#AbstractionLabs
Is Your Cookie Policy and Cookie Popup On Your Recruitment Website Complying With UK & EU Laws?
Created by Robert Garner on Thu Feb 01 2024 and edited on Thu Feb 01 2024
I spend my days looking through recruitment websites, spotting vulnerabilities and improvements that recruitment agency owners could make and subsequently pitching my web development services to those firms. You would honestly be surprised how many recruitment websites are not compliant with UK & EU law, and these aren’t just small companies; I often come across recruitment agencies with 50+ consultants who are illegally collecting user data.
Failure to follow these laws could ultimately result in reputational damage, expensive court cases and huge fines for your business, the size of which could quite easily cripple it!
There’s a fair amount of technical terminology and legalese here but I’ll aim to lay it down in a rough, sensible order that makes sense to someone without a background in the technical or legal fields. We’ll briefly cover your cookie popup, what cookies are, types of cookies we’ll likely encounter on recruitment websites, the UK & EU laws that surround this issue, how to craft a cookie & privacy policy, how to test your website to see if it is compliant and the implications for not following these laws.
What are cookies?
I’ll keep this brief as I’m sure you have a rough idea but cookies are small pieces of data that your recruitment website will send to a user's computer or mobile device while they are browsing. These data files are stored on the user's device and are used by websites to remember information about the user. The primary purpose of cookies is to enhance and personalise the user experience on the web, as well as to assist in analysing website traffic and user behaviour.
What are necessary cookies?
Necessary cookies are essential for the basic functionality of the website and do not require user consent. Examples specific to a recruitment agency website would include…
Session cookies used to maintain user sessions, especially important for sections of your recruitment website where users log in, such as candidate or client portals.
Security cookies, essential for protecting user data against unauthorised access, are also necessary. They're crucial for safeguarding personal data, such as CVs and contact information.
I rarely see accessibility cookies being used at all but these would also fall under the category of being necessary. They are used to remember user accessibility preferences, such as text size or contrast settings, ensuring a consistent experience for users with disabilities.
On larger websites we may also use load balancing cookies, which distribute web traffic evenly across servers, ensuring the website remains functional and responsive during high traffic periods - however this is likely to be done via the company’s cloud provider instead.
The issue I am consistently seeing is recruitment agency websites sending visitor data to Google Analytics to track which pages they visit, along with other related analytics and these do not fall under the category of "necessary cookies." Under UK and EU law, particularly the GDPR and the ePrivacy Directive, using analytics cookies typically requires explicit consent from the user. This is because they collect data on user behaviour, which, while not necessarily personally identifying, still falls under the purview of personal data usage and privacy.
What types of cookies are there?
The main cookies you’ll likely encounter are…
Session cookies, as mentioned previously, which are deleted as a user’s session ends (when you close down the tab or navigate away from the website).
Persistent cookies, which remain on a user’s device for a predetermined period.
First-party cookies, which are set by the website you're visiting directly and are often used to remember information about you, such as your login status or site preferences.
Third-party cookies, which are set by domains other than the one visited.
Why and how do websites use cookies?
Cookies are typically used on recruitment websites to personalise the user experience, specifically tracking analytics - collecting information on which pages users visit and how long they spend on your website. They are placed on users' devices through code embedded in websites, which activates when a user visits the site.
Your cookie popup
When your website initially loads, your cookie popup should immediately appear on screen and should be prominently displayed and accessible. It should provide options for users to accept all cookies and to reject all cookies (except necessary cookies), and you can include a third option which allows users to customise their preferences. Offering an opt-out option is a crucial aspect of compliance: you must allow users to reject non-essential cookies.
It should also include a link to a page on your website where you keep your full cookie policy. Within this you should explain what cookies are and why they are being used. Be transparent about the types of cookies (e.g., necessary, performance, targeting). This policy should ideally be run past a solicitor but avoid legal jargon and aim to use simple, clear language that’s accessible to all users.
We’d recommend speaking with Barry Cullen at recLAW who specialises in a range of legal matters within the recruitment industry.
Cookie laws
There are two main laws that apply to the use of cookies on websites that are hosted in the UK and EU.
The first of these laws is the UK Privacy and Electronic Communications Regulations (PECR). Under PECR, websites must inform users about the cookies they use, explain what the cookies are doing, and obtain consent before placing cookies on a user’s device, except for strictly necessary cookies.
The second is the EU General Data Protection Regulation (GDPR) and ePrivacy Directive. GDPR emphasises the need for clear and affirmative consent for the use of personal data, including data collected through cookies. The ePrivacy Directive, often known as the “Cookie Law,” requires EU-based websites to obtain user consent before using cookies, with exceptions for necessary cookies.
How to see if my recruitment website is compliant?
You don’t have to be a developer to see if your website is compliant. Just follow these steps and we can see if it is or if you need to go back to your developer immediately! Alternatively give me a call and I can take you through the process.
1) Open up a Google Chrome Incognito browser.
2) Right click on the browser window (where your website will appear) and, from the menu that appears, select Inspect.
3) From the top panel of the developer tools, select Network.
4) Enter your recruitment website homepage URL into the address bar.
5) Now we should expect to be faced with your homepage and I assume a cookie popup with an opt out option. You have to provide users an opt out option. You will also see the Network section being populated with a bunch of text that doesn’t make much sense. This is your website making requests to retrieve the fonts, colours, images, any external code it needs, etc.
6) Now assuming we haven’t accepted any cookies, if in the Network tab you can see something with an orange square next to it with the text “js?id=G-.........” then this is your website making a call to Google Analytics, likely to collect user data on which pages they visit. This shouldn’t occur until a user has selected to accept cookies.
7) Now alongside the Network tab there should be a tab called Application; click this, then click on Cookies. If this is populated with anything other than strictly necessary cookies before you have accepted, then you are likely collecting user data without their permission and could be in breach of UK & EU law.
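As an added example (not code from the original post), here is a minimal JavaScript consent gate of the kind the popup section above describes, which also automates the Network tab check from the steps above: the Google Analytics tag is only injected after the visitor clicks accept, the choice is stored in a first-party cookie, and a helper flags any gtag request that fired before consent was given. The measurement ID, the consent cookie name and the button ids are assumptions.

```javascript
// Added example, not the original post's code. GA_MEASUREMENT_ID is a
// placeholder, and CONSENT_COOKIE / the button ids are assumed names.
const GA_MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder, not a real property ID
const CONSENT_COOKIE = "cookie_consent";   // assumed first-party consent cookie

// Parse a document.cookie style string ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) out[name] = decodeURIComponent(rest.join("="));
  }
  return out;
}

// "accepted", "rejected" or "unknown" (no choice recorded yet).
function consentState(cookieHeader) {
  const value = parseCookies(cookieHeader)[CONSENT_COOKIE];
  return value === "accepted" || value === "rejected" ? value : "unknown";
}

// Analytics may only load once the visitor has explicitly accepted.
function analyticsAllowed(cookieHeader) {
  return consentState(cookieHeader) === "accepted";
}

// Given request URLs (e.g. copied from the Network tab) and the cookie string,
// return the gtag loads that happened without consent. Empty list = clean.
function prematureAnalyticsRequests(requestUrls, cookieHeader) {
  if (analyticsAllowed(cookieHeader)) return [];
  return requestUrls.filter((u) => /googletagmanager\.com\/gtag\/js\?id=G-/.test(u));
}

// Browser-only: inject the GA4 tag. Never called before consent.
function loadAnalytics() {
  const s = document.createElement("script");
  s.async = true;
  s.src = "https://www.googletagmanager.com/gtag/js?id=" + GA_MEASUREMENT_ID;
  document.head.appendChild(s);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag("js", new Date());
  gtag("config", GA_MEASUREMENT_ID);
}

// Persist the visitor's choice for one year in a first-party cookie.
function recordConsent(choice) {
  document.cookie = CONSENT_COOKIE + "=" + choice + "; Max-Age=31536000; Path=/; SameSite=Lax; Secure";
  if (choice === "accepted") loadAnalytics();
}

if (typeof document !== "undefined") { // wiring for the popup buttons (assumed ids)
  if (analyticsAllowed(document.cookie)) loadAnalytics();
  document.getElementById("cookie-accept")?.addEventListener("click", () => recordConsent("accepted"));
  document.getElementById("cookie-reject")?.addEventListener("click", () => recordConsent("rejected"));
}
```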
How do I craft a compliant cookie policy?
You’ll likely need to speak with a solicitor at this stage to ensure it is fully compliant with UK & EU laws - such as Barry Cullen who we mentioned earlier. You can craft the basic outline yourself if you like and key components will include a clear explanation of what cookies are used, their purpose, and duration. Also details on how to manage and delete cookies and explicit mention of third-party cookies if any are used.
Failure to follow these laws
If your recruitment website fails to follow UK and EU cookie laws, you could face several significant repercussions.
First and foremost is the reputational damage and loss of trust from clients and candidates. As a recruitment agency you are likely handling a huge amount of personal data, including candidate addresses, email addresses, telephone numbers, NI numbers, bank details, passports, visas, client bank account details, etc. This data will not be exposed through a malfunctioning cookie popup and code; however, when a recruitment agency comes under fire for breaking GDPR laws, clients & candidates will automatically think of the aforementioned data too.
Failure to comply promptly with warnings from regulatory bodies could mean your agency faces legal action or audits from regulatory authorities, leading to a possible halt in your operations until compliance is achieved. Compliance can be remedied within a couple of days (from a technical standpoint), however public bodies are likely to be much slower when reviewing your compliance.
And lastly, non-compliance can lead to hefty fines. Under GDPR, fines can reach up to €20 million or 4% of the company's global annual turnover, whichever is higher. In the reporting period 2018-2023, the average fine was around EUR 1,755,366 across all countries. This is enough to cripple the majority of recruitment agencies.
If you are worried if your recruitment website is compliant then please get in touch and I’ll happily take you through in a 5 minute call.
Robert Garner
Rob has been working within the recruitment industry since 2006, selling recruitment advertising space, working within recruitment, running his own recruitment firm, launching job boards, working for in-house talent acquisition teams and creating enterprise level recruitment software and now websites for recruitment agencies.