Cookie & Tracking Technologies Policy
The Mick Robertson Group Ltd
(Incorporating - RPP -Robertson People & Process , Little Lights Publishing , The Crafty Salopian, TrainWise Technologies)
Cookie & Tracking Technologies Policy
2026 Edition
Document Title
Cookie & Tracking Technologies Policy
Organisation
Robertson People & Process
Document Type
Board and Partner Facing Policy
Version
1.0
Policy Owner
Data Protection Lead
Approved By
Director, Robertson People & Process
Effective Date
On approval
Next Review Date
12 months from approval
Applies To
All RPP websites, digital platforms, employees, contractors, and third-party suppliers
Classification
Internal Governance / External Partner Assurance
Executive Overview
This policy sets out the governance framework adopted by Robertson People & Process for the lawful, transparent, and accountable use of cookies and related tracking technologies across its digital estate. It is intended to provide assurance to directors, partners, clients, suppliers, and other stakeholders that tracking activities are designed, implemented, and monitored in accordance with applicable UK data protection and privacy requirements, and in line with recognised corporate governance expectations.
1. Purpose
RPP is committed to protecting the privacy of all users who visit our websites and digital platforms. This policy sets out how RPP implements, manages, and monitors cookies and tracking technologies in compliance with:
UK GDPR
Privacy and Electronic Communications Regulations (PECR)
Data (Use and Access) Act 2025 (DUAA)
ICO guidance and enforcement expectations
The purpose of this policy is to ensure that all tracking technologies used by RPP are transparent, lawful, and respectful of user choice.
2. Scope
This policy applies to:
All RPP‑owned websites, landing pages, and digital services
All cookies, pixels, SDKs, scripts, and tracking technologies
All employees and contractors involved in website management, analytics, marketing, or development
All third‑party suppliers providing digital services to RPP
3. Definitions
Cookie A small text file stored on a user’s device to support website functionality or tracking.
Tracking Technologies Includes cookies, pixels, SDKs, local storage, fingerprinting, and server‑side tracking.
Strictly Necessary Cookies Essential for the website to function. Do not require consent.
Non‑Essential Cookies Analytics, marketing, profiling, or third‑party tracking. Require consent.
Recognised Legitimate Interests (RLI) DUAA‑defined purposes where legitimate interest may apply, but not for cookies — PECR still requires consent.
4. Policy Statement
RPP will only use cookies and tracking technologies in a manner that is:
Lawful — compliant with PECR, UK GDPR, and DUAA
Transparent — clearly explained to users
Consent‑driven — no non‑essential cookies without explicit user consent
Minimal — collecting only what is necessary
Secure — using appropriate technical controls
Accountable — fully documented and auditable
RPP does not use dark patterns, manipulative consent designs, or pre‑ticked boxes.
5. Cookie Classification
RPP classifies cookies into the following categories:
5.1 Strictly Necessary (No Consent Required)
Used for:
Authentication
Security
Load balancing
Shopping cart functionality
Service continuity
5.2 Functional (Consent Required)
Used for:
Preferences
Enhanced usability
5.3 Analytics (Consent Required)
Used for:
Website performance measurement
User behaviour insights
Traffic analysis
5.4 Marketing (Consent Required)
Used for:
Advertising
Retargeting
Cross‑site tracking
5.5 Profiling (High‑Risk — Consent Required)
Used for:
Behavioural segmentation
Personalisation
Automated decision‑making inputs
6. Consent Management
6.1 Cookie Banner Requirements
RPP will ensure that cookie banners:
Appear before any non‑essential cookies load
Provide Accept All and Reject All with equal prominence
Offer granular controls
Avoid dark patterns
Link to RPP’s Data Protection Complaints Process (mandatory from June 2026)
6.2 Consent Recording
RPP will record:
Timestamp
Consent categories
Policy version
Withdrawal events
User agent
6.3 Withdrawal of Consent
Users may withdraw consent at any time via the Cookie Preference Centre. Withdrawal must take effect immediately.
7. Analytics Configuration
RPP will configure analytics tools to:
Anonymise IP addresses
Reduce data retention periods
Disable cross‑site tracking
Disable demographic/interest reporting unless consented
Use server‑side tracking where appropriate
Apply data minimisation principles
If analytics feed into personalisation or segmentation, RPP will apply DUAA‑required Automated Decision‑Making (ADM) safeguards.
8. Technical Controls
RPP will implement:
8.1 Cookie Blocking
All non‑essential cookies must be blocked until consent is obtained.
8.2 Secure Cookie Attributes
All cookies must use:
Secure
HttpOnly
SameSite=Lax or Strict
Encryption where appropriate
8.3 Automated Cookie Scanning
Monthly scans will be conducted to detect new cookies or trackers.
8.4 Third‑Party Accountability
RPP will document:
Vendor compliance
Data‑processing agreements
Tracking behaviour of embedded scripts
Third‑country transfer risks (DUAA requirement)
9. Documentation and Record-Keeping
RPP will maintain:
Cookie inventory
Consent logs
DPIAs for tracking technologies
Transfer Impact Assessments (TIAs)
ADM assessments (where applicable)
Complaints log (mandatory from June 2026)
All records will be retained in accordance with RPP’s Data Protection Policy.
10. User Rights
Users have the right to:
Be informed about cookies and tracking
Provide or refuse consent
Withdraw consent at any time
Request access to tracking‑related data
Submit a data protection complaint
RPP will respond to Subject Access Requests using the DUAA‑aligned reasonable and proportionate search standard and may “stop the clock” while seeking clarification.
11. Data Protection Complaints Process
RPP will maintain a formal complaints process that:
Acknowledges complaints within 30 days
Logs all complaints
Provides a clear escalation route
Records outcomes and actions
A link to this process will be included in the cookie banner and cookie notice.
12. Roles and Responsibilities
Data Protection Lead
Policy owner
Oversees compliance
Conducts audits and DPIAs
Marketing Team
Ensures consent is obtained before marketing cookies load
Reviews third‑party tracking tools
Web & IT Teams
Implement technical controls
Maintain cookie blocking and scanning tools
All Employees
Follow this policy
Report any concerns or non‑compliance
13. Non-Compliance
Failure to comply with this policy may result in:
Removal of tracking tools
Suspension of marketing activities
Internal investigation
Disciplinary action (where appropriate)
14. Review and Revision
This policy will be reviewed:
Annually
After significant legal changes
After major website updates
Following any data protection incident