
Guidance on the use of cookies and other technologies

19 August 2019
On 3 July 2019 the Information Commissioner's Office ("ICO"), the UK data protection regulator, published updated guidance on the use of cookies and other similar technologies. In this article we provide a summary of what good compliance looks like according to the ICO and some practical tips on how to comply for businesses based in the UK.

What are cookies and other similar technologies?

Cookies are small text files that a website stores on a user's device, such as a computer, mobile device or wearable, and which the browser returns with later requests to that site. Cookies can be used for a number of purposes, such as remembering items in a shopping basket when shopping online, enabling users to log in to a website, analysing traffic to a website or tracking users' browsing behaviour. 

Functions usually performed by cookies can be achieved by other means, which the ICO calls "similar technologies". An example is device fingerprinting: reading characteristics of a device or browser (such as installed fonts, screen size or user agent) and combining them to identify it. No cookie is set, but information stored on the device is accessed, so the same rules apply. For the purposes of this article, when we discuss "cookies", we are referring to cookies and similar technologies. 
Which law applies?

The use of cookies is governed by the Privacy and Electronic Communications Regulations 2003 ("PECR"), specifically regulation 6, which covers any storage of, or access to, information on a user's device. PECR applies whether or not that storage or access involves the processing of personal data. The General Data Protection Regulation (the "GDPR") governs the processing of personal data. Cookies will often, but not always, involve the processing of personal data, e.g. a user authentication cookie used to enable a user to log in to an online account. While PECR and the GDPR can both apply to the use of cookies, if you are using cookies you must consider PECR before you consider the GDPR. 


Key points to note from the ICO

1. GDPR consent: unless an exemption applies, PECR requires organisations to obtain consent for the use of cookies, and that consent must meet the standard required by the GDPR. This means that:

users must make a clear and positive action to consent, so continuing to browse a website will not constitute valid consent;
websites and apps must clearly set out what cookies are used and for what purposes before users can consent to them;
pre-ticked boxes or equivalents, such as sliders defaulted to 'on', cannot be used. "Nudge behaviour" is also non-compliant, i.e. if you influence a user to choose a particular option, such as emphasising an "accept" option over a "reject" option;
users must be able to withdraw their consent as easily as they gave it and to access websites and apps even if they do not consent to cookies; and
non-essential cookies must not be set on landing pages before consent is obtained.

2. GDPR transparency requirement: when using cookies you must explain what cookies you use and for what purposes. You must provide users with the same level of information as you would do when processing their personal data. This includes any cookies set by third parties.

3. Exemptions: there are two exceptions to the PECR requirements to obtain consent and provide information about your use of cookies: the "strictly necessary" exemption and the "communication" exemption.

Strictly necessary exemption

This exemption applies to the use of cookies which are essential for providing an online service, including complying with applicable laws, e.g. cookies used to remember the items a user has added to their online shopping basket or to comply with GDPR security requirements. What is "strictly necessary" should be determined from the user's perspective. Analytics cookies are used to monitor how users access online services, e.g. how many users visit a website. The use of analytics cookies, while useful for organisations, is not strictly necessary and therefore requires consent.

If you rely on the "strictly necessary" exemption you must ensure that the information stored or accessed is only used for that purpose; any secondary use would need to comply with the PECR requirements.  

Communication exemption

This exemption applies to the use of cookies which are essential for the transmission of a communication over an electronic communications network, such as cookies used to:
detect transmission errors or data loss;
exchange data items in their intended order; or
route information over a network by identifying the endpoints. 

4. Legitimate interests: because PECR requires consent, you cannot rely on legitimate interests or any other lawful basis under the GDPR for the use of non-essential cookies. 

5. Scope: you should ensure that your use of cookies is proportionate to your intended outcome and limited in scope and duration to what is necessary to achieve your purpose. 


Practical Tips

The ICO recommends conducting a cookies audit to establish what cookies you use and for what purposes. The key is to distinguish between essential and non-essential cookies so that you understand which cookies trigger the PECR requirements. Your audit should include a review of your mechanisms for obtaining consent for non-essential cookies to ensure that these are valid under the GDPR. You should also identify the most appropriate method of providing information about your use of cookies. It is good practice to review your cookies usage regularly, which aligns with the GDPR principle of data protection by design and by default. 
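One practical starting point for such an audit is to load the landing page with no consent recorded, capture every Set-Cookie header returned (including those from third-party hosts), and check each cookie against your own register of cookies you have classed as strictly necessary. The script below is an added illustration, not part of the article or the ICO guidance: the site domain, the register of essential cookies and the captured headers are all constructed, and the classification it produces is only as good as the register your audit feeds it. It also reports each cookie's lifetime, which is relevant to the point above about limiting duration to what is necessary.

```python
"""Pre-consent cookie audit over captured Set-Cookie headers (added example).

Parses each Set-Cookie header, decides whether the cookie is first- or
third-party from the host that set it, checks it against the organisation's
register of strictly necessary cookies, and reports the cookies that were set
before any consent was given. Hosts, cookie names and the register are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed: the site under audit and its register of strictly necessary
# cookies (name -> purpose), as established by the cookies audit.
SITE_DOMAIN = "example.com"
ESSENTIAL_COOKIES = {
    "session_id": "keeps the user logged in",
    "basket": "remembers shopping basket contents",
    "csrf_token": "protects forms against cross-site request forgery",
}

# Constructed capture of a first visit with no consent recorded:
# (host that returned the response, Set-Cookie header value).
PRE_CONSENT_CAPTURE: List[Tuple[str, str]] = [
    ("www.example.com", "session_id=4f3c9a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "basket=item42; Path=/; Max-Age=86400; Secure; HttpOnly"),
    ("www.example.com", "analytics_id=A1.2.1234; Domain=.example.com; Path=/; "
                        "Expires=Wed, 19 Aug 2020 00:00:00 GMT"),
    ("ads.adnetwork.example", "ad_id=abc123; Path=/; Max-Age=31536000; Secure; SameSite=None"),
]

# Fixed "now" so that lifetimes are reproducible (the article's date).
NOW = datetime(2019, 8, 19, tzinfo=timezone.utc)


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are case-insensitive (RFC 6265), so they are stored
    # lower-cased; flags such as Secure and HttpOnly have the value None.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class Finding:
    name: str
    set_by: str
    third_party: bool
    essential: bool
    lifetime_days: Optional[float]  # None means a session cookie
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into its name/value pair and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if has_value else None
    return cookie


def lifetime_days(cookie: Cookie, now: datetime) -> Optional[float]:
    """Persistence in days. Max-Age takes precedence over Expires (RFC 6265
    section 4.1.2.2); a cookie with neither lives only for the session."""
    max_age = cookie.attrs.get("max-age")
    if max_age is not None:
        return int(max_age) / 86400
    expires = cookie.attrs.get("expires")
    if expires is not None:
        return (parsedate_to_datetime(expires) - now).total_seconds() / 86400
    return None


def is_third_party(host: str, site_domain: str) -> bool:
    """A cookie is third-party when the response that set it came from a host
    outside the audited site's domain."""
    host = host.lower().rstrip(".")
    return not (host == site_domain or host.endswith("." + site_domain))


def audit_pre_consent(capture, essential, site_domain, now) -> List[Finding]:
    findings = []
    for host, header in capture:
        c = parse_set_cookie(header)
        third = is_third_party(host, site_domain)
        findings.append(Finding(
            name=c.name, set_by=host, third_party=third,
            # Only first-party cookies can match the register; a third-party
            # cookie that happens to share a name is still flagged.
            essential=(not third and c.name in essential),
            lifetime_days=lifetime_days(c, now),
            secure="secure" in c.attrs, http_only="httponly" in c.attrs))
    return findings


def violations(findings: List[Finding]) -> List[Finding]:
    """Non-essential cookies set before consent: each needs a consent
    mechanism that meets the GDPR standard, or must not be set until then."""
    return [f for f in findings if not f.essential]


if __name__ == "__main__":
    results = audit_pre_consent(PRE_CONSENT_CAPTURE, ESSENTIAL_COOKIES, SITE_DOMAIN, NOW)
    for f in results:
        life = "session" if f.lifetime_days is None else f"{f.lifetime_days:g} days"
        party = "third-party" if f.third_party else "first-party"
        status = "essential" if f.essential else "NON-ESSENTIAL, set before consent"
        print(f"{f.name:<13} {party:<12} {life:<10} {status}")
```

Run against a real capture, the report gives you the list of cookies whose setting has to move behind a compliant consent control, along with the third-party hosts that your cookie notice must name. It cannot tell you whether a cookie is genuinely strictly necessary; that judgement, made from the user's perspective, is the audit's job and the register records its outcome.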


Conclusion

The ICO's guidance should be considered interim guidance, as it will need to be updated to reflect the long-awaited EU e-Privacy Regulation, which will replace the legislation on which PECR is based. However, the ICO has stated that "cookies compliance will be an increasing regulatory priority" in the future, so organisations should prioritise compliance. If you already use cookies, you should conduct a cookies audit and make any necessary amendments in light of the new guidance, and if you are planning to use new cookies you should take steps to fully comply with applicable legislation and current guidance from the outset. DWF's data protection team are happy to assist you with all aspects of data governance, including your cookies compliance. Please contact us at dataprotection@dwf.law.


Written by Sarah Moss
