Please note that none of the information in this blog constitutes legal advice.
We recommend referring to the Information Commissioner's Office advice on cookies.
To get straight to the point on cookies
You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given. You cannot initiate cookies unless a user has opted-in to them.
There is an exception for cookies that are essential to provide an online service at someone’s request (e.g. using a log in function on a website).
How do I know the difference between my cookies?
- Necessary cookies
- Analytics cookies
- Marketing cookies
Double chocolate chip cookies
Necessary cookies are essential for you to browse a website and use its features, such as accessing secure areas of the site. An example of a necessary cookie on the Church of England website is one that allows an application called Cloudflare to run. We use Cloudflare to help make our website more secure and ensure it is available even if our servers go down. This enables our website to run online and so is classed as a necessary cookie.
You do not need consent from the visitor of the website to run necessary cookies.
The analytics cookie you're most likely to use is Google Analytics. You can read a blog about getting Google Analytics set up on your website, if you haven’t already. You might be using a different analytics package to track how people are using your website, but because it’s not required to make the website work, it can't be classed as necessary.
You must have consent from the user of the website to run any form of analytics cookies.
Marketing cookies are less likely to be used on church websites, but they're useful to help customise content to people accessing your website through various channels. One marketing cookie is the Facebook Pixel. This effectively allows you to engage audiences of people who access your website through certain social media posts in order to advertise to them. For example, you may track (anonymously) who clicks through a post advertising a choir you’ve got set up at your church. For all those that clicked through to read more on your website, you may then want to advertise a post to them about other events and activities you think they may be interested in, such as when the choir next meets or if there’s a special event involving live music. Again, as it’s not required to make the website work it can't be classed as necessary.
You must have consent from the user of the website to run any form of marketing cookies.
How do I implement this on my website?
Depending on how you run your website, there are lots of different ways to gain consent for the cookies used on your site:
- If you use a common Content Management System (CMS) like WordPress or Drupal, you can download or purchase plugins or modules that will allow you to easily set this up in the CMS.
- If you code your website from scratch, you’re going to need to find a service online that gives you code that you can then amend to suit your needs (if you’re coding your website, you probably know how to do this already!).
- If you rely on a third party to look after your website, you should get in touch with them and make sure they have implemented cookies as per GDPR guidelines.
This blog from the Information Commissioner’s Office (ICO) is a really good starting point in understanding how things should be running.
For the Church of England national websites, we use a service called Civic Cookie Control, which is a Drupal module we’ve installed on our website. There’s a free version and paid-for versions, which allow you to customise the look and feel of the module.
We then break down each category of cookies with a short description, along with the ability to turn on Analytics or Marketing cookies individually. Remember that Necessary cookies do not need opt-in consent to run and so these are already running. A user can always disable these cookies from their browser, but this may result in the website not functioning correctly.
We've also provided an Accept Recommended Settings button that turns on all our cookies in a single click. This enables people to opt-in quickly and simply, while still complying with GDPR and PECR.
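For a site coded from scratch, the opt-in behaviour described above can be sketched as follows. This is an added example, not Civic Cookie Control's code or code from the original post; the `cookie_consent` cookie name, its value format, the 180-day lifetime and all function names are assumptions made for illustration.

```javascript
// Added example; every name and value here is hypothetical.
const OPT_IN = ["analytics", "marketing"]; // necessary cookies need no consent

// Constructed script inventory, using the examples named in the text.
const SCRIPTS = [
  { name: "cloudflare", category: "necessary" },
  { name: "google-analytics", category: "analytics" },
  { name: "facebook-pixel", category: "marketing" },
];

// Read "cookie_consent=analytics:1|marketing:0" from a document.cookie string.
// Default-deny: the cookie is user-controlled input, so a missing, malformed
// or unknown entry never grants consent. Only the exact flag "1" counts.
function parseConsent(cookieString) {
  const consent = { analytics: false, marketing: false };
  const pair = String(cookieString || "")
    .split(";")
    .map((p) => p.trim())
    .find((p) => p.startsWith("cookie_consent="));
  if (!pair) return consent;
  for (const item of pair.slice("cookie_consent=".length).split("|")) {
    const [category, flag] = item.split(":");
    if (OPT_IN.includes(category)) consent[category] = flag === "1";
  }
  return consent;
}

// Build the Set-Cookie / document.cookie string that remembers the choice.
// Max-Age of 180 days is an assumed value, not one taken from the post.
function serializeConsent(consent) {
  const value = OPT_IN.map((c) => `${c}:${consent[c] === true ? 1 : 0}`).join("|");
  return `cookie_consent=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// The "Accept Recommended Settings" button: one click opts in to everything.
function acceptRecommended() {
  return { analytics: true, marketing: true };
}

// Only these scripts may be injected into the page for the given consent.
function scriptsToLoad(consent) {
  return SCRIPTS
    .filter((s) => s.category === "necessary" || consent[s.category] === true)
    .map((s) => s.name);
}
```

In the browser, call `scriptsToLoad(parseConsent(document.cookie))` on page load and inject only the returned scripts, so analytics and marketing tags never run before the visitor opts in.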
Cookies policy page
- The cookies that are active on your website
- What data you’re tracking
- What you’re using this information for
- Where their data is being sent.
Having a page like this enables you to go into further detail, without overloading users with information on the initial pop-up when they first visit your website. You can even use a template service like cookiespolicytemplate.com to help you create a compliant page.
Can I have a checklist of tasks?
Of course, you can!
✅ Check which cookies your website is currently using
- Use a tool like Cookiebot. It will ask for your email address to send the report to, but will not retain it.
- Use this report to work out which cookies you need to tell users about and how each cookie should be categorised.
✅ Update your website to make it GDPR and PECR compliant
- If you use a popular CMS, you shouldn't have to pay for a plugin or module unless you want to heavily customise it. Still, free ones should do most of this. (Here is one for WordPress and one for Drupal.)
- If you build your own website using code, you probably know where to go to find resources to implement this. Here's one.
- If you pay a third party to manage your website, instruct them to implement this functionality.
- Make a link that's accessible via every page, most likely in the footer, so that people can always find it.
One of the great features of A Church Near You is that all this has been developed and is constantly updated on your behalf by the national digital team. We work with our web supplier to ensure that the website stays up to date with GDPR, DPA 2018 and future legislation. With this taken care of, you can focus your time on inviting and welcoming people to church.
Web and Insights Manager