Cookies – maybe not so sweet?


If you have a company website, you probably use cookies. Cookies are no big secret – who hasn’t seen those messages on nearly every website you visit?

There are different types of cookies. Some are very useful tools for a website: they allow certain things to work well and can improve the customer’s experience and the performance of the site.

The potential problems begin when you use the types of cookies that track and monitor user behaviour, and the problems are made worse when you share that data with other companies or individuals.

Data privacy laws (GDPR and PECR) in the UK and EU demand that you list all personal data that you hold and pass to others along with the reasons why and on what legal basis you do so. The same laws state that you should give people access to that data and certain rights to delete that data.

Smaller companies either use customisable “off the shelf” website platforms or WordPress. Most small companies use an independent web developer or a marketing agency that has web developers available. However, if you are a website DIYer, this still applies.

Off the shelf websites normally depend on cookies to offer functionality such as checkout baskets or user logins. WordPress is a bit more “build your own”, inasmuch as functionality is added, normally in the form of “plugins” – small extra pieces of software – much like apps on a smartphone. These are produced by software companies or individuals and made available to web developers, some free and some on a fee-paying basis.

A great number of these plugin providers are based in countries where the privacy laws of the UK and EU are not fully understood or adhered to. Web developers and marketing agencies rightly take great pride in producing functional and visually impactful websites. However, many are not experts in privacy law and may use software or plugins that share data with their producer or other entities, either directly or via cookies.

The Information Commissioner in the UK has issued guidance on cookies, and the takeaways are that “strictly functional cookies” do not need consent, as long as they are not also fulfilling any marketing or other use. However, for all other cookies you must inform the user or customer and, if you are relying on consent, give them the chance to make their own informed decision. Unfortunately, PECR states that consent is the only legal basis for collecting information (even via anonymous information-gathering cookies) – unless you are dealing with existing customers. But you still need to give them the same information and allow them to opt out. Of particular note here is that this should happen before any data is passed anywhere.

By far the easiest way to deal with this is to use an automated cookie notice that offers options for people to be informed and in control, therefore offering genuine choice. It is no longer good enough (or legal) to tell people that they can switch cookies off in their browser settings, and this is often not a good outcome anyway, as it will probably stop your website working properly.

Examine what cookies are on your website. What do they do, and do they bring any value to your company? If they do not help you then get rid of them. They are a liability at no benefit to you.

Discuss this with your web developer. The work they produce often includes features such as Google trackers as standard. If you do not wish to use Google Analytics or other such products, then get rid of them. Other plugin or feature vendors often have GDPR compliance options that are not switched on by default. Ask what data is passed where from the plugins or features of your website. The flow of data your website is creating is your responsibility, not the web developer’s.

Practical steps:

  1. Audit your website for cookies and other data transfers. Ask yourself what data is going where and why. Most of the automatic cookie management software available has the ability to do an audit without installing any software.
  2. Where you are passing data (including cookies) that contain personally identifiable data you should treat these entities as Data Processors and comply with all of the relevant GDPR rules.
  3. Consider using an automated cookie audit/policy/control/consent tool. There are many on the market now, and most are free for the smaller entity. We use Cookiebot. I like this one as it creates the policy for a website and updates itself monthly.
  4. Make sure any plugins you have installed have their GDPR compliance options switched on.
  5. Make sure your website and plugins have the latest versions installed as these often have a bearing on privacy and security.
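As an added illustration of step 1 (not part of the original article or any tool it mentions), the script below takes a constructed capture of the Set-Cookie headers a browser received on a first page load, before any consent was given, and flags each cookie as first- or third-party, persistent or session, and whether it needs consent. The site host, the list of cookies the owner has confirmed as strictly necessary, and the captured headers are all assumptions made up for the example.

```python
from dataclasses import dataclass

SITE_HOST = "shop.example"  # assumption: the website being audited

# Assumption: cookies the site owner has confirmed are strictly necessary
# (session and basket). Anything else set before consent is a finding.
STRICTLY_NECESSARY = {"PHPSESSID", "cart"}

@dataclass
class Finding:
    name: str
    set_by: str          # host whose response set the cookie
    third_party: bool    # scoped to, or set by, a host outside the site
    persistent: bool     # survives the browser session (Expires/Max-Age)
    needs_consent: bool  # not strictly necessary, or sent to a third party

def _is_first_party(host: str) -> bool:
    host = host.lstrip(".").lower()
    return host == SITE_HOST or host.endswith("." + SITE_HOST)

def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs

def audit(observed):
    """observed: list of (responding_host, set_cookie_header) seen before consent."""
    findings = []
    for host, header in observed:
        name, attrs = parse_set_cookie(header)
        scope = attrs.get("domain", host)
        first_party = _is_first_party(host) and _is_first_party(scope)
        persistent = "expires" in attrs or "max-age" in attrs
        needs_consent = (name not in STRICTLY_NECESSARY) or not first_party
        findings.append(Finding(name, host, not first_party, persistent, needs_consent))
    return findings

# Constructed sample: headers captured on a first visit with no consent given.
SAMPLE = [
    ("shop.example", "PHPSESSID=s1; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "cart=3; Path=/checkout; Secure"),
    ("shop.example", "_ga=GA1.2.1; Domain=.shop.example; Max-Age=63072000; Path=/"),
    ("ads.tracker-example.net", "uid=9f; Domain=.tracker-example.net; Max-Age=31536000"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Note that the analytics cookie is first-party by domain yet still flagged, which matches the point above that a cookie set from your own site can still need consent.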

Cookies are an area that seems to blindside the SME sector, but there really is no excuse to not be compliant with the tools freely available today.

If you would like to know more or have any particular concerns please contact me here or email me at