Cookies 101: What cultural organisations need to know

Cookies have been a hot topic in online privacy debates for many years. The Privacy and Electronic Communications Regulations brought us those cookie banners you see everywhere, and the arrival of the General Data Protection Regulation in 2018 introduced an additional level of requirements.

There still seems to be some confusion over what an organisation needs to do with regard to cookies. The simple version is that a website should ask people before loading any advertising or analytics tools that set cookies.

If your website doesn’t do that then you can run into various different headaches, which we’ll cover below.

First, let’s break down what cookies are, how their use is governed and what approach we recommend our clients take to ensure they’re compliant.

What are cookies?

Cookies are little text files that live in your web browser. For the most part, they’re very useful. Websites use cookies to remember whether you’ve logged in and what items you might have added to your cart.

Analytics tools use cookies to keep track of whether the same (anonymised) user visits multiple pages or comes back to the website sometime later, among other things.

They can also be misused, with some cookies following you around the web for the purposes of building up behaviour profiles. As these have become more prevalent, so have calls for increased privacy online.

What is the law on cookie consent?

We should start off by saying that we’re not lawyers. Please don’t rely on this article for legal insight. However, we can share with you our understanding of commonly accepted best practices.

In the UK there are two main pieces of legislation to be aware of: PECR and GDPR.

The Privacy and Electronic Communications Regulations (PECR) gives people specific privacy rights in relation to electronic communications. This covers a wide range of uses and devices, including how websites use cookies, and was originally created way back in 2002. It’s because of PECR that cookie notifications started appearing on websites some time ago.

Sitting alongside PECR is the better-known and more recent General Data Protection Regulation (GDPR). This strengthened privacy rules and clarified what was required from website operators, especially with regard to cookie consent.

So, what counts as consent?

Under PECR, it was generally understood that website visitors only needed to be notified that cookies were being used. Continued use of that website was taken to be evidence of ‘consent’.

There was a grey area around whether you could start tracking people before they’d been notified, but there was no specific enforcement of this.

GDPR has a much higher standard of consent, requiring that it be “unambiguous and involve a clear affirmative action”. That means websites must:

  1. Ask people if they want to opt-in to cookies and tracking (and which types of tracking)

  2. Be clear about why cookies are being used and what they are for

  3. Only start tracking if they’ve opted in, and not before

  4. Give people the ability to change their mind at a later time

If your website is not fulfilling each of those points, then you are not compliant. Simple as that.
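
The four points above, sketched as a consent gate in JavaScript. This is an added example, not code from this article's author or from any consent platform; `ConsentGate`, `CATEGORIES`, `memoryStore` and the storage key `consent` are hypothetical names, and the `load`/`unload` callbacks stand in for whatever starts or stops a real tag.

```javascript
// Hypothetical names throughout (added example). Point 2: each category states its purpose.
const CATEGORIES = {
  necessary: { purpose: 'Login state and basket contents', required: true },
  analytics: { purpose: 'Counting visits and returning visitors', required: false },
  advertising: { purpose: 'Conversion measurement and remarketing', required: false },
};
class ConsentGate {
  // store: anything with getItem/setItem, e.g. window.localStorage in a browser.
  constructor(store) {
    this.store = store;
    this.tags = [];
    this.choices = this.read();
  }
  // Point 3: anything not explicitly saved as true is treated as "no".
  read() {
    let saved = {};
    try { saved = JSON.parse(this.store.getItem('consent') || '{}') || {}; } catch (e) { saved = {}; }
    const choices = {};
    for (const [name, cat] of Object.entries(CATEGORIES)) {
      choices[name] = cat.required || saved[name] === true;
    }
    return choices;
  }
  // Tags are started only through the gate, never directly by the page.
  register(category, load, unload = () => {}) {
    if (!Object.keys(CATEGORIES).includes(category)) throw new Error(`unknown category: ${category}`);
    this.tags.push({ category, load, unload, loaded: false });
    this.apply();
  }
  // Points 1 and 4: per-category opt-in, which can be reversed later.
  update(changes) {
    for (const [name, value] of Object.entries(changes)) {
      const known = Object.keys(CATEGORIES).includes(name);
      if (known && !CATEGORIES[name].required) this.choices[name] = value === true;
    }
    this.store.setItem('consent', JSON.stringify(this.choices));
    this.apply();
  }
  apply() {
    for (const tag of this.tags) {
      const allowed = this.choices[tag.category];
      if (allowed && !tag.loaded) { tag.load(); tag.loaded = true; }
      else if (!allowed && tag.loaded) { tag.unload(); tag.loaded = false; }
    }
  }
}
// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStore() {
  const data = new Map();
  return { getItem: (k) => (data.has(k) ? data.get(k) : null), setItem: (k, v) => { data.set(k, String(v)); } };
}
```

In a browser, `unload` is the place to stop the tag and delete the cookies it set when a visitor withdraws consent.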

Here’s a real world example, taken from the British Museum’s website. Upon arrival a visitor is immediately presented with their cookie consent banner. Visitors are not able to view the website without first engaging with the banner:

If a website visitor clicks on the ‘manage cookies’ option, this window is displayed:

By default only the ‘necessary’ option is active here. Each of the cookie categories is succinctly explained, and visitors can adjust their settings accordingly. There’s also a link to finding out more, and it’s clear that visitors can change their mind at a later date.

How serious is it if we’re not cookie compliant?

The rules are pretty clear, but we’ve certainly come across some organisations that consider it too much of a hassle to become compliant.

Doing nothing is certainly an option, but it’s worth weighing up the consequences. There are three things to think about:

  1. The hassle of enforcement or litigation. You might look at the ICO’s list of enforcement actions and think that you won’t be a high priority for them. However, we have seen instances of individuals and privacy advocates threatening private litigation (in some cases offering to settle for a sum).

  2. Some of the advertising and analytics tools stipulate in their T&Cs that you will abide by the rules. That’s certainly now the case with Google Ads and Google Analytics.

  3. The many benefits of treating your audience with respect.

While it can be frustrating to have to spend time and resources on cookie consent management, remember that not only are you protecting your audience’s privacy but also your organisation’s reputation.

What are my options?

There are two main approaches:

  1. Install a cookie consent management tool that gives people granular control over the cookies they do and don't accept (this is the approach we recommend).

  2. Use a website plugin that blocks all analytics and advertising tags (typically everything contained in a Google Tag Manager container) until consent is given. These tend to be simpler to set up but are more limited and usually result in more data being lost.

There are a number of cookie management platforms to choose from that will help you meet your obligations. We’ve worked on successful implementations using Cookiebot, OneTrust and Cookie Control, which are all good places to begin your research.

Please do get in touch if you’d like to chat about your specific situation.

Are we going to lose all our data?

Giving users control over how cookies are used will inevitably reduce the volume of analytics data you receive.

Most of the clients for which we’ve implemented cookie consent managers were pleasantly surprised to only see a reduction of 10-20% of their data, although this will vary depending on the design of the cookie banner.

How this affects you in practical terms will depend on how you use your data. Analytics tools (such as Google Analytics) tend to work with aggregate numbers and long-term trends, so as long as you still have a significant amount of data flowing through you will likely be able to carry on as normal.

Where you may be more restricted is in dealing with specific users and actions, such as measuring conversions and building remarketing audiences.

Can I do any tracking without using cookies?

Yes, it is possible to collect information and data on your website without using cookies, though these methods inevitably tend to be more restrictive in what they offer.

This is a developing area which is likely to change considerably over time as new technologies and solutions emerge.

  • Google Analytics 4 comes with something called Consent Mode. When used, GA4 and Google Ads will take account of a user’s cookie preferences. If consent isn’t given, some data is still collected and is used for modelling attribution of conversions (i.e. guesstimating).

  • As Google continues to talk about phasing out third-party cookies and focusing on first-party data, you’ll hear about other cookieless solutions they have in the works like Google Topics.

What to do if you need some help

We have a follow-up article looking specifically at cookie consent for museums and theatres, which you should add to your reading list.

At One Further we’ve helped many arts and culture organisations with their cookie consent projects including the British Museum, National Portrait Gallery, Royal Academy of Arts, Royal Museums Greenwich, Tate, and the V&A. 

If this is something you’d like a hand with then please get in touch and let’s have a chat. Or to keep up to date with the latest developments, you can sign up to our mailing list below.
