1. Purpose
This procedure sets out how [Company/Website Name] manages cookies and similar technologies on its website in compliance with the EU General Data Protection Regulation (GDPR) and the ePrivacy Directive. It ensures that users are informed about cookie usage and have control over their personal data.
2. Scope
This procedure applies to:
- All cookies and similar technologies (e.g., web beacons, pixels, local storage) used on www.northcotestudio.co.uk
- All visitors and users of the website, regardless of location.
- All employees or contractors responsible for website development, maintenance, and data protection compliance.
3. Legal Basis
Cookies that are not strictly necessary for the operation of the website must be used only after the user has:
- Been provided with clear and comprehensive information about the cookies, and
- Given explicit, informed consent via a cookie consent banner or management tool.
The use of cookies is based on:
- Article 6(1)(a) GDPR – Consent (for non-essential cookies)
- Article 6(1)(f) GDPR – Legitimate interest (for essential cookies only)
4. Cookie Categories
Cookies used on the website are categorised as follows:
| Category | Description | Consent Required |
|---|---|---|
| Strictly Necessary | Essential for core site functionality (e.g., session management, security). | No |
| Performance/Analytics | Help analyse how visitors use the site to improve functionality. | Yes |
| Functional | Enable enhanced functionality and personalisation. | Yes |
| Targeting/Advertising | Used to deliver relevant advertising and track ad performance. | Yes |
| Social Media | Enable social media sharing or login integration. | Yes |
5. Cookie Consent Mechanism
- A cookie banner is displayed when a user first visits the site.
- The banner must:
  - Clearly explain what cookies are and why they are used.
  - Provide a link to the full Cookie Policy.
  - Allow the user to accept all, reject all, or customise settings.
  - Record and store consent choices.
- The user must be able to:
  - Withdraw or modify consent at any time through a “Cookie Settings” link or button.
  - Access the website without any non-essential cookies until consent is given.
6. Cookie Consent Records
- Consent records must include the date, time, and consent preferences of each user.
- Consent logs are retained securely for at least 12 months or as required by data protection law.
- The consent mechanism must be re-displayed at least every 12 months or when cookie usage changes.
7. Cookie Inventory and Review
- Maintain a Cookie Register listing all cookies used on the website, including:
  - Cookie name
  - Provider
  - Purpose
  - Category
  - Expiry
  - Consent status
- Review the cookie inventory quarterly or whenever new tools or services are implemented.
- Update the Cookie Policy and consent banner accordingly.
8. Third-Party Cookies
- Only reputable third parties should be used for analytics or advertising.
- Data sharing agreements and Data Processing Agreements (DPAs) must be in place.
- The Cookie Policy must identify each third party and provide links to their privacy policies.
9. User Rights
Users have the right to:
- Be informed about the use of cookies.
- Withdraw consent at any time.
- Request deletion of personal data collected through cookies (where applicable).
- Lodge a complaint with a Data Protection Authority.
10. Responsibilities
- Data Protection Officer (DPO) or Privacy Lead: Oversight of cookie compliance and consent management.
- Web Administrator/Developer: Implementation of consent tools, banner functionality, and cookie audits.
- Marketing Team: Ensures advertising and analytics cookies comply with consent requirements.
11. Review and Updates
This Cookies Procedure is reviewed annually or when:
- There is a change in cookie usage.
- Legal or regulatory requirements are updated.
- A data protection audit identifies necessary improvements.
12. Related Documents
- Privacy Policy
- Cookie Policy
- Data Protection Policy
- Record of Processing Activities (RoPA)