What are cookies and what do I need to know about them?


Cookies are small text files that are downloaded to device when a user accesses a website. It allows a website to recognise that user’s device and store some information about the user’s preferences or past actions.

You might be thinking: “What on earth has that got to do with my church website?” If you track any analytics on your website, use code like Facebook Pixel or even embed YouTube videos, then you’ll be using cookies; whether you know about it or not! This blog looks at what you need to think about when building a church website that uses cookies.

Scanning for cookies.

Please note that none of the information in this blog constitutes legal advice.

We recommend referring to the Information Commissioner's Office advice on cookies.

Due to GDPR (General Data Protection Regulation) and the PECR (Privacy and Electronic Communications Regulations), there are some important and mandatory actions that relate to the use of cookies on websites.

To get straight to the point on cookies

You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given. You cannot initiate cookies unless a user has opted-in to them.

There is an exception for cookies that are essential to provide an online service at someone’s request (e.g. using a log in function on a website).

How do I know the difference between my cookies?

Most of the time, a church website’s use of cookies is going to fall under one of the categories below:

  • Necessary cookies
  • Analytics cookies
  • Marketing cookies
  • Double chocolate chip cookies

Necessary cookies

These cookies are essential for you to browse a website and use its features, such as accessing secure areas of the site. An example of a necessary cookie on the Church of England website is one that allows an application called Cloudflare to run. We use Cloudflare to help make our website more secure and ensure it is available even if our servers go down. This enables our website to run online and so is classed as a necessary cookie.

You do not need consent from the visitor of the website to run necessary cookies.

Analytics cookies

The most likely cookie this will be for you is Google Analytics. You can read a blog about getting Google Analytics set up on your website, if you haven’t already. You might be using a different analytics package to track how people are using your website, but because it’s not required to make the website work, it can't be classed as necessary.

You must have consent from the user of the website to run any form of analytics cookies.

Marketing cookies

Marketing cookies are less likely to be used on church websites, but they're useful to help customise content to people accessing your website through various channels. One marketing cookie is the Facebook Pixel. This effectively allows you to engage audiences of people who access your website through certain social media posts in order to advertise to them. For example, you may track (anonymously) who clicks through a post advertising a choir you’ve got set up at your church. For all those that clicked through to read more on your website, you may then want to advertise a post to them about other events and activities you think they may be interested in, such as when the choir next meets or if there’s a special event involving live music. Again, as it’s not required to make the website work it can't be classed as necessary.

You must have consent from the user of the website to run any form of marketing cookies.

How do I implement this on my website?

Depending on how you run your website, there are lots of different ways to gain consent for the cookies used on your site:

  • If you use a common Content Management System (CMS) like WordPress or Drupal, you can download or purchase plugins or modules that will allow you to easily set this up in the CMS.
  • If you code your website from scratch, you’re going to need to find a service online that gives you that code that you’ll then be able to amend in order to suit your needs (if you’re coding your website, you probably know how to do this already!).
  • If you rely on a third-party to look after your website, you should get in touch with them and make sure they have implemented cookies as per GDPR guidelines.

This blog from the Information Commissioner’s Office (ICO) is a really good starting point in understanding how things should be running.

For the Church of England national websites, we use a service called Civic Cookie Control, which is a Drupal module we’ve installed on our website. There’s a free version and paid for versions, which allow you to customise the look and feel of the module.

We've set this up in a way that clearly explains how and why we use cookies at the top, followed a link to our cookies policy that goes into this in more detail. 

We then break down each category of cookies with a short description, along with the ability to turn on Analytics or Marketing cookies individually. Remember that Necessary cookies do not need opt-in consent to run and so these are already running. A user can always disable these cookies from their browser, but this may result in the website not functioning correctly.

We've also provided an Accept Recommended Settings button that turns on all our cookies in a single click. This enables people to opt-in quickly and simply, while still complying with GDPR and PECR. 

Cookies policy page

A single page dedicated to your cookies policy is a really helpful way to go into more detail about how you use cookies on your website, as well as exactly what those cookies are. This allows you to be completely transparent on what technologies you are using, allowing users to make informed decisions about their choices.

The main things you're going to want to include on a cookie policy page are:

  • The cookies that are active on your website
  • What data you’re tracking
  • What you’re using this information for
  • Where their data is being sent.

Having a page like this enables you to go into further detail, without overloading the users without information on the initial pop-up when they first visit your website. You can even use a template service like cookiespolicytemplate.com to help you create a compliant page. 

Can I have a checklist of tasks?

Of course, you can!

✅ Check which cookies your website is currently using

  • Use a tool like Cookiebot. It will ask for your email address to send the report to, but will not retain it.
  • Use this report to work out which cookies you need to tell users about and how each cookie should be categorised.

✅ Update your website to make it GDPR and PECR compliant

  • If you use a popular CMS, you shouldn't have to pay for a plugin or module unless you want to heavily customise it. Still, free ones should do most of this. Here is one for WordPress and one for Drupal)
  • If you build your own website using code, you probably know where to go to find resources to implement this. Here's one.
  • If you pay a third-party to manage your website, instruct them to implement this functionality.

✅ Write and publish your cookie policy page

  • Set up a dedicated page that lists out your use of cookies.
  • Make a link that's accessible via every page, most likely in the footer, so that people can always find it.

One of the great features of A Church Near You is that all this has been developed and is constantly updated on your behalf by the national digital team. We work with our web supplier to ensure that the website stays up to date with GDPR, DPA 2018 and future legislation. With this taken care of, you can focus your time on inviting and welcoming people to church.


Ben Hollebon
Web and Insights Manager

Keep up to date with all things digital and join our Labs Latest newsletter. 
Subscribe here