GDPR: time to stop force-feeding cookies

If you have a website, it almost certainly sets cookies on visitors' devices: the site sends them with its responses and the visitor's browser stores them. A cookie is a small piece of text. On each later request to the same website, the browser sends the cookie back, so the website can learn a little about the user – for example, the time of their last visit to that website.

As you probably know, there are laws governing the receipt and processing of people's information, and these laws will become stricter when the EU's General Data Protection Regulation (GDPR) comes into force on 25 May.

What does data protection law say about cookie use?

In brief:

  1. If a cookie, together with other information you have, could allow you to profile a person, it's covered by the GDPR. Briefly, profiling means to use the data to evaluate certain aspects of the person, such as their economic situation, health or behaviour. This is significant as previous legislation (Data Protection Act 1998) was silent on the issue.
  2. Like with other information, before setting that cookie you must display a privacy notice explaining what cookies you use and what you intend to do with the information.
  3. Unless a cookie is strictly necessary for a service the user has requested from you, you must not set it without the user's consent.
  4. The law is only partly derived from the GDPR. It's also derived from the EU's older ePrivacy Directive. At the time of writing, this is being updated so it sits better with the GDPR, but currently we're working with the older version.

More on cookies

Some of the information gathered by cookies is essential to services requested by the website user. For example, cookies may allow your website to remember whether the user is logged in or what's in their shopping basket. You don't need their permission to place these types of cookies on their device, but you must tell them you're doing so.

Cookies are also used to:

The Information Commissioner's Office (ICO) considers only a small range of activities to be strictly necessary. The other 3 types of cookies require consent.

You may have heard the term 'third-party cookie'. These are set by a domain other than the one the user knowingly visited – in particular by advertisers whose adverts the operator has allowed to display on the site. The browser sends such a cookie back only to the third party, not to the website actually visited. Even where the third party uses those cookies not just for advertising but for services it regards as essential to its own operation, the information still isn't essential to the service the user requested from you. Accordingly, that cookie must not be set unless either you or the third party has obtained consent.

But how do you get consent?

Currently, websites generally give a brief pop-up notice saying they use cookies and that continuing to use the website indicates the user's acceptance of cookies. That notice often has a box for indicating consent, but provides no meaningful alternative – that's the first problem. In addition:

The ICO's opinion is that no existing browser offers adequate consent options. So if your website relies on users' browser settings to signal consent, it's sensible to change that approach.

In our opinion, the best way of getting consent is to explain your use of cookies and give specific options on your website. For example, before setting any cookies, your website could display a notice listing the cookies it uses, explain what they're for, and ask the user which of the non-essential cookies they're happy to store on their browser.
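The approach described above needs a gate in front of every cookie the site sets: essential cookies go through unconditionally, everything else is refused until the user has opted in to its category, and withdrawing consent removes what was already set. The following is an added example of such a gate, not code from the original article; the category names, the consent-record cookie name and the cookie names used in the walk-through are assumptions for illustration. The cookie jar is abstracted so the same logic can run against document.cookie in a browser or in memory for testing.

```javascript
// Consent-gated cookie setting (added example; names are illustrative).
// "essential" is always allowed; other categories require an opt-in.
const CATEGORIES = ["essential", "analytics", "advertising"];
const CONSENT_COOKIE = "cookie_consent"; // assumed name; it is itself essential
const SIX_MONTHS = 60 * 60 * 24 * 180;

// Build a Set-Cookie style string with safe defaults (Path=/, SameSite=Lax, Secure).
function serialise(name, value, attrs = {}) {
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
  s += `; Path=${attrs.path || "/"}`;
  if (attrs.maxAge !== undefined) s += `; Max-Age=${attrs.maxAge}`;
  s += "; SameSite=Lax";
  if (attrs.secure !== false) s += "; Secure";
  return s;
}

// Jar backed by document.cookie; only usable in a browser.
class BrowserJar {
  set(name, value, attrs) { document.cookie = serialise(name, value, attrs); }
  del(name) { document.cookie = serialise(name, "", { maxAge: 0 }); }
  get(name) {
    for (const part of document.cookie.split("; ")) {
      const [k, ...v] = part.split("=");
      if (decodeURIComponent(k) === name) return decodeURIComponent(v.join("="));
    }
    return null;
  }
}

// In-memory jar with the same interface, for tests and server-side use.
class MemoryJar {
  constructor() { this.m = new Map(); }
  set(name, value) { this.m.set(name, value); }
  del(name) { this.m.delete(name); }
  get(name) { return this.m.has(name) ? this.m.get(name) : null; }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.owned = new Map();       // cookie name -> category, so withdrawal can clean up
    this.consent = this.load();   // { essential: true, analytics?: true, ... }
  }

  // Read the stored choice; unknown or non-listed categories are ignored.
  load() {
    const out = { essential: true };
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw) {
      for (const c of raw.split(",")) {
        if (CATEGORIES.includes(c) && c !== "essential") out[c] = true;
      }
    }
    return out;
  }

  // Record a new choice. `granted` lists the non-essential categories opted in to.
  // Cookies in a category that just lost consent are deleted.
  update(granted) {
    const next = { essential: true };
    for (const c of granted) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      next[c] = true;
    }
    for (const [name, cat] of this.owned) {
      if (!next[cat]) { this.jar.del(name); this.owned.delete(name); }
    }
    this.consent = next;
    const record = Object.keys(next).filter((c) => c !== "essential").join(",");
    this.jar.set(CONSENT_COOKIE, record, { maxAge: SIX_MONTHS });
  }

  allowed(category) { return Boolean(this.consent[category]); }

  // Returns true if the cookie was set, false if refused for lack of consent.
  set(name, value, category, attrs) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.allowed(category)) return false;
    this.jar.set(name, value, attrs);
    this.owned.set(name, category);
    return true;
  }
}

// Walk-through on constructed data: a fresh visitor, an opt-in, then a withdrawal.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  const sessionSet = gate.set("session", "abc", "essential");       // true: always allowed
  const refused = gate.set("analytics_id", "x1", "analytics");     // false: no consent yet
  gate.update(["analytics"]);                                      // user opts in to analytics
  const afterOptIn = gate.set("analytics_id", "x1", "analytics");  // true
  gate.update([]);                                                 // withdrawal deletes analytics_id
  return {
    sessionSet, refused, afterOptIn,
    analyticsAfterWithdraw: jar.get("analytics_id"),               // null
    sessionKept: jar.get("session"),                               // "abc"
  };
}
```

Two points worth noting. The consent record is stored in a cookie, which is itself a strictly necessary cookie: without it the site cannot remember the choice and would have to ask on every visit. And the gate can only control cookies your own scripts set; a third-party advert or analytics script sets cookies on its own domain, so for those categories the same `allowed()` check must decide whether the third-party script tag is injected at all, not merely whether a cookie call goes through.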

How we can help

Before the GDPR comes into force on 25 May, our Privacy and cookie policy for a website will be updated.

If you want more information on other parts of the GDPR, you may wish to read these articles in our previous bulletins:


Don't cap zero-hours workers' holiday pay at 12.07%

All workers have a right to 5.6 weeks of paid annual leave each year. You must grant them the leave, and pay them as you normally would. In general, you must not pay instead of granting them leave – that would discourage taking holiday.

But how do you do this for zero hours workers?

They're not guaranteed work from you, so you might not have an opportunity to grant them their leave in the normal fashion. And even if they are guaranteed work, it's not obvious how much to pay for that holiday.

A common practice has been to add 12.07% of the time spent on the job, or 7.24 minutes each hour, calling it annual leave and paying accordingly. That's because 5.6 weeks is 12.07% of the standard working year of 46.4 weeks (52 minus 5.6). Guidance from both the Advisory, Conciliation and Arbitration Service (Acas) and the Government supports that approach. In a recent case, however, the Employment Appeal Tribunal (EAT) ruled that employers can't always use that figure.

This case involved a teacher who worked mostly during school term-time, which was between 32 and 35 weeks. She was required to take her holiday during school holidays, and she was paid for it at the end of each term at the rate of 12.07% of the hours worked during that term.

The problem with that approach is that the legislation says that for a worker without standard hours, a week's pay is the average of the previous 12 weeks' pay (omitting any week with no pay). Because the teacher only worked during term time, the 12-week average was actually 17.5% of her annualised hours.

This does not directly affect the practice of rolling up holiday entitlement. What it means, however, is that holiday pay should be calculated by reference to an actual average of the previous 12 weeks (discounting weeks with no pay) if possible. In this teacher's example, using 12.07% didn't produce the right result.

However, this method of rolling up holiday entitlement is contentious and should only be used where it would not be practical to grant actual leave because the worker's hours are too variable. In particular, if they're working on short assignments, granting leave doesn't make sense. For the same reason, calculating the average pay for the past 12 weeks is also likely to be impractical. Accordingly, in those circumstances using the 12.07% method is probably acceptable.

What this means for you

If possible, you should always grant actual holiday at the rate of 5.6 weeks per year. If it's not practical to do that, it's acceptable to 'roll up' holiday pay by designating 12.07% of the time worked as holiday. If you do that, you should where possible calculate holiday pay by reference to the average pay in the previous 12 weeks. If that isn't possible either, it's ok to calculate holiday pay as 12.07% of pay.

How we can help

We have a new Zero hours worker agreement, in which holiday and holiday pay are addressed both in the contract and in the guidance notes.


Make sure you have a robust anti-bribery policy

Imagine you discover that your company's managing director had made a series of bribes. You investigate and dismiss that director. You also cooperate with the police and voluntarily provide confidential information relating to your investigation.

Would the company still be at risk of prosecution?

Yes. Even if your business is small. Section 7 of the Bribery Act 2010 says that a commercial organisation is guilty of an offence if someone associated with it bribes another person. It is a defence if you have adequate procedures in place to prevent it.

This offence, which was new with the 2010 legislation, was tested in court for the first time recently. The company was convicted, and the ruling shows that the procedures would have to be quite robust to provide adequate protection against conviction.

The following points are worth noting:

  1. It was a small business operating out of one open-plan office – it didn't need detailed compliance controls.
  2. The prosecution accepted that not paying bribes was common sense – staff didn't need a detailed policy saying that, especially as they had policies requiring ethical, open and honest conduct.
  3. The company also had financial controls with a system of checks and balances for settling invoices, and the largest bribe was stopped before it was paid.
  4. However, the jury thought that these financial controls were insufficient to meet the adequate procedures defence.
  5. In particular, the prosecution was concerned that there was little record of the company's efforts to instil a compliance culture.
  6. Cooperation with authorities, though commendable, was not directly relevant: action after an event can't prevent that event from occurring.

What this means for you

Obviously, you shouldn't bribe. But in addition, however small your business is, you should be proactive in instilling an anti-bribery stance and vigilant in looking out for bribery by staff.

It's crucial that you retain records of compliance-related discussions and activities within the business. This particularly applies to small businesses, where discussions may all be informal and face-to-face – you may wish to follow up discussions on compliance issues with a written record or at least make a contemporaneous note that you can produce if needed.

How we can help

You may wish to begin with the anti-bribery section of our Employee handbook.