While cookies are the most commonly known method, any technology used to store information on a user’s device, or to gain access to information on a user’s device, is subject to the same requirements.
Broadly speaking these requirements currently are:
- The user is told why you want to store information, or access information, on their device; and
- The user must have given their consent to such storage or access.
These are requirements under the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended – these Regulations are often referred to as the PECR.
Are there any exemptions?
Yes, if:
- The cookie (or similar tech) is required for the sole purpose of carrying out the transmission of a communication over an “electronic communications network” (such as a network for phone calls, text messages, emails or internet messaging; examples include wireless networks and mobile phone networks); or
- The storage or access is strictly necessary for the provision of an “information society service” (most online services) requested by the subscriber or user.
In essence, if you need the cookie (or similar tech) to provide the service to the user – for example, to remember the goods a user wishes to buy when they add goods to their online basket – you will probably be able to rely on these exemptions.
It is important however to note that the cookie (or similar tech) must be essential, it cannot just be convenient or preferable.
What does this mean in practice?
- Before a cookie is placed onto a device you should ensure that individuals provide their consent. This means, when someone lands on a webpage, cookies are not placed on the user’s device until their consent is provided.
- You should make sure suitable detail is provided to individuals to allow them to understand what you are placing on their device and why.
- Any consent should require a positive action from the individual; for example, you should not use pre-ticked options.
Consent to the use of cookies is usually sought using a pop-up or cookie banner.
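The three practical points above (no cookies until consent, clear information about what is set and why, and no pre-ticked options) can be enforced in code rather than left to the banner's wording. The following is an added example, not code from the original page or from any particular consent tool: a small consent-gated cookie policy in which the cookie names, categories and purposes are constructed for illustration, consent defaults to off for everything that is not strictly necessary, and the banner text is generated from the same catalogue that the setter consults, so what the user is told matches what is actually stored. The "jar" object stands in for `document.cookie` so the logic can run outside a browser.

```javascript
// Added example (not from the original page). Cookie names, categories and
// purposes below are constructed for illustration only.

// Every cookie the site sets is declared here with its category and purpose.
// "strictly-necessary" maps to the PECR exemption; everything else needs consent.
const COOKIE_CATALOGUE = {
  session_id:   { category: "strictly-necessary", purpose: "keeps you logged in during your visit" },
  basket:       { category: "strictly-necessary", purpose: "remembers items added to your basket" },
  analytics_id: { category: "analytics",          purpose: "measures how the site is used" },
  ad_profile:   { category: "advertising",        purpose: "personalises adverts shown to you" },
};

// Consent starts with every optional category off: nothing is pre-ticked.
function newConsentState() {
  return { analytics: false, advertising: false };
}

// Record a positive action by the user for one category; returns a new state.
function grantConsent(state, category) {
  if (!(category in state)) throw new Error(`unknown consent category: ${category}`);
  return { ...state, [category]: true };
}

// Decide whether a named cookie may be stored under the current consent state.
function mayStore(cookieName, state) {
  const entry = COOKIE_CATALOGUE[cookieName];
  if (!entry) return { allowed: false, reason: "cookie not declared in catalogue" };
  if (entry.category === "strictly-necessary") {
    return { allowed: true, reason: "exempt: strictly necessary for the requested service" };
  }
  if (state[entry.category]) return { allowed: true, reason: `user consented to ${entry.category}` };
  return { allowed: false, reason: `no consent for ${entry.category}` };
}

// The only path that writes a cookie. `jar` stands in for document.cookie.
function setCookie(jar, name, value, state) {
  const decision = mayStore(name, state);
  if (decision.allowed) jar[name] = value;
  return decision;
}

// Banner text is derived from the catalogue, so the information shown to the
// user cannot drift from what the site actually sets.
function bannerNotice() {
  return Object.entries(COOKIE_CATALOGUE)
    .filter(([, e]) => e.category !== "strictly-necessary")
    .map(([name, e]) => `${name} (${e.category}): ${e.purpose}`);
}

// Walk-through of a visit: landing, then consenting to analytics only.
function demo() {
  const jar = {};
  let state = newConsentState();
  setCookie(jar, "session_id", "s-123", state);   // allowed on landing (exempt)
  setCookie(jar, "analytics_id", "a-1", state);   // blocked: no consent yet
  state = grantConsent(state, "analytics");       // user clicks "accept analytics"
  setCookie(jar, "analytics_id", "a-1", state);   // now allowed
  setCookie(jar, "ad_profile", "p-1", state);     // still blocked: advertising not consented
  return jar;                                     // { session_id, analytics_id }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(bannerNotice());
  console.log(demo());
}
```

The point of routing every write through `setCookie` is that "no cookies until consent" becomes a property of the code path rather than a promise in the banner text; a cookie that is not in the catalogue is refused outright, which also catches third-party scripts that try to set something nobody documented.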
What happens if we don’t comply?
Compliance with the rules on the use of cookies (and similar tech) is enforced by the Information Commissioner’s Office. A failure to comply could result in a fine and reputational damage.
What about data protection?
The rules on cookies (and similar tech) apply to the storage of, or access to, any information using that type of technology. The information does not need to be personal data.
Often, data collected by cookies is personal data. If it is, then as well as complying with the requirements under the PECR, you will also need to comply with the Data Protection Act 2018 and the UK GDPR. It is therefore key that you check what information is being collected, whether it is personal data and whether you have complied with your wider data protection obligations.
Potential changes to the law
Some people consider the website cookie requirements to be onerous. In June 2022, the UK Government published its intention to legislate to remove the need for websites to display cookie banners to UK residents.
The Government has also announced that it intends to move to an opt-out model of consent for cookies placed by websites. In practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out (although this model is not expected to apply to websites likely to be accessed by children).
Please keep an eye out for future announcements about the laws applicable to cookies and similar technologies – we will publish details of changes here on our Data Protection Hub.