The ICO recently wrote a blog post on what good practice is surrounding cookies. One thing they explain several times in this post is that they are not opposed to innovation — but you should not compromise privacy in the name of innovation.
They’re right, of course, but the ICO may have a reputation for being stuffy privacy nerds who curtail innovation with their incessant rules and guidelines. Put your perceptions aside because it’s actually very easy to start something cool and innovative while also managing cookie consent correctly. Just stick to these four things and you’ll be fine.
Getting explicit consent means the user has to perform some kind of non-passive action indicating a clear yes or no. Quickly, identify the non-passive action in this list:
I’m sure you picked number 2. Have a taco 🌮. If you didn’t: congratulations, you just learned something. You simply cannot serve the user cookies without asking first. The flow of consensual cookie-setting goes like this:
To clarify what non-essential cookies are: we could argue about this until we all pass out, but the guidelines are quite clear now. The ICO describe essential cookies as ones that “are essential to providing the service requested by the user”. Just like when you need to set a cookie to remember a user’s preferences when they log in.
Using that as a benchmark is helpful; anything sitting outside of providing the service is non-essential. For example, passively collecting analytics is not essential: the user can navigate your site without it breaking. The ICO managed to explain this very plainly:
[Analytics] are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
Ali Shah, head of technology policy at the ICO
So to conclude, you must get consent from the user before you set any non-essential cookies. And yes, Google Analytics is non-essential.
This bit is essentially the underlying principle of this article: being transparent with your users, and therefore giving them control over cookies. Users will never have control if they don’t understand what they are consenting/not consenting to. You need to lay out for them what your cookies are for, so that they can give informed consent.
That means you really can’t just say ‘we need to gather statistics to improve your experience’. Let’s be honest: the average user simply does not care. Site stats improve experience in the long run, but the fact is, in the very moment of asking for consent no one’s experience is improved in any way. So don’t be vague, just explain what your cookies do.
Informing users about cookies is not a sell; just be honest and straightforward. You want to be able to gather analytics to better understand how people use your product, you want to save live chat history so that the conversation is not lost. These are perfectly legitimate reasons to set cookies — be transparent about these reasons and get informed consent.
This one’s a head-scratcher. You can’t set your cookies before consent, so surely hide the content and sort all the cookie consent stuff out first? Well, not really…
Asking for consent for everything at once does not adhere to the GDPR standard. It’s not reasonable to expect users to decide on what cookies they are okay with all in one go — they will likely just say yes to everything. And that is not in the spirit of informed consent.
Asking for consent as and when you need it is actually better — if someone is using feature A of your service, why on earth would you need to set a cookie for feature B? You don’t, so just ask only when they request feature B. This may sound like a fiddly headache, but there are solutions to these problems… please remember where you are reading this 😉
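The two rules above (no non-essential cookie before an explicit yes, and asking per feature at the moment it is used rather than all at once) as one small consent gate. This is an added example, not code from the original post; the cookie jar interface (`set(name, value)`, `names()`) and the purpose names are assumptions so that it runs outside a browser.

```javascript
// Added example, not code from the original post: a per-purpose consent gate.
// The cookie jar is an assumed interface ({ set(name, value), names() }) so
// this runs in Node; in a browser it would be backed by document.cookie.
const ESSENTIAL = 'essential'; // needed to provide the requested service: no consent required

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.decisions = new Map(); // purpose -> true (explicit yes) | false (explicit no)
    this.prompts = [];          // purposes the user has been asked about, in order
  }

  // Record an explicit, non-passive answer. Anything that is not a clear
  // boolean (scrolling, "continuing to browse") is rejected as not consent.
  record(purpose, granted) {
    if (typeof granted !== 'boolean') {
      throw new TypeError('consent must be an explicit yes or no');
    }
    this.decisions.set(purpose, granted);
  }

  // Called at the moment a feature wants to set a cookie. Essential cookies go
  // straight through; everything else needs a recorded "yes" for its purpose.
  // An unasked purpose raises its prompt now (just in time), not up front.
  setCookie(name, value, purpose) {
    if (purpose === ESSENTIAL) { this.jar.set(name, value); return 'set'; }
    const decision = this.decisions.get(purpose);
    if (decision === true) { this.jar.set(name, value); return 'set'; }
    if (decision === false) return 'refused';
    if (!this.prompts.includes(purpose)) this.prompts.push(purpose);
    return 'pending'; // nothing is set until the user answers
  }
}

// Walk through the flow with a constructed in-memory jar and sample cookie names.
function demo() {
  const jar = { data: {}, set(n, v) { this.data[n] = v; }, names() { return Object.keys(this.data); } };
  const gate = new ConsentGate(jar);
  const results = [];
  results.push(gate.setCookie('session', 'abc123', ESSENTIAL));     // set, nobody is asked
  results.push(gate.setCookie('analytics_id', 'x1', 'analytics'));  // pending: prompt shown now
  gate.record('analytics', false);                                  // user clicks "No"
  results.push(gate.setCookie('analytics_id', 'x1', 'analytics'));  // refused, stays refused
  results.push(gate.setCookie('chat_history', 'c9', 'live-chat'));  // asked only when chat opens
  gate.record('live-chat', true);                                   // user clicks "Yes"
  results.push(gate.setCookie('chat_history', 'c9', 'live-chat'));  // set
  return { results, cookies: jar.names(), prompts: gate.prompts };
}
```

Note that the analytics cookie is never written to the jar, and the live-chat prompt only appears once the chat feature actually asks for its cookie.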
In case you aren’t aware, legitimate interests are one of the six lawful bases for processing data. This entire article is about how to correctly get consent from your users about setting cookies. With legitimate interests, you do not need explicit consent.
🚨 ALERT 🚨 please do not be excited by that prospect — replace your excitement with sensible levels of caution. Legitimate interests are very vague and flexible. Do not expect that you can rely on them. As I outlined in this other article, you’ll just find yourself in a rubbish grey area.
✅ A great example of legitimate interests being used is credit card payments: a user enters their details to make a payment, and in no part of this process does the vendor ask ‘is it okay if we use your card details to take the payment?’ This question serves no purpose because the user reasonably expects you to use that data to take money from them — that’s the entire point of the transaction. No consent necessary because, legitimate interests.
❌ A terrible (and… unlawful) application of legitimate interests is setting marketing and advertising cookies because you have a ‘legitimate interest’ to stay in business. Yes you do, but that does not help the user use your website or service — which, as we’ve covered, means those cookies fall into the very large non-essential category.
Handling cookie consent shouldn’t be (and isn’t) that hard. If you’ve just started building something new and cool, you probably have no interest in following the crowd — so why do it here? Don’t just copy everyone else (because most people get it wrong). Follow these simple steps, build your products, and be transparent with your users.