In detail
- What if our use of cookies changes?
- What about cookies set on websites that we link to?
- What about cookies set on overseas websites?
- Can public authorities set cookies on their websites?
- What about other devices like mobiles, smart TVs, wearables, and the ‘Internet of Things’?
- What happens if we don’t comply?
What if our use of cookies changes?
If your cookie use changes significantly, then you will need to consider how this impacts on any consent that you have already gained.
For example, if you introduce a new cookie, or change the purposes of cookies already in use change after consent has been obtained, then your users will need to be made aware of these changes in order to allow them to make an informed choice about this new activity.
What about cookies set on websites that we link to?
Your online service may not be the only place where users and subscribers could have cookies set during their interactions with you.
For example, if you have a presence on social media platforms, then those platforms will set cookies on users’ devices once they visit your pages there, eg after they’ve navigated away from your website. These cookies can be used for different purposes depending on the platform, but common uses are to provide you with statistical information about how users interact with your social network presence.
Although you may not directly control the cookies that the platform sets, you do control the fact that you have a presence on that platform and you are also able to determine what types of statistics you want the platform to generate based on user interaction.
This means that you are jointly responsible, with the social media platform, for determining the purpose and means of the processing of personal data of any user that visits your presence on that network and are therefore a joint data controller for this activity with the platform.
This remains the case even if the network only provides you with anonymised or aggregated statistical information, as in order to generate that information the platform will process personal data, firstly by recording what visitors do and then by then anonymising that information.
You should be aware that not all of those accessing your social media presence from your website will necessarily be logged-in users of the social platform in question and therefore you need to ensure that they are provided with appropriate information before they visit.
So, you need to ensure that your own privacy notice on your website includes references to any social media presence that you may have, and how individuals are able to control the setting of any non-essential cookies once they visit there, even if these cannot be covered by your site’s consent mechanism.
You should also provide information about the processing of any personal data within your privacy notice as well as somewhere your page on the online platform, even if this is simply a link back to that privacy notice.
What about cookies set on overseas websites?
It is firstly important to note that if you are based in the UK you will be subject to the requirements of PECR even if your website is hosted overseas (eg, using cloud services based in the USA).
Although PECR does not have specific provisions regarding organisations operating outside the European Economic Area (EEA), where personal data is processed the UK GDPR applies. If your organisation is based outside Europe and you offer online services designed for the European market (eg that provide products or services to customers in Europe), you need to comply with the UK GDPR’s requirements in respect of the information you provide to users as well as when, and how, you obtain consent.
So, where personal data is involved, if the user is not provided with clear and comprehensive information about the use of cookies then they cannot be said to be appropriately informed about the processing of their personal data – which is part of the fundamental data protection principle about fair, lawful and transparent processing.
When assessing whether the UK GDPR’s territorial scope provisions apply to you, you should take account of:
- whether the processing relates to personal data of individuals in the EEA, and
- whether that processing also relates to the offering of goods and services or monitoring of behaviour.
Mere availability of a website to users within the EEA will not automatically be sufficient to bring that website in scope.
Example
An e-commerce website based outside the EEA offers users the ability to set up accounts and purchase products from any location in the world. Users can also list product prices in different currencies, including Pounds, Euros and other EEA currencies.
It is therefore clear that the products the site sells are intended to be offered to individuals within the EEA, and the site would be in scope of the UK GDPR.
Where the site uses cookies and similar technologies to process personal data, it would need to provide users in the UK and Europe with information about these cookies and comply with the rest of the UK GDPR.
A website may be available globally, and therefore accessible to individuals within the EEA, but this will not always mean it is specifically offering goods and services to those individuals. It will depend on the particular circumstances.
Example
An online news outlet based outside the EEA but accessible to individuals within the EEA may not be in scope of the UK GDPR, depending on its circumstances. The outlet may carry news reports relating to the EEA, but if this content is 'directed at' individuals within the outlet’s own country or territory, rather than individuals in the EEA, then it will not be in scope of the UK GDPR even if those individuals can access the news reports online.
However, if the outlet intends to have a 'global' reach then it obviously means to offer its service to anyone, including EEA individuals; it will therefore need to consider whether the UK GDPR’s territorial provisions apply to it, and the implications this has for providing cookie information and obtaining consent.
If you have a non-EEA website you can also take steps to demonstrate that you are not intending to offer goods and services to EEA individuals, for example:
- including specific references in your privacy information; or
- preventing EEA users from accessing your site, eg via IP address blocking.
The decision to undertake this activity is entirely down to you, but may provide an effective means of demonstrating that you do not intend to offer your service to individuals in the EEA.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
The EDPB has published Guidelines 03/2020 on territorial scope.
While these guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, they may still provide helpful guidance.
Can public authorities set cookies on their websites?
The requirements to provide clear and comprehensive information and obtain consent apply for anyone using cookies, whether or not you are a public authority. So, if you are a public authority that runs an online service – such as your website – the cookie rules apply to you as well.
What about other devices like mobiles, smart TVs, wearables, and the ‘Internet of Things’?
In recent years, there has been ever-increasing usage of mobile devices such as smartphones and fitness bands, and internet-enabled appliances such as smart TVs and other so-called ‘Internet of Things’ devices such as home thermostats and connected vehicles. Generally, connected devices come under the definition of ‘terminal equipment’.
Web services, often called web application programming interfaces (APIs) are typically used by mobile devices and other hardware. Since these services can also store or access information on the user’s device just like any website, it is important to note that the cookie rules apply to all such devices where cookies or similar technologies are in use.
Here are some points to remember:
- A web API that sets cookies must comply with the cookie rules. In the field of mobile devices, this typically means that the mobile app accessing the web API is the obvious place to incorporate consent mechanisms, where applicable. It also means that users who access the web API using other means (eg a web browser) might not receive the same information and might need to be treated differently in order to avoid setting cookies without consent.
- In the same way that a website can make use of existing browser settings (as detailed in Regulation 6(3)(a) of PECR) to obtain consent, preference settings within a device’s operating system may mature into a consent mechanism for app and web app developers.
- The limited, and sometimes non-existent, physical interfaces on some internet-connected devices pose challenges when trying to inform users about cookies and their purposes. Without being able to display information as part of a website itself, you need to consider alternative methods of informing users. These might include clear instructions packaged along with the device, information provided during product registration, or use of a companion mobile app to provide an interface so that information can be communicated and consent gained.
What happens if we don’t comply?
The ICO’s aim is to ensure organisations comply with the law. In cases where organisations refuse or fail to comply voluntarily the ICO has a range of options available for taking formal action where this is necessary.
Although the GDPR gives the ICO enhanced powers, the enforcement regime for PECR remains that which was in effect under the 1998 Data Protection Act – except where personal data is processed.
Where formal action is considered, perhaps because an organisation refuses to take steps to comply or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, any use of formal regulatory powers would be considered in line with the factors set out in the published Regulatory Action Policy.
More guidance on the circumstances in which the Information Commissioner will use enforcement powers, including what is considered a ‘serious infringement’, can be found in the ICO's Regulatory Action Policy and associated guidance.
The Regulatory Action Policy makes clear that any formal action must be a proportionate response to the issue it seeks to address and that monetary penalties will be reserved for the most serious infringements of PECR.
The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. For example, the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action.
Further reading – ICO guidance