22 September 2021

Cookies are back: How to make sure your cookie policy complies with the new ICO vision

Regulatory updates

why having cookies back in the news is a good thing!



The ICO (Information Commissioner’s Office) has put cookie banners back in the news and back onto the agenda for some firms. Whilst they have created uncertainty and many firms are lying in wait of some clearer guidance, some companies are using this news as an opportunity to get closer to their stakeholders.

why are cookies back in the news?

In order to comply with existing legislation, principally the GDPR and PECR, most companies drafted a cookie policy (if you haven’t, here is a FREE TEMPLATE to get started!) and set up a cookie banner. That’s the thing that pops up when someone enters your site and you ask if they are happy to accept cookies or not.

The banner is what has been in the news recently. As more and more companies have put banners on their sites, the measure has now stopped achieving what it was intended to do in the first place. They slow down our online journeys, so most users just click “accept” to get rid of them.

The ICO, addressing the G7, proposed a shakeup of cookie policy. The BBC reported that the ICO’s vision for the future will mean “web browsers or even device-wide settings will, ‘allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website’. That would ‘ensure people’s privacy preferences are respected’ while improving the experience.”

The changes proposed will basically mean there will not be as many requirements as imposed by the EU via GDPR. The UK will make its own GDPR mark – the first show of strength post-Brexit divorce! Essentially, the UK government is recognising that the bureaucracy that GDPR imposed is creating too many issues for businesses and they now want to show strength for trade and industry to change data privacy requirements to a more light-touch approach – particularly as the cookie policy pop ups are clearly not working at the moment.

what does this mean for businesses?

For businesses, this is difficult. Is it more change for the sake of change’s sake? Do businesses need to comply or not – who tells someone off for over compliance? For business, there will be a decision to be made which will need to consider the benefit of a nicer cookie policy v. the tech build and work required to get there.

Also, for those businesses who work across the EU and have EU users, they will need to comply with EU GDPR anyway…

In order to answer the question “is it better for business?” we need to go back to the beginning.

what is a cookie?

Even the least tech-savvy among us will know that a cookie is more than just something to be dunked in tea. Although talking about them does make us fancy one…

Anyway! A cookie is a “small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.” [ICO definition] 

In a nutshell, cookies are what makes it possible for websites to remember our activity on a website.

are cookies bad?

Online cookies, much like my favourite cookie (choc chip if you’re asking), aren’t inherently bad. But, they aren’t all good either! Whilst they can enhance our experience on the internet, they can also lead to our data being shared. As data can be personal in nature, the GDPR kicks in when this is the case and requires companies to get consent first.

Cookies are also governed by another piece of legislation – the PECR (Privacy and Electronic Communications Regulations). PECR governs all cookies and sets out a series of requirements for companies that use cookies (that’s pretty much all of us!).

what do we all need to do to comply?

The basic rule is that you must:

  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.

The ICO is the best place to go for general guidance on cookies. They have produced a useful checklist for companies that includes checks on how well you understand cookies. It also helps you audit your use of them and gets companies to think about consent and their documentation and review of cookies.

lawbox-design-cookie-policy-changes-2021-ico-guidance-cookies

so what do we do now?

What the ICO has done is highlight that in complying with the law the user has been forgotten. This is something that legal design strives to overcome, so on the face of it, this is a helpful step.

When GDPR came in, there was a lot of discussion around how it could help companies get closer to their customers. It highlighted that data is valuable and that companies should be transparent when they collect and use it. Where companies could demonstrate this to customers, the trust would increase. However, the cookie banner has ironically had the opposite effect. Few customers understand what is collected, for what purpose, and the implications. There is a lot of distrust and worry about what is happening with their data.

how can legal design help?

We have a four-stage process that we go through with our clients when they are facing a legal change or challenge:

lawbox-design-cookie-policy-changes-2021-legal-design-approach

Our approach starts with a taking wide-angle view. This approach helps get buy-in, (importantly) remembers the users, and works out whether implementation is needed in the first place.

Looking at the business case for the change, we answer two questions:

  1. Is it part of the business’ future plans and aligned with its forward planning?
  2. What’s in it for the business and its customers?

The businesses that we have been doing this exercise with, in the context of cookies, have been thinking about the impact on their users of their cookie banners. They have been scanning the industry to think about how they can lead best practice. They have been cognisant of the fact that customers are untrusting of what is happening with their data and are growing annoyed by banners that are less than transparent.

This discussion then leads us to think about stakeholders. Here we explore questions such as:

  1. Who has skin in the game?
  2. Who in the business needs to authorise this?
  3. Who is effected and who has to build tech to support the change?

Again, with cookie banners this has led us to consider a range of stakeholders internally (marketing, development, product design, sales) and externally. It has produced conversations around global teams with an eye on the bigger picture for business.

What this approach does is it helps answer the question “what do we need to do now?” not just from a legal perspective (in this case, technically “nothing”) but from the expanded perspective of “what is the best thing for our business to do now?”.

Where it is decided that there is something that needs to be implemented, this runs more smoothly because buy-in is already there and the relevant stakeholders have already been consulted.

Smart cookies…sorry, we mean smart companies are thinking about how they can change the dialogue with their customers. Rather than use technical cookie banners, which do little to explain to the customers the benefits of clicking accept, they are explaining what happens when they do and what the benefits to them are of doing it. This builds transparency and increases the likelihood of people saying yes to cookies.

lawbox-design-cookie-policy-changes-2021-whats-horizon-cookies

are cookie banners the only change on the horizon?

The other change on the horizon is more “data adequacy” partnerships. This is where data can be shared internationally. As a result of Brexit, the UK is now free to negotiation more of these outside of the EU (with whom we already have such a partnership).

let us help you stay ahead.

The proposed changes seem positive. However, they also mean that in-house teams are going to need to be alert to the changes or they might find themselves on the back foot. Again, in-house teams can get themselves ahead of the curve by starting to think about the business case and engaging stakeholders early on, so that if any implementation is needed, they already have the right thinking in place to move forward.

If you’d like to find out how we can help your business consider your cookie policy and how better to engage with stakeholders then please get in touch at onwards@lawboxdesign.com.

v
Interested in how we can help your business?
Give us a ring, we would love to hear from you.
Get in touch