Is Your Website Cookie Banner GDPR Compliant?

Nov 17, 2023

What you need to know about the latest guidance from the GDPR regarding cookie banners.

Since its introduction in 2018, the GDPR has continually adapted to keep pace with increased digital advancement and data tracking capabilities. In 2023, a very important update was introduced by a senior UK data regulator, the Information Commissioner's Office (ICO), that many businesses are either unaware of or unclear about.

Stephen Bonner, a deputy commissioner at the ICO, made it very clear that many organisations risk enforcement action. Bonner warned that “If you don’t have ‘reject all’ on your top-level [cookie banner], you are breaking the law.”

He also said that the ICO would “absolutely issue fines” for businesses that don’t update their cookie banners, which could also result in severe search engine ranking penalties.

It is a legal requirement in the UK for all websites using any form of cookies to have a cookie banner. It’s best practice to set this up as an explicit consent banner, which means you may only load essential cookies for a first-time visitor until they have given explicit consent for you to do otherwise.

The concern from data regulators has come about because most websites have adopted a cookie banner that features an ‘ACCEPT ALL’ button, but to reject all non-essential cookies, numerous steps are required. This may lead to users clicking ‘Accept’ to dismiss the banner without full knowledge of what they’ve agreed to.

The latest GDPR guidance declares that the ‘REJECT ALL’ button must be equal in accessibility to the accept button. Hitting the reject button will then block all non-essential cookies, such as analytical tracking cookies.

What Are Internet Cookies?

Websites require a variety of cookies, which are text files containing small pieces of data. They can usually be broken down into categories such as:

  • Session Cookies – These are usually essential to how the website functions and are only present for as long as the browsing session lasts, such as products added to your basket.
  • Persistent Cookies – Remember information about you from previous sessions (up to 6 months is the maximum by law); an example of this would be login information.
  • Third-Party Cookies – Gather data about your browsing habits and allow advertisers to track your digital footprint to enable more targeted ads wherever you visit online. These are non-essential cookies.
  • First-Party Cookies – Created by the website you’re browsing to enhance the user experience. They are usually essential to ensure a smooth and personalised user journey.

There are other lesser-known types of cookies, but the important distinction is whether or not a user can reject them.

Both essential and non-essential cookies can alter the browsing experience while online. Essential cookies are necessary for how a website functions, and providing they don’t store data beyond the legal time limit, websites won’t be penalised.

Best Practice Website Cookie Banner

  • Clear calls to action – Give users the option to accept or reject cookies, edit preferences, and view the website’s cookie policy.
  • Recording consent – Your backend should capture a record of cookie consent.
  • Inform users – You should briefly describe why cookies are being used and how this serves the user.
  • Third Parties – Alert the visitor if the site shares data with third parties.
  • Language – Avoid overly complex language that can confuse users.
  • Appearance – Don’t create elaborate designs, keep it on brand but simple.
  • Legal checks – Ensure a legal professional has reviewed your website cookie policy to ensure compliance. Your cookie policy should be accessible through your cookie banner.
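
The explicit-consent behaviour and the ‘recording consent’ point above, as an added example (not code from this blog or from any consent tool): a small JavaScript consent gate in which a first-time visitor gets essential tags only, ‘reject all’ is a single choice just like ‘accept all’, and every decision produces a record to send to the backend. The category names, tag names, banner version and function names are all assumptions made for illustration.

```javascript
// Added example: consent gate for a cookie banner. All names are hypothetical.
const CATEGORIES = ["essential", "analytics", "advertising"]; // assumed category set
const BANNER_VERSION = "2023-11-example"; // constructed placeholder value

// Constructed sample of tags a site might load, each labelled with its category.
const TAGS = [
  { name: "session-basket", category: "essential" },
  { name: "page-analytics", category: "analytics" },
  { name: "ad-retargeting", category: "advertising" },
];

// Build the consent record the backend should store.
// choice: "accept_all", "reject_all", or { custom: [...] } from the preferences screen.
function buildConsentRecord(choice, now = new Date()) {
  let granted;
  if (choice === "accept_all") {
    granted = [...CATEGORIES];
  } else if (choice === "reject_all") {
    granted = ["essential"]; // one click, same level as accept
  } else if (choice && Array.isArray(choice.custom)) {
    // Unknown categories are dropped; essential is always included.
    const extra = choice.custom.filter(
      (c) => CATEGORIES.includes(c) && c !== "essential");
    granted = ["essential", ...extra];
  } else {
    throw new Error("unrecognised banner choice");
  }
  return {
    choice: typeof choice === "string" ? choice : "custom",
    granted: [...new Set(granted)],
    bannerVersion: BANNER_VERSION,
    decidedAt: now.toISOString(),
  };
}

// Names of the tags allowed to load. With no record (a first-time visitor)
// only essential tags load. Assumption: a record made against an older
// banner version is not reused, so the visitor is asked again.
function tagsToLoad(record, tags = TAGS) {
  const valid = record && record.bannerVersion === BANNER_VERSION;
  const granted = valid ? record.granted : ["essential"];
  return tags.filter((t) => granted.includes(t.category)).map((t) => t.name);
}
```

The record returned by buildConsentRecord is what the backend would store; the banner and tag loader would call tagsToLoad on every page view before injecting anything non-essential.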

If you’d like advice or support regarding your website cookie banner then you can contact our team who would be happy to give you some tips!