Cookie Policy

How we use cookies and similar technologies on our website, and how you can control them.

Version: 1.0
Policy Owner: Sam McManus
Approved: February 2026
Next Review: February 2027

This document is the property of Kensington Square Therapy Ltd. It must not be reproduced in whole or in part without written permission. Uncontrolled when printed.

1. Purpose

This policy explains how Kensington Square Therapy Ltd (“KST”) uses cookies and similar tracking technologies on its website at www.kensingtonsquaretherapy.co.uk.

The purpose of this policy is to inform website visitors, including parents, carers, school staff, and prospective clients, about what cookies are deployed, why they are used, what data they collect, and how visitors may exercise control over their cookie preferences.

This policy supports KST’s compliance with the Privacy and Electronic Communications Regulations 2003 (PECR), the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018.

2. Scope

This policy applies to all cookies and similar technologies (including local storage objects, pixel tags, and web beacons) deployed on www.kensingtonsquaretherapy.co.uk.

It covers all website visitors, regardless of whether they are existing clients, prospective clients, parents, carers, school staff, subcontracted therapists, or general visitors.

This policy does not cover data processing within KST’s secure clinical records system (Kiku) or internal administrative platforms (Google Workspace), which are governed by the KST Data Protection Policy and Privacy Notice.

3. Definitions

  • Cookie: A small text file placed on a visitor’s device by a website or its service providers. Cookies allow the website to recognise the device and store limited information about the visit.
  • First-Party Cookie: A cookie set directly by the KST website domain.
  • Third-Party Cookie: A cookie set by an external service provider integrated with the KST website (e.g. Google Analytics, an embedded form provider).
  • Session Cookie: A temporary cookie deleted when the browser is closed.
  • Persistent Cookie: A cookie that remains on the device for a set duration or until manually deleted.
  • Consent: A freely given, specific, informed, and unambiguous indication of a data subject’s wishes, as defined by Article 4(11) UK GDPR and Regulation 6 PECR.
  • PECR: The Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), which govern the use of cookies in the UK.

4. Legal and Regulatory Framework

This policy operates within the following legal and statutory framework:

  • Privacy and Electronic Communications Regulations 2003 (PECR)
  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • ICO Guidance on Cookies and Similar Technologies (updated 2024)
  • ICO Guidance on Consent under UK GDPR

Under PECR Regulation 6, cookies that are not strictly necessary for the provision of a service explicitly requested by the user require the user’s informed consent before they are set. The ICO has confirmed that consent for cookies must meet the UK GDPR standard: it must be freely given, specific, informed, and unambiguous.

Pre-ticked boxes, implied consent through continued browsing, and cookie walls that deny access unless all cookies are accepted do not constitute valid consent under current UK law.

5. Roles and Responsibilities

KST Director (Sam McManus)

Accountable for ensuring that the KST website complies with PECR and UK GDPR in respect of cookie deployment. Responsible for approving this policy and ensuring that any website changes are assessed for cookie compliance prior to deployment.

Website Administrator / Developer

Responsible for implementing and maintaining the cookie consent mechanism, ensuring that non-essential cookies are blocked until valid consent is obtained, and conducting periodic cookie audits when instructed by the Director.

Data Protection Lead (Sam McManus)

Responsible for maintaining the cookie register, reviewing third-party processor agreements for cookie-related data processing, responding to data subject enquiries relating to cookies, and escalating any compliance concerns.

6. Operational Procedure

6.1 Cookie Consent Mechanism

The KST website deploys a cookie consent banner on a visitor’s first visit. The banner must:

  1. Clearly inform the visitor that the site uses cookies;
  2. Explain the categories of cookies used (strictly necessary, analytics, functional);
  3. Provide a mechanism to accept or reject each category of non-essential cookie;
  4. Not pre-tick any non-essential cookie category;
  5. Make the option to reject non-essential cookies as prominent as the option to accept them;
  6. Not use dark patterns, manipulative design, or confusing language to influence consent; and
  7. Link to this Cookie Policy for further information.

Non-essential cookies must not be set or loaded until the visitor has provided affirmative consent for the relevant category. Strictly necessary cookies may be set without consent, as permitted under PECR Regulation 6(4).

6.2 Categories of Cookies Used

KST classifies cookies into the following categories:

Category 1: Strictly Necessary Cookies

These cookies are essential for the website to function and cannot be switched off. They are typically set in response to actions taken by the visitor, such as setting privacy preferences, completing a contact form, or maintaining a browsing session. No consent is required for strictly necessary cookies under PECR.

| Cookie Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| cookieyes-consent | CookieYes | Stores the visitor’s cookie consent preferences | First-party | 1 year |
| PHPSESSID | WordPress | Maintains session state across page requests | First-party | Session |
| wp_lang | WordPress | Stores the language preference | First-party | Session |

Category 2: Analytics Cookies

These cookies allow KST to understand how visitors interact with the website by collecting information about pages visited, time spent on the site, and traffic sources. This information is used to improve the website and its content. Analytics cookies are set only with the visitor’s explicit consent.

| Cookie Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique visitors; generates statistical data on site usage | Third-party | 2 years |
| _ga_* | Google Analytics | Maintains session state for Google Analytics | Third-party | 2 years |
| _gid | Google Analytics | Distinguishes unique visitors within a 24-hour period | Third-party | 24 hours |
| _gat | Google Analytics | Throttles request rate to Google Analytics | Third-party | 1 minute |

Category 3: Functional Cookies

These cookies enable enhanced functionality and personalisation, such as embedded contact forms or video content. They may be set by KST or by third-party providers whose services are integrated into KST’s pages. Functional cookies that are not strictly necessary require the visitor’s explicit consent.

| Cookie Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| fluentform_* | Fluent Forms | Supports contact form functionality and submission tracking | Third-party | Session |

Note: The cookies listed above reflect the website configuration at the date of this policy. KST will update this schedule when cookies are added, removed, or changed. Visitors are encouraged to review this policy periodically.

6.3 Withdrawal and Management of Consent

Visitors may withdraw or modify their cookie preferences at any time by:

  1. Clicking the cookie preferences link in the website footer to reopen the consent banner;
  2. Deleting cookies through their browser settings; or
  3. Adjusting browser settings to block cookies from specific domains.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. KST does not penalise visitors who decline non-essential cookies; all substantive website content remains accessible without analytics or functional cookies.

6.4 Cookie Audit and Review

KST will conduct a cookie audit at least annually, or following any material change to the website, to verify that:

  1. All cookies deployed are documented in this policy;
  2. No undisclosed cookies are being set;
  3. The consent mechanism is functioning correctly; and
  4. Third-party cookie providers remain compliant with their data processing agreements.

7. Safeguarding Considerations

The KST website may be accessed by children and young people, either directly or through parental devices. KST does not deploy cookies that profile children or create behavioural advertising segments.

Analytics data collected via cookies is aggregated and anonymised. No attempt is made to identify individual child visitors through cookie data.

Where the website is accessed from a school device or network, cookies deployed by KST will be limited to the categories disclosed in this policy. KST does not deploy tracking technologies that would enable cross-site tracking of school users.

The cookie consent mechanism is designed to be clear and accessible to a lay audience, including parents and carers who may have limited familiarity with data protection terminology.

8. Data Protection Considerations

Lawful Basis

Where cookies collect personal data (such as IP addresses or device identifiers), the lawful basis for processing is consent under Article 6(1)(a) UK GDPR, obtained through the cookie consent mechanism.

Strictly necessary cookies that do not collect personal data, or that process personal data solely for the purpose of carrying out the transmission of a communication or providing a service explicitly requested by the visitor, rely on the PECR exemption at Regulation 6(4) and do not require separate UK GDPR consent.

Data Transfers

Google Analytics data may be processed on servers outside the United Kingdom. Google LLC operates under UK International Data Transfer Agreement (IDTA) safeguards. The KST Director will review transfer mechanisms annually and update this policy if the legal basis for international transfers changes.

Data Subject Rights

Visitors have the right to request information about what cookie data has been collected, to request deletion of cookie data, and to withdraw consent at any time. Requests should be directed to [email protected] and will be responded to within one calendar month.

Data Protection Impact Assessment

KST has assessed that a full DPIA is not required for the current cookie deployment, on the basis that analytics data is aggregated, no special category data is processed via cookies, and no profiling or automated decision-making is undertaken. This assessment will be reviewed annually or if the website’s cookie usage materially changes.

9. Risk Management

| Risk | Mitigation | Likelihood | Impact |
|---|---|---|---|
| Non-compliant cookie banner deployed or absent | Annual audit of cookie consent mechanism; documented testing | Medium | High |
| Analytics cookies set without valid consent | Consent management platform configured to block scripts until consent obtained | Medium | High |
| Cookie policy out of date following website changes | Review triggered by any website or third-party integration change | Medium | Medium |
| Third-party cookie provider changes data processing terms | Annual review of processor agreements; DPA in place for all processors | Low | Medium |
| Child or parent unable to exercise cookie preference | Clear, accessible cookie controls; no dark patterns in consent interface | Low | Medium |

10. Record Keeping

KST maintains the following records in relation to cookie compliance:

  1. Cookie Register: a schedule of all cookies deployed, their purpose, category, and duration, maintained by the Data Protection Lead.
  2. Consent Records: the cookie consent management platform retains records of consent events, including timestamps, consent choices, and the version of the cookie policy in effect at the time of consent.
  3. Cookie Audit Log: records of periodic cookie audits, including findings and any remedial actions taken.
  4. Third-Party Processor Records: copies of data processing agreements with cookie-related third-party providers (e.g. Google Analytics).

Records are stored securely within Google Workspace with access restricted to the Director and authorised personnel.

11. Training Requirements

The following training requirements apply:

  • Director / Data Protection Lead: Understanding of PECR cookie requirements, ICO enforcement trends, and consent mechanism configuration. Reviewed annually.
  • Website Administrator / Developer: Technical implementation of cookie consent mechanisms, cookie auditing procedures, and script blocking configuration. Reviewed following any website platform change.

Training completion is recorded in the KST Training Log maintained within Google Workspace.

12. Monitoring and Audit

Compliance with this policy is monitored through:

  1. Annual cookie audit: a systematic review of all cookies deployed on the website against this policy, conducted by or on behalf of the Director.
  2. Consent mechanism testing: verification that the consent banner functions correctly, that non-essential cookies are blocked until consent is obtained, and that preference withdrawal operates as intended.
  3. Third-party review: annual review of data processing agreements with cookie-related service providers.
  4. ICO guidance monitoring: the Data Protection Lead monitors ICO publications and enforcement actions relating to cookies and PECR to identify any required changes.

Audit findings and actions are recorded and reported to the Director.

13. Review Cycle

This policy will be reviewed annually or sooner if:

  1. Statutory or regulatory guidance changes (including ICO enforcement decisions or updated guidance);
  2. The website is materially redesigned or migrated to a new platform;
  3. New cookies or tracking technologies are deployed;
  4. A data breach or complaint relating to cookie processing occurs; or
  5. A third-party cookie provider changes its data processing terms.

14. Related Policies

  • KST Data Protection Policy
  • KST Privacy Policy (Privacy Notice)
  • KST Safeguarding Policy
  • KST Confidentiality Policy
  • KST Data Breach Response Plan
  • KST Data Subject Access Request Procedure

15. Governance Maturity Assessment

Governance Maturity

  • Current Maturity Level: Level 3 – Robust and Defensible
  • Target Maturity Level: Level 4 – Audit Ready
  • Actions to Reach Target: Implement automated cookie scanning tool; integrate consent records into audit trail; conduct annual PECR compliance review
  • 12-Month Target: Achieve Level 4 through documented cookie audit, tested consent mechanism, and verified third-party processor compliance

16. Version Control

| Version | Author | Approved By | Date Issued | Review Date | Summary of Changes |
|---|---|---|---|---|---|
| 1.0 | Sam McManus | Sam McManus | February 2026 | February 2027 | Initial release |

© Kensington Square Therapy Ltd – All rights reserved.