Are your websites and apps compliant? A look at UK cookie consent regulation

July 1, 2020 by Yannig Roth

In July 2019, the Information Commissioner’s Office (ICO) published new guidance on the use of cookies to provide more clarity and certainty about how you can use cookies in your online service. As the Information Commissioner said, “the public has woken up to the potential of their personal data”, adding that “the ICO has covered an enormous amount of ground over the last year – from the introduction of a new data protection law, to our calls to change the freedom of information law, from record-setting fines to a record number of people raising data protection concerns.” 

Indeed, a lot has changed in a year. The greatest impulse for this change was the General Data Protection Regulation (GDPR) coming into force. It has led to greater awareness of privacy, with the firm belief that being fairer, more transparent and accountable to your users will increase their trust and confidence in you – for the benefit of all. So what are the ICO recommendations, and how can you make sure you are compliant?

The role of a CMP such as Didomi is to ensure compliance at all times, and to provide you with customised support in order to retain your users and strengthen your relationship with them. Here’s what you need to know about cookies, legal recommendations, and the role of CMPs.

What are cookies, why and when is consent needed?

A cookie is a text file in which you can store information such as IDs and passwords, navigation history, or card numbers for payments. There are two types of cookies: first-party cookies set by the host domain, and third-party cookies set by other domains and partners. There are also three main categories of cookies: analytics, content personalisation, and targeted ads.

The ICO stresses that you must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent before collecting information, whether through cookies or other tracking technologies such as pixel trackers, fingerprints, SDKs, Local Storage Objects, “Like” buttons and other social sharing tools. In fact, consent must be collected for any storage of information on a user’s device or equipment. The only exceptions are communication cookies and strictly necessary cookies.

So, what is ‘consent’ you may ask? It is the Privacy and Electronic Communications Regulations (PECR) that sets the cookie laws, but many of its key concepts such as the standard of consent come from the GDPR. And according to the GDPR, “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. In addition, “it shall be as easy to withdraw as to give consent” (Art.7.3). 

In the light of these recommendations, browsers are becoming increasingly restrictive. Between July 2019 and January 2020, Firefox announced the Enhanced Tracking Protection by default, Apple announced the ITP2.2 Safari version, and Chrome announced cookie and tracking technologies restrictions, promising no more third-party cookies in Chrome by 2022. In this context, it is imperative for all programmatic advertisers to update and comply. 

These are the main ICO guidelines for compliance

The updated ICO guidance is based on the basic information rights principles of fairness, transparency and accountability. Here are the main guidelines:

  • Explicit consent: it is no longer possible to rely on implied consent, you need a clear and specific statement of consent.
  • Positive opt-in for consent: don’t use pre-ticked boxes or any other method of default consent.
  • Clear choice of settings: be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough. Banners must allow users to reject non-necessary cookies and similar technologies, to change their cookie preferences at any time, and to withdraw consent as easily as they gave it. 
  • Keep consent requests separate from other terms and conditions.
  • Avoid making consent to processing a precondition of a service.
  • Keep evidence of consent: who, when, how, and what you told people.
  • Name any third-party controllers who will rely on the consent.
  • Transparency obligations: users must be provided with clear and comprehensive information about the use of cookies.
  • Formal enforcement actions may be taken against non-compliant companies.

Will the guidelines still be the same after Brexit? 

Now that the UK has a Withdrawal Agreement with the EU, there will be a transition period until the end of 2020 to allow time to negotiate. During the transition period the GDPR will continue to apply in the UK and you won’t need to take any immediate action. 

As the GDPR is an EU Regulation, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law, and the government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR. Besides, the EU version of the GDPR may also still apply directly to you if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. 

You can visit the ICO website page dedicated to the topic of data protection and Brexit, and we’ll keep you posted as soon as we know more. 

How can Didomi help you become cookie-compliant?

Publishers may worry that compliance will lead to a loss of revenue, and both publishers and brands will be fearful of a drastic drop in consent. Indeed, there will probably be repercussions on consent rates (small or considerable, depending on your partners and the measures you put in place). All parties will be impacted, and everyone must prepare for a certain amount of change.

But don’t worry: this is why Didomi is here to help you. Through the use of specific tools such as A/B testing and bespoke CMPs, Didomi will make sure you know exactly what’s happening on your website, allowing you to optimise consent collection and build trust with your consumers.

A/B testing, or finding the best “look and feel” for your banner to connect with your customers, will be essential. But there will be one fundamental change that is positive: giving more choice, control and freedom to users is a great opportunity for you to build brand confidence. By building better communication channels, you build trust, and that may be used to your advantage, benefiting all parties.

The best way to be compliant and make the most out of GDPR and PECR regulations is to implement a CMP which is both compliant and performant, such as Didomi’s. It will provide you with the right legal and technological tools, and become the first point of contact with your customers.

At Didomi, we begin by performing an audit of your website, including an analysis of application and website compliance, partner detection, identification of the cookies they drop and their lifespan. We will give you an accurate picture of what is happening on your website or application, and often our customers are surprised at what they discover (especially because of all the activity around third-party cookies).

Didomi’s Console allows you to get a “Compliance Score” based on your website’s cookie usage

The next step is to customise your CMP by choosing the right message and consent notice format to ensure that the UI/UX are aligned with your brand image (colours, font, language, etc.). Then the CMP is deployed and integrated with existing solutions within your tech stack (integration of the SDK into mobile web & apps, integration with your tag management solutions, blocking of ad-hoc cookies and specific tags, except for TMS and TCF). 

Finally, we follow up and optimise by performing regular audits to monitor cookie lifetime and new partners, closely following consent rates and performing A/B tests to improve opt-in rates.

Consent is now becoming a key indicator for companies. With a CMP, consent becomes an indication of user confidence in your business, which in turn leads to revenue. So put all the odds in your favour and choose Didomi!
