13 May 2024

No one reads T&Cs – do I need to bother with a privacy or cookie policy?

Businesses must obtain user consent for non-essential cookies, including those used for marketing or advertising. There are strict requirements around the validity of consent, including that it must be freely given and can be withdrawn at any time.

Alena Makarevich | CORPORATE AND COMMERCIAL ASSOCIATE

Business owners who want to establish a new website for their retail business and want to minimise the cost of setting it up may be tempted to overlook adding a cookie banner or including a privacy policy page. They may believe that cookie banners are nothing more than an irritating pop-up, or that no one reads a privacy policy. The focus may be on creating a great user experience instead.

However, in a series we’re calling “No One Reads T&Cs”, Corporate and Commercial Associate Alena Makarevich, here at Primas Law, warns against forgoing these important elements.

While cookie banners may seem like an unnecessary nuisance, the law requires businesses to provide information about cookies used on their website and to give users a choice of what cookies they want to allow. At Primas, we advise businesses to consider their risks in light of a recent warning from the UK regulator (the Information Commissioner’s Office, or the “ICO”) to proactively make advertising cookies compliant.

The current UK legislation in relation to cookies and data protection has been around for some time, but many online businesses are still catching up. However, the importance of complying with data protection law should not be underestimated, with the ICO having the power to impose hefty fines on non-compliant businesses. For example, in 2023 TikTok was fined £12.7 million for misusing children’s data.

Cookies are small text files that can be implanted on users’ devices when they visit a website.

Cookies track a user’s journey on the website, creating a unique profile which is valuable to businesses. This information can be used for purposes such as tracking users’ preferences, personalising online ads and providing website functionality and security.

Many businesses will seek to sell the information collected to third parties for marketing purposes, thereby commercialising the information they collect. In addition, businesses wishing to rent out their website space for behavioural advertising will likely be utilising third-party cookies.

Regardless of whether or not information collected includes personal data, businesses must be transparent about the use of both first-party and third-party cookies and must ensure that website users are provided with a clear, comprehensive and visible notice on the use of the cookies, for example via a banner, a pop-up, a message bar, header bar or similar. Cookie Policies and Privacy Policies can help businesses meet transparency requirements.

Businesses must obtain user consent for non-essential cookies, including those used for marketing or advertising. There are strict requirements around the validity of consent, including that it must be freely given (this means no pre-ticked boxes) and can be withdrawn at any time.

The ICO has recently warned organisations to proactively make advertising cookies compliant. This followed from the UK’s top 100 websites receiving notices in November 2023, warning that businesses would face enforcement action for non-compliance. The ICO is not stopping there, with plans to issue further notices. The regulator is developing an AI solution to help identify websites using non-compliant cookie banners and has advised all organisations to take action now.

The ICO Cookies Guidance provides more information about the use of cookies: Guidance on the use of cookies and similar technologies | ICO

The European Data Protection Board (“EDPB”) has recently launched a free website auditing tool, which can be used to help businesses assess website compliance: Guidance on the use of cookies and similar technologies | ICO. While EDPB guidelines and tools are no longer directly relevant to the UK regime, the website auditing tool may still be helpful to UK businesses, particularly those that offer goods or services in the EU. A word of warning: the UK data protection regime may further diverge from its EU cousin as a result of the Government’s proposals for reform.

If you’re a business owner and want to learn more about this topic, check out our comprehensive guide to standard terms and conditions or contact our Corporate and Commercial Associate, Alena Makarevich, directly via alena.makarevich@primaslaw.co.uk.
