What are cookies and other similar technologies?
Cookies are small text files that a website asks the browser to store on a user's device, such as a computer, mobile device or wearable, and to send back on later requests. Cookies are used for a range of purposes, such as: remembering items in a shopping basket, keeping users logged in to a website, analysing traffic to a website, or tracking users' browsing behaviour across sites.
Functions usually performed by cookies can also be achieved by other means, which the law treats as "similar technologies": anything that stores information on, or gains access to information already stored on, a user's device. Examples include HTML5 local storage, tracking pixels and scripts, and device fingerprinting (combining characteristics of the device and browser, such as installed fonts and screen size, to recognise it on later visits without storing a cookie at all). For the purposes of this article, when we discuss "cookies", we are referring to cookies and similar technologies.
Which law applies?
Key points to note from the ICO
• users must make a clear and positive action to consent, so continuing to browse a website will not constitute valid consent;
• websites and apps must clearly set out what cookies are used and for what purposes before users can consent to them;
• pre-ticked boxes or equivalents, such as sliders defaulted to 'on', cannot be used. "Nudge behaviour" is also non-compliant, i.e. if you influence a user to choose a particular option, such as emphasising an "accept" option over a "reject" option;
• users must be able to withdraw their consent as easily as they gave it and to access websites and apps even if they do not consent to cookies; and
• non-essential cookies must not be set on landing pages (or the homepage) before consent is obtained; only cookies covered by the "strictly necessary" exemption may be set before the user has chosen.
2. GDPR transparency requirement: when using cookies you must explain what cookies you use and for what purposes. You must provide users with the same level of information as you would when processing their personal data. This includes any cookies set by third parties, such as advertising or analytics providers embedded on your pages.
3. Strictly necessary exemption
PECR does not require consent where storing or accessing information on the device is either (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or (b) strictly necessary to provide an online service the user has explicitly requested (for example, a session cookie that keeps a shopping basket together, or a cookie that records the user's cookie preferences themselves). If you rely on the "strictly necessary" exemption you must ensure that the information stored or accessed is only used for that purpose; any secondary use, such as also feeding a session identifier into analytics or advertising, would need to comply with the PECR requirements, i.e. consent. The ICO gives the following as examples of what the "transmission" limb covers, namely information that is needed to:
• detect transmission errors or data loss;
• exchange data items in their intended order; or
• route information over a network by identifying the endpoints.
4. Legitimate interests: you cannot rely on legitimate interests, or any other lawful basis under the GDPR, to set non-essential cookies. PECR requires consent for non-essential cookies whether or not personal data is involved, and where those cookies do process personal data the ICO's view is that consent is also the appropriate GDPR lawful basis, so legitimate interests cannot be used to sidestep the PECR consent requirement.
The ICO recommends conducting a cookies audit to establish what cookies you use (including those set by third-party scripts), who sets them, how long they persist and for what purposes. The key is to distinguish between essential and non-essential cookies to understand which cookies trigger the consent requirements of PECR. Your audit should include a review of your mechanisms for obtaining consent for non-essential cookies to ensure that the consent is valid under the GDPR standard that PECR adopts. You should also identify the most appropriate method of providing information about your use of cookies. It is good practice to conduct regular reviews of your cookies usage, which aligns with the GDPR principle of data protection by design and by default (Article 25).
Written by Sarah Moss