GDPR and cookie consent: What you need to know

Cookies and similar technologies help websites and online services run more efficiently. But because they store information about visitors to a website and track user activity, their use raises issues around data protection and can be invasive to privacy.

Cookies are regulated by the Privacy and Electronic Communications Regulations 2003 (PECR 2003) in conjunction with UK GDPR and the Data Protection Act 2018 (DPA 2018) (where personal data applies). In line with the regulations, businesses must understand that they are obliged to tell visitors to their websites about cookie use. They must also offer individuals a choice over whether the company or website operator can retain the information derived from cookies.

We examine some of the key questions about cookies in more depth below. If you would like assistance in ensuring your website and cookie preferences are compliant with GDPR and PECR, please get in touch and one of our data protection specialists will be able to help.

What are cookies?

Cookies are data files that collect information about a website visitor’s use of the site. When the visitor returns to the site the information provided by the cookie technology, stored on the user’s device, means the website recognises the visitor as an existing customer or user, enhancing the effectiveness of the website. Cookies are more commonly used to target advertising based on a user’s browsing history. Without cookies the website couldn’t remember anything about the visitor so the experience of re-visiting the website would be slower and less personalised. Fingerprinting, local storage and other techniques can operate in the same way as cookies and are regulated in the same way. These techniques are referred to as ‘similar technologies’.

What types of cookies are there?

Cookies can be:

  • Session cookies: Limited to a specific browsing session so they will stop working when a user shuts down the internet browser. Websites will be able to connect a web visitor’s actions during the session, for example during an online shopping session.
  • Persistent cookies: Will be stored for longer than the current browsing session and so are more intrusive than session cookies.
  • First-party cookies: Set by the website the user is visiting.
  • Third-party cookies: Established by a different website, for example when the website being visited has mixed elements such as social media links and banner advertising from another website.

How are cookies used?

Cookies and similar technologies are designed to store information about an individual user either during a browsing session or between different visits to a website by the same user. You’ll be familiar with their use if, for example, you shop online and use an online shopping basket that remembers what you have put in it or a website you visit frequently – an online banking platform for example – remembers your preferences on the site.

From the website operator’s perspective cookies are an indispensable tool used to gauge the level of traffic to their site, how users interact with the site, and the commercial value of individual visitors.

How does the PECR relate to cookies?

Under PECR if you are using cookies or similar technologies you must clearly explain to your users:

  • What cookies you have set up
  • What the cookies will be used for

You must also obtain user consent to cookie use.

PECR applies these requirements to the ‘terminal equipment’ of ‘subscribers or users’. Terminal equipment will normally be the computer or mobile device on which the cookie is set. Subscribers are the individuals who pay for the use of the internet service to the device and the user is the person using the device when the cookies are in place. Subscribers and users will very often be the same individuals.

The information you provide on cookies must be in a form that’s compliant with GDPR rules on transparency and processing data. In line with GDPR requirements you must provide information in as user-friendly a way as possible. Remember, when developing a cookie policy many users won’t have a detailed understanding of what precisely cookie technology involves.

How does the GDPR relate to cookies?

GDPR and PECR complement one another in the regulation of cookies and similar technologies. PECR states clearly that nothing in PECR ‘shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data’. So, if the way a cookie is set up involves the processing of personal data you must comply with all relevant GDPR rules on processing. However, PECR will take precedence over the GDPR in relation to provisions regarding privacy and electronic communications.

GDPR views cookies as having the capability of being one of several types of ‘online identifiers’, and therefore personal data. Depending on their use, cookies may be capable on their own or – when combined with other online identifiers – of singling out an individual from other users, with all the implications for that individual’s privacy that such identification could entail.

If your cookie use amounts to the processing of personal data, you will need a lawful basis for processing the associated data under GDPR. While there are six lawful ways to process data, in relation to cookies PECR specifies that the only ground for processing that’s appropriate is consent. You cannot rely on any of the other GDPR processing grounds (such as legitimate interests) to process cookie data.

What action do you need to take to obtain cookie consent?

PECR indicates that you must get consent from a subscriber or user but doesn’t define consent. Instead, we must look at what is meant by consent under GDPR and apply that to cookie use. To obtain valid consent for cookies you must therefore ensure that:

  • Individuals have been clearly informed about what cookies you have and how you use them
  • The users must take positive and clear action to consent to non-essential cookies
  • You explain what third party cookies you use
  • You don’t rely on pre-ticked boxes or similar

Cookies banner and consent

A cookies banner on your website is the easiest way to obtain consent. The newly formed cookies taskforce, which was put together to respond to complaints concerning cookie banners filed by Max Schrems and his team, has now completed its report. We have yet to see the points come into play; however, if implemented, it could set minimum requirements for cookie banners. Essentially, the user of a site should be able to agree to cookies or to reject them, be able to manage them, and have reject buttons on screen. The ICO provides guidance on how to manage and comply with the cookie rules.

Are there any exemptions to needing consent?

There are two exemptions to the PECR cookie rules:

Communication Exemption: For this exemption, a cookie must be essential for transmitting communication over an electronic network, with specific properties like routing information and error detection.

Strictly Necessary Exemption: This exemption applies to 'information society services' and is limited to storing essential information for the requested service. It does not cover other potential data uses. For example, in an e-commerce website, a cookie remembering user choices during checkout is 'strictly necessary,' requiring no consent.

Assessing what is 'strictly necessary' should be from the user or subscriber's perspective, not the service provider's.
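As an added illustration of the consent requirements and the strictly necessary exemption described above (example code written for this page, not the firm's or the ICO's), the following gate only allows a declared cookie to be written when it is exempt or the user has taken a positive "accept" action; the cookie register and names are constructed sample data.

```javascript
// Added example, not part of the original article: a minimal consent gate that
// models the rules above. The cookie register below is constructed sample data.

// The register each site should maintain for its audit: purpose, whether it is
// third party, and whether it is 'strictly necessary' (exempt from consent).
const COOKIE_REGISTER = {
  session_id: { purpose: "keeps the checkout session alive", strictlyNecessary: true, thirdParty: false },
  basket: { purpose: "remembers items in the shopping basket", strictlyNecessary: true, thirdParty: false },
  _analytics: { purpose: "measures site traffic", strictlyNecessary: false, thirdParty: true },
  ad_profile: { purpose: "targets advertising on browsing history", strictlyNecessary: false, thirdParty: true },
};

// Consent starts with no decision: nothing is pre-ticked, so no non-essential
// cookie may be written until the user acts.
function newConsentState() {
  return { decided: false, nonEssential: false };
}

// Record a positive, clear action. Only "accept" or "reject" count; closing the
// banner, scrolling or continuing to browse is not consent and leaves the state alone.
function recordDecision(state, action) {
  if (action !== "accept" && action !== "reject") return state;
  return { decided: true, nonEssential: action === "accept" };
}

// Names of declared cookies that need consent, i.e. everything not exempt.
function cookiesRequiringConsent() {
  return Object.keys(COOKIE_REGISTER).filter((n) => !COOKIE_REGISTER[n].strictlyNecessary);
}

// May this cookie be written right now? Undeclared cookies are refused outright,
// exempt ones are always allowed, the rest only after an explicit accept.
function mayStore(name, state) {
  const decl = COOKIE_REGISTER[name];
  if (!decl) return false;
  if (decl.strictlyNecessary) return true;
  return state.decided && state.nonEssential;
}

// Write to a cookie jar. Here the jar is a plain object; in a browser the write
// would be `document.cookie = ...`, and this gate should be the only path to it.
function storeCookie(jar, name, value, state) {
  if (!mayStore(name, state)) return false;
  jar[name] = value;
  return true;
}
```

Refusing undeclared cookies means a new tag or script cannot quietly add a cookie that the register (and the cookie policy) never mentions.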

How to stay on top of cookie compliance

Compliance with PECR and the rules on cookie technology is critical. Breaches will damage the reputation of your business and hurt you financially – the ICO can impose financial penalties of up to £500,000 for a PECR breach (and the heavier GDPR penalties may also apply depending on the nature of the breach). Our specialist data protection solicitors can assist your business with PECR/GDPR compliance through tailored advice as well as training for staff and regular compliance audits. Some things we might consider as part of a cookie compliance audit include:

  • What cookies do you currently have? What category do they fall into? (session, persistent, first/third party)
  • What is each cookie used for?
  • What personal information (of website visitors) is linked to each cookie?
  • What information are the cookies storing?
  • Are your cookies processing personal information?
  • Do any cookies fall within the strictly necessary exemption?
  • Are you getting appropriate consent for cookies that are not exempt?
  • Are you providing accurate information to users about each cookie?
  • Is there a clear link to your cookie policy, so that users can see what you do with cookies and consent is properly given?

Cookie usage, like your online content, will change over time, so regular audits are essential to keep on top of cookie compliance.

About our expert

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.


What next?

If you need advice on GDPR and electronic communication regulation, our specialist solicitors can help. Call us on 0800 689 1700, email us at enquiries@harperjames.co.uk, or fill out the short form below with your enquiry.