Online privacy: how to comply with the new law on cookies

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) govern the use of cookies in the UK.

Cookies are a useful and sometimes essential tool for any website provider.  PECR complements the GDPR and provides specific rules on cookies.  We have significant experience advising on compliance with PECR and GDPR, and ensuring that cookies are deployed and used in accordance with those rules.

What is a cookie?
The UK’s Information Commissioner’s Office (the “ICO”) defines a cookie as: “a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.”  The ICO applies the same rules to similar technologies that store or access information on a user’s device, such as local storage, tracking pixels and device fingerprinting, so the points below are not limited to HTTP cookies in the strict sense.

Cookies have many potential uses, including identifying users, remembering a user’s custom preferences, and helping users complete tasks without having to re-enter information when moving from one page to another or when re-visiting the site.  Cookies can also be used for online behavioural (targeted) advertising, for example to show adverts relevant to something that the user searched for in the past.

What does your organisation need to do if it wants to use cookies?
Regulation 6 of PECR requires organisations to:

  • [provide] clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • [obtain] his or her consent.

This means that if you choose to use cookies (other than those covered by the exemption described below), you will need to prepare a document that provides key information about the cookies you are using (a “Cookies Policy”) and obtain users’ consent before setting those cookies.

Cookies Policy
As users’ awareness of what cookies are and what they do is relatively low, Cookies Policies should include general information about what cookies are and the different types of cookie you use.  For example, a simple explanation of analytical cookies: that they are used to recognise and count the number of visitors to your website and to provide information about how users move around your website.

This general, broader information should be complemented by a table containing specific information about each cookie you use (typically its name, who sets it, its purpose, its category, and how long it lasts), so that more technically minded users have the information they need to make decisions about those cookies.  The table can only be accurate if it is built from a complete inventory of the cookies your site actually sets, so it is worth auditing the site rather than listing cookies from memory.

The ICO requires organisations to make the Cookies Policy easily identifiable. This increases the level of user awareness and ensures the validity of the consent.

The ICO has confirmed that the GDPR standard of consent also applies to PECR.  Therefore, consent must be freely given, specific and informed, and must involve some form of unambiguous positive action, such as the user ticking a box confirming that they agree to your organisation’s use of cookies.  Pre-ticked boxes, and treating continued browsing as agreement, do not meet this standard.

In practice, this means that the website should deliver a consent solution in which no non-essential cookies are set on a user’s device before that user has signalled their wishes regarding those cookies.  This may cause difficulties for many organisations, which are likely to set cookies (and load third-party scripts that set cookies) as soon as a user accesses their website.

We are able to advise you on the most appropriate method of obtaining consent, overcoming these practical issues, without impeding user experience or diminishing the quality of your website.

There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The ICO interprets “strictly necessary” narrowly, and the exemption does not extend to cookies which may reasonably be seen as important but not essential; in particular, the ICO’s view is that analytics cookies are not strictly necessary.  Examples of the types of cookie that pass this test are:

  • cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website; or
  • cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested, e.g. an online banking service.
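The following is an added example, written for this page and not code from the original article or from the firm, showing one way to implement the two points above in a website’s front end: a cookie inventory that classifies every cookie the site sets, a gate that refuses to set anything non-essential until the user has positively opted in, withdrawal that removes cookies set under an earlier consent, and a helper that turns the same inventory into the rows of the Cookies Policy table. The cookie names, purposes and expiry periods are hypothetical, as is the `documentCookieJar` adapter and the cookie attributes it chooses; an in-memory jar is used so the logic can be run and checked outside a browser.

```javascript
// Cookie categories as they would appear in the Cookies Policy table.
const STRICTLY_NECESSARY = 'strictly_necessary';
const ANALYTICS = 'analytics';
const ADVERTISING = 'advertising';

// Hypothetical cookie inventory (names, purposes and expiries are constructed for this
// example, not taken from the original page). Every cookie the site sets must be listed
// here; anything that is not listed is refused, which surfaces undocumented cookies early.
const COOKIE_INVENTORY = {
  session_id:     { category: STRICTLY_NECESSARY, purpose: 'Keeps you signed in to the service you requested', expiry: 'Session' },
  basket:         { category: STRICTLY_NECESSARY, purpose: 'Remembers the items in your shopping basket', expiry: 'Session' },
  csrf_token:     { category: STRICTLY_NECESSARY, purpose: 'Protects forms against cross-site request forgery', expiry: 'Session' },
  cookie_consent: { category: STRICTLY_NECESSARY, purpose: 'Records your cookie choices so we do not ask again', expiry: '6 months' },
  _site_visitor:  { category: ANALYTICS,          purpose: 'Counts visitors and how they move around the site', expiry: '1 year' },
  ad_profile:     { category: ADVERTISING,        purpose: 'Shows adverts relevant to your past browsing', expiry: '6 months' },
};

// Build a consent record from the user's positive action (e.g. the boxes they ticked).
// Only values that are exactly true count, so a missing or pre-filled key never grants consent.
function recordConsent(choices) {
  return {
    [ANALYTICS]: choices[ANALYTICS] === true,
    [ADVERTISING]: choices[ADVERTISING] === true,
    recordedAt: new Date().toISOString(),
  };
}

// A consent of null means the user has not acted yet; that is treated exactly like refusal.
function isPermitted(name, consent) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) return false;                                // unknown cookie: never set it
  if (entry.category === STRICTLY_NECESSARY) return true;  // exempt from the consent requirement
  return consent !== null && consent[entry.category] === true;
}

// The gate every cookie write goes through. `jar` is a Map in tests; in a browser pass
// documentCookieJar(). Returns whether the cookie was actually set.
function setCookie(jar, name, value, consent) {
  if (!isPermitted(name, consent)) return false;
  jar.set(name, value);
  return true;
}

// Withdrawal: GDPR-standard consent must be as easy to withdraw as to give, so non-essential
// cookies already set under the earlier consent are deleted, not merely stopped for the future.
function withdrawConsent(jar, consent) {
  const updated = { ...consent, [ANALYTICS]: false, [ADVERTISING]: false, recordedAt: new Date().toISOString() };
  for (const name of [...jar.keys()]) {
    if (!isPermitted(name, updated)) jar.delete(name);
  }
  return updated;
}

// The per-cookie table for the Cookies Policy is generated from the same inventory, so the
// policy cannot drift from what the site actually sets.
function policyTableRows() {
  return Object.entries(COOKIE_INVENTORY).map(([name, e]) => ({
    name, category: e.category, purpose: e.purpose, expiry: e.expiry,
  }));
}

// Browser adapter with the same interface as a Map (hypothetical; the attributes chosen
// here are a reasonable default, not something the original page specifies).
function documentCookieJar() {
  return {
    set(name, value) { document.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`; },
    delete(name) { document.cookie = `${name}=; Path=/; Max-Age=0; SameSite=Lax; Secure`; },
    keys() { return document.cookie.split('; ').filter(Boolean).map((c) => c.split('=')[0]); },
  };
}

// Stand-alone demonstration (Node): before any choice, only the exempt cookie gets through.
const demoJar = new Map();
console.log('session_id set:', setCookie(demoJar, 'session_id', 'abc', null));
console.log('_site_visitor set before consent:', setCookie(demoJar, '_site_visitor', 'v1', null));
```

In a real site the analytics or advertising script tags would be loaded only after `isPermitted` returns true for the cookie they set, since a third-party script will otherwise set its cookie before the gate can intervene; the consent record itself would be persisted in the `cookie_consent` cookie, which is exempt because it exists only to honour the user’s choice.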

Upcoming developments in cookie law
The E-Privacy Directive, the EU law from which PECR is derived, is being updated to the E-Privacy Regulation.

This E-Privacy Regulation will likely change how organisations are required to use cookies including how they obtain consent from users and the type of cookies that are exempt from these requirements.

For further information please contact Simon Halberstam (Partner – Head of Technology Law)