Cookies and visitor activity trackers

Visitor activity trackers help you to track your website visitors. They usually use cookies or similar technology to tell you which pages your visitors access and how they interact with the website, for example whether they use the search function.

Cookies are small files, which are downloaded to a user’s device when accessing certain websites. These cookies allow the website to recognise the user's device and store some information about how the user is using a website.

For further information about the use of cookies and similar technologies, see the guidance from the Information Commissioner’s Office (ICO).

Websites use three types of cookies:

• essential or necessary: to enable the website to function as intended
• analytics: to enable organisations to see what pages people are looking at, or how they are using the website
• marketing: used to promote products or services

If you want to use cookies and similar technologies that are not strictly essential or necessary for the operation of the website, you are required to obtain user consent. This is usually done via a pop-up on the website. The ICO provides guidance on how to obtain consent including helpful pictures of compliant cookie banners.

Inappropriate use of visitor activity trackers could result in a breach of data protection laws. This could occur if for example excessive information  was collected by an activity tracker, particularly where marketing cookies are installed.

Inappropriate use of visitor activity trackers could also pose a risk to confidentiality. For example, if user-derived information such as an IP address or personal details input by the user are linked with their search for health and care information about a specific condition. This could especially apply if the website asks the user to confirm if they have the condition.  

To ensure you are not collecting excessive data, it is important to regularly audit your tracking or profiling of website users and the data you are storing or passing to tracking services. You can use readily available low cost analytics tools to audit and categorise the types of cookies on your website. This will enable you to isolate or remove cookies you do not require.

To ensure that the tracking and profiling activity on your website is appropriate, you should:

• have clear lines of accountability and responsibility for tracking and profiling activity within your organisation (who authorises the use of cookies or similar technology, who can deploy them)
• have a clear process for monitoring of visitor activity tracking and profile management within the organisation (for example, regularly scanning cookies deployed, highlighting new or suspect cookies for further investigation)
• ensure visitor activity trackers cannot be added or removed from their website without organisational approval - this applies to internal and external staff, such as contractors

You should ensure that the public accessing your website understands:

• what tracking mechanisms (such as cookies) you use
• why you use those tracking mechanisms
• what choice (if any) the public has about the cookies used

This could be enabled by a cookie pop-up when users first access your site, giving them the opportunity to choose which cookies to accept and to find more information about their use. Your website transparency information should also include information about the organisations you are sharing data with and for what purpose.