In detail
What is the relationship between PECR and the UK GDPR?
PECR sits alongside the Data Protection Act 2018 (DPA) and the UK GDPR, and provides specific rules in relation to privacy and electronic communications. Where these rules apply, they take precedence over the DPA and the UK GDPR. This is important, because if you are setting cookies you need to consider PECR compliance first before you look to the UK GDPR.
Additionally, PECR depends on data protection law for some of its definitions. For example, as the previous section states, PECR takes the UK GDPR’s standard of consent. The UK GDPR also talks about cookies within the definition of personal data.
Essentially, if you are operating an online service, then the easiest way to look at the two laws is:
- if your online service stores information, or accesses information stored, on user devices then you should ensure that comply with PECR first, including the requirements to provide information and obtain consent; and
- the UK GDPR applies to any processing of personal data outside of this storage or access.
Regulation 4 of PECR is also clear about the relationship with data protection law:
‘Nothing in these Regulations shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data.’
Although PECR does not just apply where personal data is being processed, activities involving the processing of personal data generally have greater privacy and security implications.
Where the setting of a cookie does involve the processing of personal data, you will also need to make sure you comply with the additional requirements of the UK GDPR.
What does the UK GDPR say about cookies?
The UK GDPR classes cookie identifiers as a type of ‘online identifier’, meaning that in certain circumstances these will be personal data. For example, a user authentication cookie would involve processing of personal data, as it is used to enable the user to log in to their account at an online service.
Article 4(1) of the UK GDPR defines personal data as:
‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’
Recital 30 provides further information on the term ‘online identifier’:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
It is important to note that cookies may not always be classed as personal data. However, PECR applies whether or not the storage of or access to information on user devices involves processing personal data.
‘Online identifiers’ can also include (but are not limited to) things like:
- MAC addresses;
- advertising IDs;
- pixel tags;
- account handles; and
- device fingerprints.
The use of these could leave traces which, when combined with unique identifiers and other information, could be used to create profiles of individuals and identify them.
When assessing if an individual is identifiable, you must consider whether online identifiers, on their own or in combination with other information that may be available to those processing the data, may be used to distinguish one user from another.
For example, this is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed. This may be either as a named individual or simply as a unique user of electronic communications and other internet services who may be distinguished from other users.
You should be aware that whilst a single information element may not be personal data on its own, the combination of multiple elements makes it more likely that the information will constitute personal data. This is particularly the case when the information enables you to single out, make inferences or take specific actions in relation to users (such as identifying them over time or across multiple devices and websites, even if you don't know the name of those users). Where this is the case, your processing must comply with the UK GDPR.
When considering alternatives to cookies it is also important to look at the broader privacy context. Even where the cookie rules do not apply, you may need to comply with the GDPR. For example, if information is collected that builds up a picture allowing an individual to be identified, those individuals need to be told what information is being collected, as well as how and why.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the of the EU version of the GDPR.
In 2014, WP29 produced guidance on device fingerprinting and the ePrivacy Directive in Opinion 9/2014. This provides more information about how PECR applies in this context, and also outlines the data protection risks related to device fingerprinting. This guidance remains applicable as it relates to the ePrivacy Directive.
How does cookie consent fit with the lawful basis requirements of the UK GDPR?
To process personal data, you must have a lawful basis. The UK GDPR has six lawful bases, of which one is consent. No lawful basis is more important than the other – the appropriate one depends on the specifics of your processing.
However, PECR requirements are separate from, and different to, those of the UK GDPR. Guidance produced by European data protection authorities on how the ePrivacy Directive relates to the UK GDPR clarifies that, if consent is required under the cookie rules:
"the controller cannot rely on the full range of possible lawful grounds provided by article 6 of the UK GDPR".
The simplest way to understand it is that if your cookies require consent under PECR, then you cannot use one of the alternative lawful bases from the GDPR to set them. If you’re setting cookies, this is why you need to look to PECR first and comply with its specific rules, before considering any of the general rules in the UK GDPR.
If the cookies you set aren’t exempt from Regulation 6, then you can only use consent – and this must be of the UK GDPR standard. This is also the case whether or not personal data is involved. If you have obtained consent in compliance with PECR, then in practice consent is also the most appropriate lawful basis under the UK GDPR. Trying to apply another lawful basis such as legitimate interests when you already have UK GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users.
If your cookie meets one of the exemptions, then the requirement to have consent to set it doesn’t apply – essentially, the technical process of storing or accessing information on the device falls out of PECR and, where personal data is involved, the UK GDPR then applies.
Figure 1 below demonstrates where consent applies for cookies.
Use our tool to determine where consent applies for your use of cookies.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
The EDPB has published ‘Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR’.
While this Opinion is no longer directly relevant to the UK regime and is not binding under the UK regime, it may still provide helpful guidance about how the cookie rules relate to the EU GDPR.
Do the rules apply to the processing of personal data gained via cookies?
PECR has rules for the storing of information, or accessing information stored, on user devices. It does not contain any specific rule for prior or subsequent processing operations involving this information.
So, where personal data is involved, it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies. However, you, will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing that data with third parties.
You should also be aware that European data protection authorities, including the ICO, have previously stated that, in certain cases the processing of personal data that follows (or depends on) the setting of cookies is highly likely to require consent as its lawful basis.
This is not just because the personal data originates by the use of cookies (and therefore consent is required under PECR) but is also because of the nature, scope, context and purpose(s) of the processing operations themselves mean that users must be informed, and agree, to the processing prior to it taking place in order to ensure that it is fair.
Analysing or predicting preferences or behaviour
Where personal data obtained via the use of cookies and similar technologies is used for purposes such as analysing or predicting the personal preferences, behaviour and attitudes of individuals, with this subsequently informing measures or decisions taken about them consent is likely to be required otherwise this further use cannot be considered compatible.
Example
Tracking and profiling for direct marketing and advertising
For similar reasons, consent would be required for processing like tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research due to the nature of the processing operations and the risks posed to individuals.
The fact that consent is also required under PECR means that in most circumstances, legitimate interests is not considered to be an appropriate lawful basis for the processing of personal data in connection with profiling and targeted advertising.
Consent will be required under PECR for the use of cookies in these circumstances, and in practice, consent is therefore the most applicable lawful basis for any subsequent processing of personal data for the purposes described.
Further reading - European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
The EDPB has published ‘Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR’. This provides useful information about how the cookie rules relate to the EU GDPR and re-states the positions previously taken by WP29 about when consent should be required for certain processing operations beyond the setting of cookies.
WP29 previously published 'Opinion 3/2013 on purpose limitation’ and 'Opinion 6/2014 on the notion of legitimate interests’. Although this guidance was produced under the previous data protection framework, much of it applies under the EU GDPR.
While these Opinions are no longer directly relevant to the UK regime and are not binding under the UK regime, they still provide helpful guidance on these issues.
What about the proposed ePrivacy Regulation?
The ePrivacy Regulation (ePR) is a piece of European legislation that is currently under development. When finalised, it will replace the ePrivacy Directive on which PECR is based. It intends to provide updated and modernised rules for privacy and electronic communications.
However, we cannot provide any specific guidance on what the ePR may contain in the future.
You should however note that irrespective of the development of the ePR, PECR continues to apply in full, alongside the UK GDPR.