A cookie is a small file of letters and numbers that is downloaded on to a computer or mobile device when a user visits a website or a mobile app. The rules on cookies are covered by the Privacy and Electronic Communications Regulations 2003 (PECR) which state that organisations who use cookies must obtain consent to store cookies on users’ devices.

The UK General Data Protection Regulation (UK GDPR) states that, where cookies can identify an individual, they are considered to be personal data subject to the UK GDPR. Therefore, the consent that is obtained must be to standard applied by the UK GDPR which means it must be “freely given, specific, informed and unambiguous individual of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The consent mechanism used must give users full control over all the cookies the website sets, including any third-party cookies. Cookie banners, pop-ups, message bars or similar techniques are a popular and easy way to achieve compliance, but these cannot be unnecessarily disruptive. For example, a message box designed for display on a desktop wouldn’t affect the customers experience but the message box on a mobile app could be hard to read or interact with so the consent would be invalid.

Pre-ticked boxes or pre-approved slider boxes are inappropriate as there is no affirmative action being given by the user. Cookie walls that require users to accept the setting of cookies before they can access any of the content is also inappropriate in most circumstances as the user has no genuine choice but to agree to the cookies.

The different types of cookies are:

Strictly necessary – these are required for the operation of the website/app. Examples include cookies to allow individuals to log in to certain areas of the website or use a shopping cart. Cookies that are strictly necessary do not require consent, but that cookie must be essential and what is essential will be different depending on the type of website or app.

Analytical or performance cookies – these can record the number of users that visit the website and what they do on the website. They are not essential so consent must be obtained.

Functionality cookies – these recognise users when they return to a certain website so that website can be tailored to them, e.g., by remembering their language preferences or what was in their shopping cart. They are not essential and so consent must be obtained.

Targeting cookies – these record users visit to the website and what they pages/links they visit so they receive targeting advertisements. They are not essential and so consent must be obtained.

PECR also states that organisations who use cookies must give clear and comprehensive information about the cookies. This information has to be as user friendly as possible and cover the cookies that will be used, the purposes for which they are used, any third parties who may also process information stored in or accessed from the user’s device and the duration of any cookies.

In a previous article, we talked about the new Data Protection and Digital Information Bill which could overhaul the current regime on the use of cookies. The Bill proposes to extend the types of cookies which can be placed on users’ devices without consent, which would make compliance easier for organisations. The Bill also proposes to increase the fines organisations could face for breached of PECR, bringing it in line with the UK GDPR. We don’t know what will happen to cookie laws in the future but we do know it’s important you get it right, right now.

If your business needs advice on data protection and compliance, to avoid any potential risks, get in touch with Sophie Brazier in our commercial team at SophieBrazier@schofieldsweeney.co.uk.