


Sadly, not this sort of cookie… cookie policies

Do you know what cookies are, other than chocolate chip? Do you know if your website designer has added them to your website? Do you know what sort of cookies they are?

A cookie is a small file of letters and numbers that is downloaded onto a computer when someone visits a website. Cookies are used by many websites and can do a number of things, e.g. remembering preferences, recording the contents of an online shopping basket, and counting the number of people looking at a website. However, it is often the case that third-party cookies are also placed on a computer, tablet or phone. These are not always wanted and can not only track a user’s movement around the website, but also track their movement across the internet and obtain sufficient personal information to form a profile of them.

The rules on cookies are covered by the Privacy and Electronic Communications Regulations 2003 (PECR), so this is not a new law. However, PECR are to be updated in early 2019 with the ePrivacy Regulation, which builds on GDPR.

PECR says that cookies must not be set on a computer unless the user has been provided with clear and comprehensive information about the existence of the cookies, what their purpose is, how long they will store information for and who they will pass information on to. The individual must also be given the right to refuse cookies. In other words, consent to set cookies must be obtained.

This consent must be consistent with the requirements of consent under GDPR, which means that consent must be freely given, informed, specific, unambiguous, granular and must be given by a clear affirmative action.

As an organisation, it is your responsibility to ensure that you can demonstrate that you have consent (accountability principle) before you process personal information and that the consent meets the criteria set out in GDPR. It is not the responsibility of the website designer, even though they may have set the cookies. It is not good enough to simply have a banner asking for a tick to accept all cookies, as they all have different purposes and this needs to be explained within your Cookie Notice.

Under the ePrivacy Regulation, it is likely that consent will not be required for certain cookies, such as analytical cookies or cookies which make the running of a website better. However, cookies that promote any form of marketing or can be used for profiling will continue to need consent, and the sanctions for failing to comply will be the equivalent of those in GDPR.