Cookie & Tracking Technologies Policy

The Mick Robertson Group Ltd

(Incorporating - RPP -Robertson People & Process , Little Lights Publishing , The Crafty Salopian, TrainWise Technologies)

Cookie & Tracking Technologies Policy
2026 Edition

Document Title

Cookie & Tracking Technologies Policy

Organisation

Robertson People & Process

Document Type

Board and Partner Facing Policy

Version

1.0

Policy Owner

Data Protection Lead

Approved By

Director, Robertson People & Process

Effective Date

On approval

Next Review Date

12 months from approval

Applies To

All RPP websites, digital platforms, employees, contractors, and third-party suppliers

Classification

Internal Governance / External Partner Assurance

Executive Overview

This policy sets out the governance framework adopted by Robertson People & Process for the lawful, transparent, and accountable use of cookies and related tracking technologies across its digital estate. It is intended to provide assurance to directors, partners, clients, suppliers, and other stakeholders that tracking activities are designed, implemented, and monitored in accordance with applicable UK data protection and privacy requirements, and in line with recognised corporate governance expectations.

1. Purpose

RPP is committed to protecting the privacy of all users who visit our websites and digital platforms. This policy sets out how RPP implements, manages, and monitors cookies and tracking technologies in compliance with:

  • UK GDPR

  • Privacy and Electronic Communications Regulations (PECR)

  • Data (Use and Access) Act 2025 (DUAA)

  • ICO guidance and enforcement expectations

The purpose of this policy is to ensure that all tracking technologies used by RPP are transparent, lawful, and respectful of user choice.

2. Scope

This policy applies to:

  • All RPP‑owned websites, landing pages, and digital services

  • All cookies, pixels, SDKs, scripts, and tracking technologies

  • All employees and contractors involved in website management, analytics, marketing, or development

  • All third‑party suppliers providing digital services to RPP

3. Definitions

Cookie A small text file stored on a user’s device to support website functionality or tracking.

Tracking Technologies Includes cookies, pixels, SDKs, local storage, fingerprinting, and server‑side tracking.

Strictly Necessary Cookies Essential for the website to function. Do not require consent.

Non‑Essential Cookies Analytics, marketing, profiling, or third‑party tracking. Require consent.

Recognised Legitimate Interests (RLI) DUAA‑defined purposes where legitimate interest may apply, but not for cookies — PECR still requires consent.

4. Policy Statement

RPP will only use cookies and tracking technologies in a manner that is:

  • Lawful — compliant with PECR, UK GDPR, and DUAA

  • Transparent — clearly explained to users

  • Consent‑driven — no non‑essential cookies without explicit user consent

  • Minimal — collecting only what is necessary

  • Secure — using appropriate technical controls

  • Accountable — fully documented and auditable

RPP does not use dark patterns, manipulative consent designs, or pre‑ticked boxes.

5. Cookie Classification

RPP classifies cookies into the following categories:

5.1 Strictly Necessary (No Consent Required)

Used for:

  • Authentication

  • Security

  • Load balancing

  • Shopping cart functionality

  • Service continuity

5.2 Functional (Consent Required)

Used for:

  • Preferences

  • Enhanced usability

5.3 Analytics (Consent Required)

Used for:

  • Website performance measurement

  • User behaviour insights

  • Traffic analysis

5.4 Marketing (Consent Required)

Used for:

  • Advertising

  • Retargeting

  • Cross‑site tracking

5.5 Profiling (High‑Risk — Consent Required)

Used for:

  • Behavioural segmentation

  • Personalisation

  • Automated decision‑making inputs

6. Consent Management

6.1 Cookie Banner Requirements

RPP will ensure that cookie banners:

  • Appear before any non‑essential cookies load

  • Provide Accept All and Reject All with equal prominence

  • Offer granular controls

  • Avoid dark patterns

  • Link to RPP’s Data Protection Complaints Process (mandatory from June 2026)

6.2 Consent Recording

RPP will record:

  • Timestamp

  • Consent categories

  • Policy version

  • Withdrawal events

  • User agent

6.3 Withdrawal of Consent

Users may withdraw consent at any time via the Cookie Preference Centre. Withdrawal must take effect immediately.

7. Analytics Configuration

RPP will configure analytics tools to:

  • Anonymise IP addresses

  • Reduce data retention periods

  • Disable cross‑site tracking

  • Disable demographic/interest reporting unless consented

  • Use server‑side tracking where appropriate

  • Apply data minimisation principles

If analytics feed into personalisation or segmentation, RPP will apply DUAA‑required Automated Decision‑Making (ADM) safeguards.

8. Technical Controls

RPP will implement:

8.1 Cookie Blocking

All non‑essential cookies must be blocked until consent is obtained.

8.2 Secure Cookie Attributes

All cookies must use:

  • Secure

  • HttpOnly

  • SameSite=Lax or Strict

  • Encryption where appropriate

8.3 Automated Cookie Scanning

Monthly scans will be conducted to detect new cookies or trackers.

8.4 Third‑Party Accountability

RPP will document:

  • Vendor compliance

  • Data‑processing agreements

  • Tracking behaviour of embedded scripts

  • Third‑country transfer risks (DUAA requirement)

9. Documentation and Record-Keeping

RPP will maintain:

  • Cookie inventory

  • Consent logs

  • DPIAs for tracking technologies

  • Transfer Impact Assessments (TIAs)

  • ADM assessments (where applicable)

  • Complaints log (mandatory from June 2026)

All records will be retained in accordance with RPP’s Data Protection Policy.

10. User Rights

Users have the right to:

  • Be informed about cookies and tracking

  • Provide or refuse consent

  • Withdraw consent at any time

  • Request access to tracking‑related data

  • Submit a data protection complaint

RPP will respond to Subject Access Requests using the DUAA‑aligned reasonable and proportionate search standard and may “stop the clock” while seeking clarification.

11. Data Protection Complaints Process

RPP will maintain a formal complaints process that:

  • Acknowledges complaints within 30 days

  • Logs all complaints

  • Provides a clear escalation route

  • Records outcomes and actions

A link to this process will be included in the cookie banner and cookie notice.

12. Roles and Responsibilities

Data Protection Lead

  • Policy owner

  • Oversees compliance

  • Conducts audits and DPIAs

Marketing Team

  • Ensures consent is obtained before marketing cookies load

  • Reviews third‑party tracking tools

Web & IT Teams

  • Implement technical controls

  • Maintain cookie blocking and scanning tools

All Employees

  • Follow this policy

  • Report any concerns or non‑compliance

13. Non-Compliance

Failure to comply with this policy may result in:

  • Removal of tracking tools

  • Suspension of marketing activities

  • Internal investigation

  • Disciplinary action (where appropriate)

14. Review and Revision

This policy will be reviewed:

  • Annually

  • After significant legal changes

  • After major website updates

  • Following any data protection incident