GDPR And Cookies: What You Need To Know

Last updated: 11 August 2020

Estimated reading time: 6 minutes

Member View

Cookies and similar technologies help websites and online services run more efficiently. But because they store information about visitors to a website and track user activity, their use raises significant issues around data protection and privacy. Cookie technology is regulated by the Privacy and Electronic Communications Regulations (PECR) in conjunction with GDPR. In line with the regulations, businesses must understand that they are obliged to tell visitors to their websites about cookie use. They must also offer individuals a choice over whether the company or website operator can retain the information derived from cookies. We examine some of the key questions about cookies in more depth below.

We’ll consider the following:

  1. What are cookies?
  2. What types of cookies are there?
  3. How are cookies used?
  4. How does the PECR relate to cookies?
  5. How does the GDPR relate to cookies?
  6. What action do you need to take to obtain cookie consent?
  7. What does the communication exemption refer to?
  8. How does the strictly necessary exemption work?
  9. What do you need to know about the ePrivacy Regulation?
  10. How to stay on top of cookie compliance

What are cookies?

Cookies are data files that collect information about a website visitor’s use of the site. When the visitor returns to the site the information provided by the cookie technology, stored on the user’s device, means the website recognises the visitor as an existing customer or user, enhancing the effectiveness of the website. Without cookies the website couldn’t remember anything about the visitor so the experience of re-visiting the website would be slower and less personalised. Fingerprinting, local storage and other techniques can operate in the same way as cookies and are regulated in the same way. These techniques are referred to as ‘similar technologies’.

What types of cookies are there?

Cookies can be:

  • Session cookies: Limited to a specific browsing session so they will stop working when a user shuts down the internet browser. Websites will be able to connect a web visitor’s actions during the session, for example during an online shopping session.
  • Persistent cookies: Will be stored for longer than the current browsing session and so are more intrusive than session cookies.
  • First-party cookies: Set by the website the user is visiting.
  • Third-party cookies: Established by a different website, for example when the website being visited has mixed elements such as social media links from another website.

How are cookies used?

Cookies and similar technologies are designed to store information about an individual user either during a browsing session or between different visits to a website by the same user. You’ll be familiar with their use if, for example, you shop online and use an online shopping basket that remembers what you have put in it or a website you visit frequently – an online banking platform for example – remembers your preferences on the site.

From the website operator’s perspective cookies are an indispensable tool used to gauge the level of traffic to their site, how users interact with the site, and the commercial value of individual visitors.

How does the PECR relate to cookies?

Under PECR if you are using cookies or similar technologies you must clearly explain to your users:

  • What cookies you have set up
  • And what the cookies will be used for

You must also obtain user consent to cookie use.

PECR applies these requirements to the ‘terminal equipment’ of ‘subscribers or users’. Terminal equipment will normally be the computer or mobile device on which the cookie is set. Subscribers are the individuals who pay for the use of the internet service to the device and the user is the person using the device when the cookies are in place. Subscribers and users will very often be the same individuals.

The information you provide on cookies must be in a form that’s compliant with GDPR rules on transparency and processing data. In line with GDPR requirements you must provide information in as user-friendly a way as possible. Remember, when developing a cookie policy many users won’t have a detailed understanding of what precisely cookie technology involves.

How does the GDPR relate to cookies?

GDPR and PECR complement one another in the regulation of cookie and similar technology. PECR states clearly that nothing in PECR ‘shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data’. So, if the way a cookie is set up involves the processing of personal data you must comply with all relevant GDPR rules on processing.

GDPR views cookies as having the capability of being one of a number of types of ‘online identifiers’ (and therefore personal data). Depending on their use, cookies may be capable on their own or – when combined with other online identifiers – of singling out an individual from other users, with all the implications for that individual’s privacy that such identification could entail.

If your cookie use amounts to the processing of personal data, you will need a lawful basis for processing the associated data under GDPR. While there are six lawful ways to process data, in relation to cookies PECR specifies that the only ground for processing that’s appropriate is consent. You cannot rely on any of the other GDPR processing grounds (such as legitimate interests) to process cookie data.

What action do you need to take to obtain cookie consent?

PECR indicates that you must get consent from a subscriber or user but doesn’t define consent. Instead we must look at what is meant by consent under GDPR and apply that to cookie use. To obtain valid consent for cookies you must therefore ensure that:

  • Individuals have been clearly informed about what cookies you have and how you use them.
  • The users must take positive and clear action to consent to non-essential cookies.
  • You explain what third party cookies you use.
  • You don’t rely on pre-ticked boxes or similar.

What does the communication exemption refer to?

You won’t have to get the consent of an individual to the use of cookies where this exemption applies. It relates to the transmission of a communication over an electronic communications network. If certain conditions are fulfilled and the communication would be impossible without the cookie use, then consent will not be necessary.

How does the strictly necessary exemption work?

Where storage of information is essential to the functionality of your online service it may be unnecessary to obtain consent. The most common example of this is the use by an online shopping service of cookies that remember the goods a user has decided to purchase and places them in an online shopping cart: the cookie is ‘strictly necessary’ to the provision of the service so there’s no need to obtain specific consent.

What do you need to know about the ePrivacy Regulation?

It was hoped that the ePrivacy Regulation, updating the PECR and rules on cookie technology would come into force at the same time as GDPR. To date however EU Member States have been unable to agree on the shape of this new electronics communications regulatory regime. It’s thought that the new legislation won’t come into force until 2023. When it is introduced, rules around privacy and electronic communications across the EU will be modernised. Post Brexit the UK’s position remains to be seen.

How to stay on top of cookie compliance

Compliance with PECR and the rules on cookie technology is critical. Breaches will damage the reputation of your business and hurt you financially – directors can be fined up to £500,000 for a PECR breach (and the heavier GDPR penalties may also apply depending on the nature of the breach). Our specialist data protection solicitors advise businesses on PECR/GDPR compliance offering bespoke advice as well as training for staff and regular compliance audits. Some things we might consider as part of a cookie compliance audit include:

  • What cookies do you currently have? What category do they fall into? (session, persistent, first/third party)
  • What is each cookie used for?
  • What personal information (of website visitors) is linked to each cookie?
  • What information are the cookies storing?
  • Are your cookies processing personal information?
  • Do any cookies fall within the strictly necessary exemption?
  • Are you getting appropriate consent for cookies that are not exempt?
  • Are you providing accurate information to users about each cookie?
  • Is there a clear link to your cookie policy to enable users to encourage transparency and ensure user consent is properly given?

Cookie usage, like your online content, will change over time – so regular audits are essential to keep on top of cookie compliance.

Back to table of contents

What next?

If you need advice on GDPR and electronic communication regulation, our specialist solicitors can help. Call us on 0800 689 1700, email us at enquiries@hjsolicitors.co.uk, or fill out the short form below with your enquiry.

  • Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our privacy policy.

  • This field is for validation purposes and should be left unchanged.
  • This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

A national law firm

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

Floor 2, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
10 Fitzroy Square, London, W1T 5HP
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
2-5 Velocity Tower, 1 St Mary’s Square, Sheffield, S1 4LP
Like what you're reading?

Like what you're reading? Get new articles delivered to your inbox

Join 8,067 entrepreneurs reading our latest news, guides and insights.

Subscribe