Privacy & cookies: best practice for compliance with GDPR and PECR | Square Eye

Privacy & cookies: best practice for compliance with GDPR and PECR

22 Apr 2021

This post outlines current best practice for compliance with the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR).  It also offers suggested solutions for managing and future-proofing the privacy and consent preferences of your target visitors around the world.

Requirements, in a nutshell

Your website should have:

  • A privacy policy compliant with GDPR / UK GDPR, that covers your use of personal data not only on your website but also in the rest of your business;
  • A cookie policy that explicitly lists the cookies used by WordPress, any third-party plugins and other services integrated with your website;
  • A system for asking website visitors for explicit consent to the use of cookies, for allowing them to change their preferences, and for recording their consent.

For best practice, your privacy and cookies statements should be separate, allowing each to be clearly signposted through a link from your website footer.

Your use of email when contacting past, current and potential clients should also conform with the GDPR & PECR requirements.

We’ve found that many of our clients took GDPR seriously when it was implemented in May 2018 and put a great deal of work into compliant privacy policies; however, the requirements of PECR for cookie consent were open to different interpretations at the time, and many organisations elected to do without a cookie consent system entirely, or to use an ‘informational only’ cookie banner that told visitors cookies were in use without asking for consent. In addition, many cookie policies fail to explicitly list the cookies in use on the site. Policies are also often not reviewed and kept updated when regulations change, such as in the transition from GDPR to UK GDPR after Brexit.

Future-proofing your policies

Privacy and consent regulations are not a new thing; the EU ePrivacy directive or ‘Cookie Law’, on which the PECR is based, came into being in 2002 and was responsible for the advent of the cookie banner. However, we have recently seen a lot of activity in the privacy and consent regulatory sphere, as people have become far more attached to their personal data and have got wise to how they can be tracked and targeted.

The introduction of the GDPR and the Data Protection Act (DPA) in May 2018 addressed a number of concerns about the rights of a data subject and, amongst other things, raised the profile of the website privacy policy. GDPR didn’t just apply to websites operated by organisations in the EU; it applied to any website whose target visitors included EU residents. This included a large share of American-owned websites; some of them, such as local newspaper sites, simply decided to block visitors from the EU, and still do to this day, to avoid having to deal with GDPR compliance. In the same way, the California Consumer Privacy Act (CCPA, 2018) and its replacement, the California Privacy Rights Act (CPRA, 2023), apply to websites with sizeable numbers of Californian customers. And then there’s Canada’s Consumer Privacy Protection Act (CPPA, 2021)…

And of course in January 2021 the UK officially left the EU and created its own UK GDPR; now all UK businesses providing services through a website to the EU will have to maintain both UK and EU compliant privacy and cookie policies.

Compliance will only become more challenging to manage; data privacy and the right to consent are global issues that are gaining momentum, yet they are handled in a myriad of ways. Data and consent legislation at a national (or US state) level is becoming commonplace and will affect anyone doing business (providing services or making sales) locally.

Privacy policies

This is a brief overview of issues to consider when creating compliant privacy policies. More detail on the UK GDPR is available in the Guide to UK GDPR on the Information Commissioner’s Office website.

  1. Your privacy policy should be a stand-alone, clearly labelled document, easily found on your website – usually via a link from your footer used on every page.
  2. To be GDPR compliant, it must explicitly inform the user of any data your business, or any third party services your website uses, collects, how it will be used, where it will be held, how long it will be held for, how the user can opt-out of the data being collected and what the user’s rights are with regard to their data. 
  3. International data transfer must also be considered and identified, for example, will the data collected by your website – or other means – be transferred to other locations outside of the UK?  You may use, for example, a mailing list service like Mailchimp based in the USA.
  4. If you target customers or clients worldwide, then regional data protection legislation may need to be considered, e.g. California Consumer Privacy Act (CCPA), California Online Privacy Protection Act (CalOPPA) and the federal Children’s Online Privacy Protection Act (COPPA).

Privacy law is evolving regularly; periodic reviews or an auto-updating privacy policy service can ensure you stay compliant over time.

Cookie policies

The PECR covers all aspects of electronic communications. The areas that are relevant to the management of your website are cookie consent, how that process is managed, and the privacy implications of website analytics, e.g. collecting website traffic and location data. Here are the headlines on how to make your cookie policy PECR compliant. More information on the PECR is available in the Guide to Privacy and Electronic Communications Regulations on the Information Commissioner’s Office website.

  1. This must be a clearly signposted document, easily found on your website. For best practice, it should not be combined with your privacy policy.
  2. It must explicitly state what cookies are used and why, with particular attention to third party cookies and how to remove them/switch them off.
  3. Cookies can be divided into two broad groups: ‘necessary’ (also sometimes referred to as ‘essential’, ‘functional’ or ‘technical’) and ‘unnecessary’. Necessary cookies, in short, make your website work, and no consent is required for them to be used. Everything else is deemed ‘unnecessary’, as the website would work without them, and explicit consent is required before they can be used. Unnecessary cookies can then be subdivided into groups so as to make setting preferences easier for the user; ‘statistics’ and ‘marketing’ are two such common groups. The cookie policy should contain directions on how the user can change their preferences with regard to each of these groups. A check box within the policy for this purpose is common.

Cookie consent bars

This is the pop-up box or bar that runs along the top or bottom of a website alerting the user to the fact the website uses cookies. It only appears the first time a user visits the site, or after a period of time has elapsed.

  1. In the past, it was thought enough to merely inform visitors that cookies were being used, or to obtain consent for the general use of cookies on the website. It is, however, necessary to obtain explicit consent for each of the different types of cookie used on a website. As outlined above in the cookie policy best practice section, the check box consent options commonly given are: Necessary, Statistics, Marketing.
  2. An ‘Accept all’ option is allowed as long as the option to select and save preferences is also available.
  3. The cookie bar must also offer access to further information on each of the cookies used on the website. This is often done by a link to the cookie policy.

Other legal documentation

Doing ‘business’ incurs risk and where possible businesses generally try to limit that risk. It is important to remember that your website is an extension of your business and it can expose the business to risk. In addition to website specific legal documentation, there are other legal documents that it can be helpful, and prudent, to include on your website.

  1. Terms of service: a document that limits liability by setting out the rules for using the website, as well as outlining how the business will conduct itself during the provision of any service given through the website.
  2. Disclaimer: a statement that limits liabilities, which can be particularly useful for businesses recommending third-party products or featuring information and advice that might not be appropriate for all website visitors to follow.

Penalties for non-compliance

The penalties for non-compliance with GDPR / UK GDPR / PECR can be steep, even if risk of suffering them is low; it’s important to understand the potential consequences.

  • GDPR: whichever is the higher of £2 million or 4% of annual worldwide turnover;
  • PECR: up to £500,000 fine;
  • And, of course, a loss of client trust if you are obviously non-compliant.


What steps can you take to be GDPR and PECR compliant?

You may already meet all the requirements above, with standalone compliant privacy and cookie policies, an explicit list of cookies used, and a cookie consent management system.  If you don’t, then you have various options open to you.

One is doing nothing – we don’t recommend this, but you may decide the risk of prosecution is small and the burden of compliance outweighs that risk.

Privacy & cookie policies

If you don’t already have compliant policies, then you may:

  • Write your own.
  • Use an online generator, of which there are many options; a popular option is Termageddon, or a basic one is Privacy Policy Generator.
  • Buy a document template pack from our GDPR consultants Herbert & Ball LLP, via their GDPR Privacy Policy website.  These templates are very comprehensive and come with detailed notes to assist you in tailoring them for your business.
  • Use a full privacy suite service which offers auto-updating policies and may include a cookie consent system too; popular ones include Complianz, Termly and Iubenda. They require a little work in customisation but make the process as easy as possible.
  • Or, if your needs are complex or irregular, you may wish to hire consultants to write your policies with/for you.  Herbert and Ball LLP have worked with some of our clients to create fully customised website documentation.

Cookie consent system

Again there are many cookie consent management systems compatible with WordPress websites.

  • If you take the (non-compliant) ‘informational-only’ approach, where you inform visitors that you use cookies but don’t ask their consent, there are many free plugins to handle this that can be installed quickly.
  • Out of the more advanced and polished systems which do offer fully compliant management of explicit consent and granular controls, we have worked with Complianz, Truendo, Termageddon and others. Our recommendation is Complianz, which offers:
    • Complianz (free):  if your privacy policy is already up-to-date, you will review it manually, and you don’t need additional documents like a website terms of service, then the free version of Complianz will handle your user cookie consent for you.  It can be branded to suit your website look & feel.
    • Complianz (premium):  includes additional features such as auto-updating privacy and cookie policies (to conform with changes in legislation), terms of service, disclaimer, full consent statistics and a geodetection system so you only show appropriate cookie banners and policies to the right visitors, depending on their region.  Price is $45/yr.

Note: any cookie management system may need a little work integrating with other plugins and services on your website, to make sure they can be disabled depending on user choices.
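As an added illustration of the consent behaviour described in the cookie policy and cookie consent bar sections above, and of the integration point in the note just given, the following JavaScript is example code written for this page; it is not code from Square Eye, Complianz or any other plugin or service named here. It assumes a first-party cookie called cookie_consent (a name chosen for the example), a one-year period after which the banner is shown again, and a constructed registry of scripts with placeholder URLs; the three categories are the Necessary / Statistics / Marketing groups used above. The point it shows is the one the text makes: scripts in the Necessary group load without consent, everything else loads only after the visitor has explicitly ticked its category, and a missing, malformed or expired consent record falls back to Necessary only.

```javascript
// Added example, not Square Eye's or any plugin's code. A minimal consent gate:
// read the visitor's recorded choices, decide which registered third-party
// scripts may load, and only then inject them into the page.

const CATEGORIES = ["necessary", "statistics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";   // assumed cookie name for this example
const CONSENT_MAX_AGE_DAYS = 365;          // assumed re-consent period

// Constructed sample registry: each integration is tagged with the consent
// category it needs. The URLs are placeholders, not real services.
const SCRIPT_REGISTRY = [
  { id: "session",   category: "necessary",  src: "/assets/session.js" },
  { id: "analytics", category: "statistics", src: "https://analytics.example/tag.js" },
  { id: "ads",       category: "marketing",  src: "https://ads.example/pixel.js" },
];

// Build the record written to the cookie. "necessary" is always true because
// no consent is required for cookies that make the site work; the other two
// are true only when the visitor explicitly ticked them.
function buildConsentRecord(choices, nowMs) {
  return {
    version: 1,
    ts: nowMs,
    necessary: true,
    statistics: choices.statistics === true,
    marketing: choices.marketing === true,
  };
}

// "Accept all" is simply every category set to true; it is offered alongside
// the granular choice, never instead of it.
function acceptAll(nowMs) {
  return buildConsentRecord({ statistics: true, marketing: true }, nowMs);
}

// Parse the consent record out of a raw document.cookie string. Anything
// missing or malformed yields null, which callers treat as "no consent".
function parseConsentCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join("=")));
      if (rec && rec.version === 1 && typeof rec.ts === "number") return rec;
    } catch (_) { /* malformed value: fall through to null */ }
    return null;
  }
  return null;
}

// Serialise a record for document.cookie. Secure and SameSite=Lax keep the
// first-party consent cookie from being sent in cross-site requests.
function serialiseConsentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// The banner is shown on a first visit or once the stored record has expired.
function shouldShowBanner(record, nowMs) {
  if (!record) return true;
  const ageMs = nowMs - record.ts;
  return ageMs < 0 || ageMs > CONSENT_MAX_AGE_DAYS * 24 * 60 * 60 * 1000;
}

// Decide which registered scripts may load. Without valid consent only the
// "necessary" group runs; a script in an unknown category is never allowed.
function allowedScripts(record, nowMs, registry = SCRIPT_REGISTRY) {
  const effective = shouldShowBanner(record, nowMs)
    ? buildConsentRecord({}, nowMs)   // no valid consent: necessary only
    : record;
  return registry
    .filter((s) => CATEGORIES.includes(s.category) && effective[s.category] === true)
    .map((s) => s.id);
}

// Browser glue: inject only the permitted <script> tags. Guarded so the pure
// functions above can also be exercised outside a browser.
function applyConsent(record, nowMs = Date.now()) {
  const ids = allowedScripts(record, nowMs);
  if (typeof document === "undefined") return ids;
  for (const s of SCRIPT_REGISTRY) {
    if (!ids.includes(s.id)) continue;
    const el = document.createElement("script");
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
  }
  return ids;
}
```

In a real site the banner's "Save preferences" handler would call buildConsentRecord with the ticked boxes, write serialiseConsentCookie(record) to document.cookie, and then call applyConsent; on every later page load, applyConsent(parseConsentCookie(document.cookie)) repeats the decision. The fail-closed default is the part worth keeping whatever plugin you use: a tag that is not gated on its category will still fire for visitors who never consented.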

Disclaimer

  • Square Eye receives no financial incentive for recommending the service providers featured in this post. Their recommendation is based on comparative research undertaken by the company.
  • We are not legal professionals and this is not legal advice; we relay information from the various sources referenced in this post.

Need a hand?

If you’d like a hand from Square Eye achieving compliance or improving the user experience of your privacy & cookie systems, let us know which areas you think are in need of attention.
