Cookies and similar technologies help websites and online services run more efficiently. But because they store information about visitors to a website and track user activity, their use raises significant issues around data protection and privacy. Cookie technology is regulated by the Privacy and Electronic Communications Regulations (PECR) in conjunction with GDPR. In line with the regulations, businesses must understand that they are obliged to tell visitors to their websites about cookie use. They must also offer individuals a choice over whether the company or website operator can retain the information derived from cookies. We examine some of the key questions about cookies in more depth below.
We’ll consider the following:
- What are cookies?
- What types of cookies are there?
- How are cookies used?
- How does the PECR relate to cookies?
- How does the GDPR relate to cookies?
- What action do you need to take to obtain cookie consent?
- What does the communication exemption refer to?
- How does the strictly necessary exemption work?
- What do you need to know about the ePrivacy Regulation?
- How to stay on top of cookie compliance
What are cookies?
Cookies are data files that collect information about a website visitor’s use of the site. They are stored on the user’s device, so when the visitor returns to the site the website can recognise them as an existing customer or user, which makes the website more effective. Without cookies the website couldn’t remember anything about the visitor, so the experience of re-visiting the website would be slower and less personalised. Fingerprinting, local storage and other techniques can operate in the same way as cookies and are regulated in the same way. These techniques are referred to as ‘similar technologies’.
What types of cookies are there?
Cookies can be:
- Session cookies: Limited to a specific browsing session, so they stop working when the user shuts down the internet browser. They allow a website to connect a visitor’s actions during the session, for example during an online shopping session.
- Persistent cookies: Stored for longer than the current browsing session, and so more intrusive than session cookies.
- First-party cookies: Set by the website the user is visiting.
- Third-party cookies: Set by a website other than the one being visited, for example when the website being visited embeds elements such as social media links from another website.
How are cookies used?
Cookies and similar technologies are designed to store information about an individual user either during a browsing session or between different visits to a website by the same user. You’ll be familiar with their use if, for example, you shop online and use an online shopping basket that remembers what you have put in it or a website you visit frequently – an online banking platform for example – remembers your preferences on the site.
From the website operator’s perspective cookies are an indispensable tool used to gauge the level of traffic to their site, how users interact with the site, and the commercial value of individual visitors.
How does the PECR relate to cookies?
Under PECR, if you are using cookies or similar technologies you must clearly explain to your users:
- What cookies you have set
- What the cookies will be used for
You must also obtain user consent to cookie use.
PECR applies these requirements to the ‘terminal equipment’ of ‘subscribers or users’. Terminal equipment will normally be the computer or mobile device on which the cookie is set. Subscribers are the individuals who pay for the use of the internet service to the device and the user is the person using the device when the cookies are in place. Subscribers and users will very often be the same individuals.
How does the GDPR relate to cookies?
GDPR and PECR complement one another in the regulation of cookies and similar technologies. PECR states clearly that nothing in PECR ‘shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data’. So, if the way a cookie is set up involves the processing of personal data, you must comply with all relevant GDPR rules on processing.
GDPR views cookies as having the capability of being one of a number of types of ‘online identifiers’ (and therefore personal data). Depending on their use, cookies may be capable on their own or – when combined with other online identifiers – of singling out an individual from other users, with all the implications for that individual’s privacy that such identification could entail.
If your cookie use amounts to the processing of personal data, you will need a lawful basis for processing the associated data under GDPR. While GDPR provides six lawful bases for processing, in relation to cookies PECR specifies that the only appropriate ground is consent. You cannot rely on any of the other GDPR processing grounds (such as legitimate interests) to process cookie data.
What action do you need to take to obtain cookie consent?
PECR indicates that you must get consent from a subscriber or user but doesn’t define consent. Instead we must look at what is meant by consent under GDPR and apply that to cookie use. To obtain valid consent for cookies you must therefore ensure that:
- Individuals have been clearly informed about what cookies you have and how you use them.
- Users take positive and clear action to consent to non-essential cookies.
- You explain what third-party cookies you use.
- You don’t rely on pre-ticked boxes or similar.
What does the communication exemption refer to?
How does the strictly necessary exemption work?
Where storage of information is essential to the functionality of your online service, it may be unnecessary to obtain consent. The most common example of this is an online shopping service’s use of cookies that remember the goods a user has decided to purchase and place them in an online shopping cart: the cookie is ‘strictly necessary’ to the provision of the service, so there’s no need to obtain specific consent.
What do you need to know about the ePrivacy Regulation?
It was hoped that the ePrivacy Regulation, updating PECR and the rules on cookie technology, would come into force at the same time as GDPR. To date, however, EU Member States have been unable to agree on the shape of this new electronic communications regulatory regime. It’s thought that the new legislation won’t come into force until 2023. When it is introduced, rules around privacy and electronic communications across the EU will be modernised. Post-Brexit, the UK’s position remains to be seen.
How to stay on top of cookie compliance
Compliance with PECR and the rules on cookie technology is critical. Breaches will damage the reputation of your business and hurt you financially – directors can be fined up to £500,000 for a PECR breach (and the heavier GDPR penalties may also apply, depending on the nature of the breach). Our specialist data protection solicitors advise businesses on PECR/GDPR compliance, offering bespoke advice as well as training for staff and regular compliance audits. Some things we might consider as part of a cookie compliance audit include:
- What cookies do you currently have? What category do they fall into? (session, persistent, first/third party)
- What is each cookie used for?
- What personal information (of website visitors) is linked to each cookie?
- What information are the cookies storing?
- Are your cookies processing personal information?
- Do any cookies fall within the strictly necessary exemption?
- Are you getting appropriate consent for cookies that are not exempt?
- Are you providing accurate information to users about each cookie?
Cookie usage, like your online content, will change over time – so regular audits are essential to keep on top of cookie compliance.
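As an added illustration that is not part of the article, the following JavaScript builds the kind of inventory the audit checklist above asks for: it takes captured Set-Cookie headers, classifies each cookie as session or persistent and first- or third-party, and flags which ones need consent because they are outside the site’s list of strictly necessary cookies. The site name shop.example, the sample headers, and the simplified first-party rule are all constructed for this example.

```javascript
// Added example (not from the original article): build a cookie audit
// inventory from captured Set-Cookie headers. All inputs are constructed.

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(p => p.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// Simplified first-party test: the cookie's effective domain (its Domain
// attribute, else the host that sent it) must equal or be a parent of the
// site host the visitor is on. Public-suffix handling is deliberately omitted.
function isFirstParty(effectiveDomain, siteHost) {
  const d = effectiveDomain.replace(/^\./, '').toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Classify one captured cookie the way the audit checklist asks: session vs
// persistent, first vs third party, and whether consent is needed (anything
// not on the strictly-necessary list).
function classifyCookie({ header, responseHost }, siteHost, strictlyNecessary) {
  const { name, attrs } = parseSetCookie(header);
  const domain = typeof attrs.domain === 'string' ? attrs.domain : responseHost;
  return {
    name,
    lifetime: 'max-age' in attrs || 'expires' in attrs ? 'persistent' : 'session',
    party: isFirstParty(domain, siteHost) ? 'first-party' : 'third-party',
    needsConsent: !strictlyNecessary.has(name),
  };
}

function buildInventory(captured, siteHost, strictlyNecessary) {
  return captured.map(c => classifyCookie(c, siteHost, strictlyNecessary));
}

// Constructed sample capture for the hypothetical site shop.example.
const SAMPLE_CAPTURE = [
  { header: 'basket=abc123; Path=/; Secure; HttpOnly', responseHost: 'shop.example' },
  { header: 'prefs=dark; Max-Age=31536000; Path=/', responseHost: 'shop.example' },
  { header: 'track=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.ads.example', responseHost: 'cdn.ads.example' },
];
const SAMPLE_INVENTORY = buildInventory(SAMPLE_CAPTURE, 'shop.example', new Set(['basket']));
```

In the sample, only the basket cookie is session-scoped and strictly necessary; the preferences cookie is persistent first-party and the tracking cookie is persistent third-party, so both are flagged as needing consent.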