Cookies and similar technologies help websites and online services run more efficiently. But because they store information about visitors to a website and track user activity, their use raises issues around data protection and can be invasive to privacy.
Cookies are regulated by the Privacy and Electronic Communications Regulations 2003 (PECR 2003) in conjunction with UK GDPR and the Data Protection Act 2018 (DPA 2018) (where personal data applies). In line with the regulations, businesses must understand that they are obliged to tell visitors to their websites about cookie use. They must also offer individuals a choice over whether the company or website operator can retain the information derived from cookies.
We examine some of the key questions about cookies in more depth below. If you would like assistance in ensuring your website and cookies preferences are compliant with GDPR and PECR, please get in touch and one of our data protection specialist will be able to help.
We’ll consider the following:
- What are cookies?
- What types of cookies are there?
- How are cookies used?
- How does the PECR relate to cookies?
- How does the GDPR relate to cookies?
- What action do you need to take to obtain cookie consent?
- Cookies banner and consent
- Are there any exemptions to needing consent?
- How to stay on top of cookie compliance
What are cookies?
Cookies are data files that collect information about a website visitor’s use of the site. When the visitor returns to the site the information provided by the cookie technology, stored on the user’s device, means the website recognises the visitor as an existing customer or user, enhancing the effectiveness of the website. Cookies are more commonly used to target advertising based on a user’s browsing history. Without cookies the website couldn’t remember anything about the visitor so the experience of re-visiting the website would be slower and less personalised. Fingerprinting, local storage and other techniques can operate in the same way as cookies and are regulated in the same way. These techniques are referred to as ‘similar technologies’.
What types of cookies are there?
Cookies can be:
- Session cookies: Limited to a specific browsing session so they will stop working when a user shuts down the internet browser. Websites will be able to connect a web visitor’s actions during the session, for example during an online shopping session.
- Persistent cookies: Will be stored for longer than the current browsing session and so are more intrusive than session cookies.
- First-party cookies: Set by the website the user is visiting.
- Third-party cookies: Established by a different website, for example when the website being visited has mixed elements such as social media links and banner advertising from another website.
How are cookies used?
Cookies and similar technologies are designed to store information about an individual user either during a browsing session or between different visits to a website by the same user. You’ll be familiar with their use if, for example, you shop online and use an online shopping basket that remembers what you have put in it or a website you visit frequently – an online banking platform for example – remembers your preferences on the site.
From the website operator’s perspective cookies are an indispensable tool used to gauge the level of traffic to their site, how users interact with the site, and the commercial value of individual visitors.
How does the PECR relate to cookies?
Under PECR if you are using cookies or similar technologies you must clearly explain to your users:
- What cookies you have set up
- What the cookies will be used for
You must also obtain user consent to cookie use.
PECR applies these requirements to the ‘terminal equipment’ of ‘subscribers or users’. Terminal equipment will normally be the computer or mobile device on which the cookie is set. Subscribers are the individuals who pay for the use of the internet service to the device and the user is the person using the device when the cookies are in place. Subscribers and users will very often be the same individuals.
How does the GDPR relate to cookies?
GDPR and PECR complement one another in the regulation of cookie and similar technology. PECR states clearly that nothing in PECR ‘shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data’. So, if the way a cookie is set up involves the processing of personal data you must comply with all relevant GDPR rules on processing. However, PECR will take precedence over the GDPR in relation to provisions regarding privacy and electronic communications.
GDPR views cookies as having the capability of being one of several types of ‘online identifiers’, and therefore personal data. Depending on their use, cookies may be capable on their own or – when combined with other online identifiers – of singling out an individual from other users, with all the implications for that individual’s privacy that such identification could entail.
If your cookie use amounts to the processing of personal data, you will need a lawful basis for processing the associated data under GDPR. While there are six lawful ways to process data, in relation to cookies PECR specifies that the only ground for processing that’s appropriate is consent. You cannot rely on any of the other GDPR processing grounds (such as legitimate interests) to process cookie data.
What action do you need to take to obtain cookie consent?
PECR indicates that you must get consent from a subscriber or user but doesn’t define consent. Instead, we must look at what is meant by consent under GDPR and apply that to cookie use. To obtain valid consent for cookies you must therefore ensure that:
- Individuals have been clearly informed about what cookies you have and how you use them
- The users must take positive and clear action to consent to non-essential cookies
- You explain what third party cookies you use
- You don’t rely on pre-ticked boxes or similar
Cookies banner and consent
A cookies banner on your website is the easiest way to obtain consent. The newly formed cookies task force taskforce which was put together to respond to complaints concerning cookie banners filed by Max Schrems and his team, have now completed their report. We have yet to see the points come into play, however, if implemented, it could ensure minimum requirements for cookie banners. Essentially, the user of a site should be able agree to cookies or be able to reject them, be able to manage them, and have reject buttons on screen. The ICO provides guidance on how to manage and comply with the cookie rules.
Are there any exemptions to needing consent?
There are two exemptions to the PECR cookie rules:
Communication Exemption: For this exemption, a cookie must be essential for transmitting communication over an electronic network, with specific properties like routing information and error detection.
Strictly Necessary Exemption: This exemption applies to 'information society services' and is limited to storing essential information for the requested service. It does not cover other potential data uses. For example, in an e-commerce website, a cookie remembering user choices during checkout is 'strictly necessary,' requiring no consent.
Assessing what is 'strictly necessary' should be from the user or subscriber's perspective, not the service provider's.
How to stay on top of cookie compliance
Compliance with PECR and the rules on cookie technology is critical. Breaches will damage the reputation of your business and hurt you financially – the ICO can impose financial penalties of up to £500,000 for a PECR breach (and the heavier GDPR penalties may also apply depending on the nature of the breach). Our specialist data protection solicitors can assist your business with PECR/GDPR compliance through tailored advice as well as training for staff and regular compliance audits. Some things we might consider as part of a cookie compliance audit include:
- What cookies do you currently have? What category do they fall into? (session, persistent, first/third party)
- What is each cookie used for?
- What personal information (of website visitors) is linked to each cookie?
- What information are the cookies storing?
- Are your cookies processing personal information?
- Do any cookies fall within the strictly necessary exemption?
- Are you getting appropriate consent for cookies that are not exempt?
- Are you providing accurate information to users about each cookie?
Cookie usage, like your online content, will change over time, so regular audits are essential to keep on top of cookie compliance.