifying users that cookies are used on the site, and asking them to accept this, is no longer enough. It is now necessary to inform users that cookies are used, what they are, what they’re used for, and how long they will last. Users should also be given the option to turn cookies off and on as they see fit.
Types of cookies
When users land on the site, they should be informed of which types of cookies are in use and be invited to find out more detail about them. Here are some main ones.
Session cookies are cookies from the website itself. Often these are ‘essential’ cookies, required for the visitor to use the site properly. For example, a cookie is needed for a multi-page application form so that the website can ‘remember’ information already entered and the user can go forward and backward between pages. These usually expire after the ‘session’.
First party cookies are used by functionality on the website for things like website usage stats, page views, number of users, ecommerce carts, etc.
Third party cookies are cookies placed in the user’s browser from a different domain. For example, if you embed a video from YouTube into your site, or you have a social media feed, these external sites could place one of their cookies in the user’s browser.
Tracking/Analytics cookies are usually used for gathering website visitor statistics in external software like Google Analytics. These track behaviour like page views, a user’s route through the site, time on site, exit page, etc. While they track behaviour, they do not collect identifiable personal information.
Secure cookies are generated by SSL certificates to ensure safe input and encryption of user data into forms.
How do you identify cookies on a website?
The cookie notice functionality we offer for clients, ‘Cookie Control’, is the same as the one used on the ICO website and is provided by Civic. This notice informs users that cookies are used on the site, enables them to switch on or off the different types of cookies outlined above, and provides a link to the privacy and cookie policies. Non-essential cookies can be set to be disabled by default as soon as users land on the site and they can turn them on if they wish, or they can choose to ‘accept recommended cookies’. Users are able to reactivate the cookie notice and change their options at any time during their site visit.
Cookie Policies should be reviewed and updated every year or so, as should a website cookie audit. With sites that are used a lot by admin, or that have added functionality, sometimes new cookies can creep in which need to be documented in an updated policy.
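As a starting point for the cookie audit mentioned above, the following added example (not part of the original article or of Cookie Control) classifies cookies from their Set-Cookie headers. It reads the cookie attributes directly: a cookie with no Expires or Max-Age is a session cookie, and `secure` reports the Secure attribute. The host names, cookie names and header values are constructed sample data, and the third-party check is a rough domain comparison.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data: (host that sent the response, Set-Cookie header value).
SAMPLE = [
    ("www.example.org", "form_step=2; Path=/; HttpOnly"),
    ("www.example.org", "cart=abc123; Max-Age=604800; Path=/; Secure"),
    ("stats.example.net", "visitor=xyz; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Domain=example.net"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes keyed in lowercase)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def lifetime_days(attrs, now):
    """None for a session cookie, else days until expiry (Max-Age wins over Expires)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def is_third_party(site_host, cookie_domain):
    """Rough check: the cookie domain is neither the site host nor a parent of it."""
    d = cookie_domain.lstrip(".").lower()
    return not (site_host == d or site_host.endswith("." + d))

def audit(site_host, responses, now=None):
    """Return one row per cookie: name, party, lifetime and Secure flag."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for sender, header in responses:
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        domain = attrs.get("domain") or sender  # no Domain attribute: host-only cookie
        rows.append({
            "name": name,
            "party": "third" if is_third_party(site_host, domain) else "first",
            "lifetime": "session" if days is None else f"{days:.0f} days",
            "secure": "secure" in attrs,
        })
    return rows

if __name__ == "__main__":
    for row in audit("www.example.org", SAMPLE):
        print(row)
```

The resulting rows give the name, party and lifetime of each cookie, which is the information a cookie policy needs to list.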
If you need any help and advice about cookies and GDPR, or are wondering, ‘How do you identify cookies on a website?’, please get in touch and we can help.