How do we comply with the cookie rules?
In detail
- Who is responsible for compliance?
- How do we plan and decide what type of cookies to use?
- How should we conduct a cookie audit?
- How do we tell people about cookies?
- What if children are likely to access our online service?
- How should we request consent in practice?
- Can we use message boxes and similar techniques?
- Can we rely on settings-led consent?
- Can we rely on feature-led consent?
- Can we rely on browser settings and other control mechanisms?
- Can we use ‘terms and conditions’ to gain consent for cookies?
- Can we use ‘cookie walls’?
- Can we pre-enable any non-essential cookies?
- What if we use third party cookies?
- Are analytics cookies exempt?
- How do the exemptions apply to different types of cookies?
- What if our users change their minds about cookies?
- How often should we get consent?
- How should we keep records of user preferences?
- How long should our cookies last?
Who is responsible for compliance?
PECR says that ‘a person’ shall not store, or gain access to information stored, on user devices. However, PECR does not define who should be responsible for complying with the requirement to provide information about cookies and obtain consent. The key point is not who obtains the consent but that you provide clear and comprehensive information and obtain valid consent.
Where you operate an online service and any use of cookies will be for your own purposes, it is clear that you will be responsible. The person setting the cookie is therefore primarily responsible for compliance with the requirements of PECR, although this is not necessarily the case where multiple parties are involved.
How do we plan and decide what type of cookies to use?
If you are planning a new online service, you should take steps to detail what cookies you will use, which are strictly necessary, and ensure that you have appropriate arrangements in place with any third parties.
For any pre-existing services, you should already know what types of cookies you use but it would be sensible to recheck. This might take the form of a comprehensive ‘cookie audit’ of your online service, or it could be as simple as checking what data will be sent to users and why.
How should we conduct a cookie audit?
When you conduct a cookie audit, you should:
- for cookies that are already present, identify those that are operating on or through your website, using a combination of browser-based tools and server-side code review;
- confirm the purpose(s) of each of the cookies you use (or intend to use);
- confirm whether cookies are linked to other information held about users – such as usernames – and whether your use of cookies also involves (or will involve) processing personal data;
- identify what data each cookie holds or otherwise processes;
- confirm the type of cookie – session or persistent;
- distinguish between which cookies are strictly necessary and which ones aren’t (and would therefore require clear and comprehensive information and consent);
- ensure that your consent mechanism enables users to control the setting of all non-essential cookies;
- determine the lifespans of any persistent cookies and whether these durations are justifiable for the stated purpose;
- determine whether each cookie is a first or third party cookie, and if it is a third party cookie who is setting it;
- double check that the privacy information provides accurate and clear information about each cookie;
- confirm what information you share with third parties, and what users are told about this; and
- document your findings and follow-up actions, and build in an appropriate review period.
If your service already uses cookies, you should look at this as an opportunity to ‘clean up’ existing web pages and stop using cookies that are unnecessary or which have been superseded as your site has evolved.
Don’t just do this once. Your usage of any third party content is likely to change over time, so it is good practice to undertake regular reviews of your cookie usage, as well as any third party services your website includes that may set cookies.
Once you have completed the audit, the next consideration is the best methods for providing information and requesting consent.
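As an added illustration of the inventory steps in the audit above (this is example code, not ICO guidance or any particular vendor's tool), the script below parses captured Set-Cookie headers, the way you would collect them from browser developer tools or a proxy log, and builds the columns the audit asks for: cookie name, setting host, first or third party, session or persistent, and lifespan. The site host, the captured responses and the cookie names are constructed; the first-party test is a deliberate simplification that does not consult the public suffix list, so treat its output as a starting point for review rather than a verdict, and fill in purpose and necessity by hand.

```javascript
// Added example, not ICO code: build a cookie inventory from captured
// Set-Cookie headers for a cookie audit. Sample data is constructed.

const SITE_HOST = "www.example.org"; // assumed: the online service being audited

// Constructed sample: [response URL, Set-Cookie header] pairs as they would
// appear in a browser's network panel or a proxy log.
const CAPTURED = [
  ["https://www.example.org/", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["https://www.example.org/", "lang=en; Path=/; Max-Age=31536000"],
  ["https://www.example.org/", "cookie_consent=rejected; Path=/; Max-Age=7776000; SameSite=Lax"],
  ["https://ads.example-network.test/pixel",
   "uid=xyz; Domain=.example-network.test; Expires=Wed, 01 Jan 2030 00:00:00 GMT; Secure; SameSite=None"],
  ["https://www.example.org/", "remember_me=tok; Path=/; Max-Age=2592000; HttpOnly"],
];

// Parse one Set-Cookie header into its name and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    domain: null, path: "/", maxAge: null, expires: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i >= 0 ? attr.slice(0, i) : attr).toLowerCase();
    const val = i >= 0 ? attr.slice(i + 1) : "";
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Simplified first-party test: same registrable name as the site, ignoring a
// leading "www.". A real audit tool would consult the public suffix list.
function isFirstParty(host, siteHost) {
  const base = siteHost.replace(/^www\./, "");
  return host === base || host.endsWith("." + base);
}

// One inventory row per captured cookie. Max-Age wins over Expires, as in
// RFC 6265; neither attribute means a session cookie.
function buildInventory(captured, siteHost, now = new Date()) {
  return captured.map(([url, header]) => {
    const c = parseSetCookie(header);
    const host = c.domain || new URL(url).hostname.toLowerCase();
    let days = null;
    if (c.maxAge !== null) days = c.maxAge / 86400;
    else if (c.expires && !Number.isNaN(c.expires.getTime())) days = (c.expires - now) / 86400000;
    return {
      name: c.name,
      host,
      party: isFirstParty(host, siteHost) ? "first" : "third",
      type: days === null ? "session" : "persistent",
      lifetimeDays: days === null ? null : Math.round(days),
      secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite,
      // Columns the tool cannot fill for you: record them during the review.
      purpose: "TODO", strictlyNecessary: "TODO",
    };
  });
}

// Follow-up actions the audit list calls for, derived from the inventory.
function findings(inventory) {
  const out = [];
  for (const r of inventory) {
    if (r.party === "third") {
      out.push(`${r.name}: third-party cookie set by ${r.host}; confirm who sets it, what users are told, and that the consent mechanism controls it`);
    }
    if (r.type === "persistent") {
      out.push(`${r.name}: persistent for ${r.lifetimeDays} days; confirm this lifespan is justified for its purpose`);
    }
  }
  return out;
}

const inventory = buildInventory(CAPTURED, SITE_HOST);
console.table(inventory);
for (const line of findings(inventory)) console.log("-", line);
```

The inventory deliberately leaves purpose and necessity as open fields: those are the questions the audit answers by reading the code that sets each cookie and the contracts with any third party, not something that can be inferred from the header alone.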
How do we tell people about cookies?
To comply with the information requirements of PECR, you need to make sure users will see clear information about cookies. In any case, doing so will increase levels of user awareness and control, and also assist in gaining valid consent.
You also need to tell people about the purposes and duration of the cookies you use.
You need to provide information about cookies in such a way that the user will see it when they first visit your service. This is usually done within the cookie consent mechanism itself.
You should also provide more detailed information about cookies in a privacy or cookie policy accessed through a link within the consent mechanism and at the top or bottom of your website.
You should consider how the design of your online service impacts on the visibility of the link to your policy. For example, a link at the bottom of a concise webpage which has no content “below the fold” will be much more visible and accessible than a link in the footer of a dense webpage of 10,000 words. In this case a link in the header would be more appropriate.
Other ways of increasing the prominence of cookie information include:
- formatting – this might include changing the size of the link to the information or using a different font. The key is whether the link to this important information is distinguishable from “normal text” and other links;
- positioning – simply moving the link from the footer of the page to somewhere more likely to catch attention is an easy but effective thing to try; and
- wording – making the hyperlink more than simply “privacy policy”; this could involve a link through some explanatory text (“Find out more about how our site works and how we put you in control.”).
You also need to ensure the information is clear so that your users understand it. Consider tailoring the language to your audience, and not using lengthy and overly complex terminology.
What if children are likely to access our online service?
The rules are no different if children access your online service. You will need to provide clear and comprehensive information about your use of cookies and ensure you have consent for any that are not strictly necessary.
However, if children are likely to access your service you will need to ensure that both the information you provide and the consent mechanism you use are appropriate for children.
More generally, if your online service is likely to be accessed by a child then you will also need to comply with the requirements of the ICO’s code of practice on age appropriate design.
How should we request consent in practice?
How you request consent for cookies will depend initially on what the cookies in use are doing and, to some extent, on the relationship you have with your users.
When considering how to provide information about cookies and how to request consent there are different techniques you can use to draw users’ attention to information and the choices available to them.
You may also find it helpful to look at the methods other online services already use.
You need to ensure that any consent mechanism you put in place allows users to have control over all the cookies your website sets, not just your own.
For example, if you want to set third-party content such as tracking pixels and beacons from social networks, you need to ensure that users are given information about these and appropriate controls to signify whether or not they consent.
In practice, this can be challenging as not all consent mechanisms presently enable users to disable cookies from third parties directly. However, designing and implementing a consent mechanism that works only for some of the cookies would not be compliant with PECR, as the user is not provided with any control over these cookies – they must visit different websites and take different actions to disable them.
Ultimately, you are the one who determines what cookies are set on your website, and in particular the number and type of third-party cookies involved. One of the considerations before incorporating a third-party cookie should therefore be whether your consent mechanism allows the user to control whether the cookie is set or not.
Can we use message boxes and similar techniques?
Message boxes such as banners, pop-ups, message bars, header bars or similar techniques might initially seem an easy option for you to achieve compliance.
However, you need to consider their implementation carefully, particularly in respect of the implications for the user experience. For example, a message box designed for display on a desktop or laptop web browser can be hard for the user to read or interact with when using a mobile device, meaning that the consents you obtain would be invalid. Similarly, long lists of checkboxes might seem like a way to make your consent mechanism appropriately granular, but this approach carries different risks in that your users may simply not interact with the mechanism or may not understand the information you’re providing.
At the same time, Recital 32 of the UK GDPR is clear that electronic consent requests must not be unnecessarily disruptive – so you need to consider how you go about providing clear and comprehensive information without confusing users or disrupting their experience. However, this does not override the need to ensure that consent requests are valid – so some level of disruption may be necessary.
Consent can still be sought in this way provided it makes the position absolutely clear to users. Many websites routinely use pop-ups or 'splash pages' to make users aware of changes to the site or to ask for their feedback. Similar techniques could be a useful way of highlighting the use of cookies and consent.
There are challenges with using these techniques. If users do not click on any of the options available and go straight through to another part of your site, and you go ahead and set non-essential cookies on their devices, this would not be valid consent. This is because users who fail to engage with the consent box cannot be said to consent to the setting of these cookies.
Can we rely on settings-led consent?
Some cookies are deployed when a user makes a choice over a site’s settings. In these cases, consent could be sought as part of the process by which the user confirms what they want to do, or how they want the site to work.
For example, some websites 'remember' which version a user wants to access, such as a version of a site in a particular language, or what font size to use. These cookies are sometimes known as ‘preference cookies’ or ‘user interface’ cookies. If this feature is enabled by the storage of a cookie, then this should be explained to the user, meaning they needn't be asked every time they visit the site. You can explain to them that by allowing their choice to be remembered they are giving consent to set the cookie. Agreement for the cookie could therefore be seamlessly integrated with the choice the user is already making.
This would apply to any feature where the user is told that a website can remember settings they have chosen. It might be the size of the text they want to have displayed, the colour scheme they like or even the 'personalised greeting' they see each time they visit the site.
You must however take care that any processing of personal data related to the setting of preference cookies or other personalisation features is limited to what is necessary for this purpose.
Can we rely on feature-led consent?
Your site could include video clips or remember what users have done on previous visits in order to personalise the content they are served. Some cookies would then be stored if the user chooses a particular feature of your site.
However, you still need to provide clear and comprehensive information and obtain consent.
Where the feature is provided by a third party, users will need to be made aware of this, and be given information on how the third party uses cookies and similar technologies so that the user is able to make an informed choice.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
The EDPB has published Guidelines 05/2020 on consent.
While these guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, they may still provide helpful guidance.
Can we rely on browser settings and other control mechanisms?
You cannot assume that each visitor to your online service can configure their browser settings to correctly reflect their preferences in relation to the setting of cookies.
PECR suggests that browser settings may be one means of obtaining consent if they can be used in a way that allows the subscriber to indicate their agreement to cookies being set. Regulation 6(3)(a) states:
‘consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or program to signify consent.’
This is where the user or subscriber sets up their browser so that only certain cookies are allowed.
Example
A user visits a website that can identify that their browser is set up to allow cookies of types A, B and C but not of type D.
As a result the website owner can be confident that in setting cookies A, B and C they have the user’s consent to do so. They would not set cookie D.
For consent to be clearly signified it would need to be clear that users and subscribers had been prompted to consider their current browser settings. This would require evidence of either a positive action that the subscriber was happy with the default, or otherwise made a decision to change the settings.
Browsers may also include other features such as tracking protection options. Depending on the browser, these may be either enabled by default or require the user to configure them. There is also a range of browser extensions and add-ons for various web browsers that users can install to further manage their cookie preferences.
However, you should be aware that not everyone accessing websites will do so with the same version or type of browser, or even use a traditional web browser at all. This is particularly important when considering web browsers and apps on other devices such as smartphones, tablets, smart TVs, wearable technology or other 'Internet of Things' devices.
In future you may well be able to rely on the user’s browser settings as part, or all, of the mechanism for satisfying yourself that you have consent to set cookies. For now, relying solely on browser settings will not be sufficient. Even when browser options are improved it is likely not all users will have the most up-to-date browser with the enhanced privacy settings needed for the settings to constitute an indication of consent.
Can we use ‘terms and conditions’ to gain consent for cookies?
No. Consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices. The key point is that you should be upfront with your users about your use of cookies. You should obtain consent by giving the user specific separate information about what they are being asked to agree to and providing them with a way to accept by means of a positive action to opt-in.
Any attempt to gain consent that is bundled in terms and conditions will not be compliant.
Can we use ‘cookie walls’?
A cookie wall – sometimes called a ‘tracking wall’ – requires users to ‘agree’ or ‘accept’ the setting of cookies before they can access an online service’s content. This is also known as the ‘take it or leave it approach’.
In some circumstances, this approach is inappropriate; for example, where the user or subscriber has no genuine choice but to sign up. This is because the UK GDPR says that consent must be freely given.
Further, Recital 43 of the UK GDPR states that:
‘Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.’
The ePrivacy Directive refers to conditional access to website content in Recital 25. This is sometimes used to justify using a cookie wall. It states:
‘Access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.’
However, when considering Recital 25, you should note that:
- ‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent; and
- the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising.
If your use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by you or any third parties as a condition of accessing your service, then it is unlikely that user consent is considered valid.
However, it should be noted that not all cookie tracking is necessarily intrusive or high risk. Furthermore, the UK GDPR is clear that the right to the protection of personal data:
- is not absolute;
- should be considered in relation to its function in society; and
- must be balanced against other fundamental rights, including freedom of expression and the freedom to conduct a business.
The key is that individuals are provided with a genuine free choice; consent should not be bundled up as a condition of the service unless it is necessary for that service.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
For information about the meaning of Recital 25, read WP29’s Working Document on cookie consent from 2013.
While these guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, they may still provide helpful guidance.
Can we pre-enable any non-essential cookies?
No. Just because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, is not a valid reason to pre-enable it. Enabling a non-essential cookie without the user taking a positive action before it is set on their device does not represent valid consent. By doing this, you are taking the choice away from the user.
Example
A website sets non-essential cookies on its landing page. Its cookie consent mechanism includes wording such as ‘By continuing to use our website, you consent to our use of cookies’.
This does not represent valid consent, even if the mechanism also includes an ‘OK’ or ‘Accept’ button.
This is because the website has decided non-essential cookies will be set, and is then seeking the user’s agreement afterwards – but is only providing the user with an option to ‘continue’ rather than a genuine free choice about whether they want to accept or reject the cookies.
Depending on the circumstances, particularly the design of your consent mechanism and the wording you use in the information you provide, it is also likely that predetermining non-essential cookies could be considered as ‘nudge behaviour’ – ie, you are influencing the user to take a particular course of action.
Example
A consent mechanism that emphasises ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach, as the online service is influencing users towards the ‘accept’ option.
A consent mechanism that doesn’t allow a user to make a choice would also be non-compliant, even where the controls are located in a ‘more information’ section.
Where your online service must also comply with the ICO’s code of practice on age-appropriate design – ie because it is likely to be accessed by a child – ‘nudge behaviour’ cannot be used.
At all times, the key is that you ensure you provide clear and comprehensive information to the user, and have an appropriate consent mechanism that meets the requirements of the UK GDPR.
Ultimately, users may be more likely to give their consent to non-essential cookies where they fully understand:
- what you use cookies for;
- how you have gone about seeking their consent;
- how you (and any third party) intend to use their data; and
- that you have provided them with appropriate control over their preferences.
This can also be a means of enhancing trust and confidence in your online service.
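Putting together the points from ‘How should we request consent in practice?’ and the section above, here is an added example (not ICO code, and not any particular consent product): a small consent controller that runs only essential integrations on page load, treats a user who never interacts with the banner as having given no consent, loads analytics or advertising integrations only once a positive choice has been recorded, and stores that choice in a persistent preference cookie with a 90-day lifetime, the case the exemption table later on this page describes. Storage and the integrations are injected so the logic runs outside a browser; in production the store would wrap document.cookie and each loader would insert the relevant script. The cookie name, integration identifiers and category labels are assumptions.

```javascript
// Added example, not ICO code: a consent controller for non-essential cookies.
// Everything outside the "essential" category stays unloaded until the user
// takes a positive action; continuing to browse records nothing.
// Cookie name, integration ids and categories below are assumptions.

const CONSENT_COOKIE = "cookie_consent";   // assumed preference cookie name
const CONSENT_MAX_AGE_DAYS = 90;           // persistent preference, 90-day lifespan

// Constructed integrations. In a browser each load() would insert the
// relevant script tag; here it only records that the integration ran.
const INTEGRATIONS = [
  { id: "session",    category: "essential",   load: (ctx) => ctx.loaded.push("session") },
  { id: "analytics",  category: "analytics",   load: (ctx) => ctx.loaded.push("analytics") },
  { id: "ad-network", category: "advertising", load: (ctx) => ctx.loaded.push("ad-network") },
];

// Minimal in-memory stand-in for document.cookie so the example runs offline.
function memoryStore() {
  const jar = new Map();
  return {
    lastOptions: null,
    get(name) { return jar.has(name) ? jar.get(name) : null; },
    set(name, value, options) { jar.set(name, value); this.lastOptions = options; },
  };
}

function createConsentManager({ store, integrations, now = () => Date.now() }) {
  const ctx = { loaded: [] };
  // Every non-essential category the user must decide on.
  const optional = [...new Set(
    integrations.filter((i) => i.category !== "essential").map((i) => i.category)
  )];

  function readPreference() {
    const raw = store.get(CONSENT_COOKIE);
    if (raw === null) return null;        // no record: the user has not decided
    try { return JSON.parse(raw); } catch { return null; }
  }

  // Load essentials always; load a non-essential integration only when the
  // stored decision explicitly allows its category.
  function applyPreference(pref) {
    for (const i of integrations) {
      if (ctx.loaded.includes(i.id)) continue;
      const allowed = i.category === "essential"
        || (pref !== null && pref.categories[i.category] === true);
      if (allowed) i.load(ctx);
    }
  }

  // Persist an explicit decision (accept or reject) and apply it.
  function record(categories) {
    const pref = { categories, decidedAt: now() };
    store.set(CONSENT_COOKIE, JSON.stringify(pref), {
      maxAge: CONSENT_MAX_AGE_DAYS * 86400, path: "/", sameSite: "Lax",
    });
    applyPreference(pref);
    return pref;
  }

  return {
    // Page load: run essentials and report whether the banner must be shown.
    // No stored decision means no consent; there is no "consent by continuing".
    init() {
      const pref = readPreference();
      applyPreference(pref);
      return pref === null;
    },
    // The user ticked specific categories; anything not ticked is recorded as refused.
    accept(selected) {
      const categories = {};
      for (const c of optional) categories[c] = selected[c] === true;
      return record(categories);
    },
    // "Reject all" is offered with the same prominence as "accept all".
    rejectAll() {
      const categories = {};
      for (const c of optional) categories[c] = false;
      return record(categories);
    },
    loaded() { return [...ctx.loaded]; },
  };
}

// Demo run: first visit, a decision, then a return visit with the same store.
const demoStore = memoryStore();
const firstVisit = createConsentManager({ store: demoStore, integrations: INTEGRATIONS });
console.log("banner needed:", firstVisit.init(), "loaded:", firstVisit.loaded());
firstVisit.accept({ analytics: true });
console.log("after accept:", firstVisit.loaded());
const returnVisit = createConsentManager({ store: demoStore, integrations: INTEGRATIONS });
console.log("banner needed:", returnVisit.init(), "loaded:", returnVisit.loaded());
```

The design point is that the only path to loading a non-essential integration goes through `record()`, which is reachable solely from `accept()` or `rejectAll()`; navigating away, scrolling, or closing the banner without choosing leaves the preference cookie unset and the integrations unloaded. Because the stored decision is itself a persistent cookie, the banner text should say so, as the exemption table on this page requires.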
What if we use third-party cookies?
Your online service may allow third parties to set cookies on a user’s device. For example, if you include content from a third party (eg from an advertising network or a streaming video service) this third party may read and write their own cookies onto users’ devices.
Where your website sets third-party cookies, both you and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice, it is obviously considerably more difficult for a third party who has less direct control over the interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – in this case you, as the company running the website. It is therefore in both parties’ interests to work together.
If you are a third party wanting to set cookies, or you want to provide a product that requires the setting of cookies, you should include a contractual obligation into your agreements with web publishers. This can provide assurance that appropriate steps will be taken to provide information about the third party cookies and to obtain consent. However, you may need to take further steps, such as ensuring that the consents were validly obtained.
If you design and develop websites or similar technologies for other people you must also carefully consider the requirements of PECR and make sure the systems you design allow your clients to comply with the law. You must also ensure that when you design and develop new online services, or upgrade software, that you take into account both the requirements in PECR and broader data protection requirements, particularly in respect of Article 25 of the UK GDPR on data protection by design.
This is an approach whereby privacy and data protection compliance is designed into systems and services right from the start, rather than being bolted on afterwards or ignored.
Obviously, the process of getting consent for third-party cookies is more complex and everyone has a part to play in making sure that the user is aware of what is being collected and by whom.
However, if your online service allows or uses third-party cookies you still have to ensure you provide appropriate information to users and that you are allowing them to consent to what is stored on their device.
This is one of the most challenging areas in which to achieve compliance with PECR. The ICO continues to work with industry and other regulators to assist in addressing the difficulties and finding workable solutions.
Are analytics cookies exempt?
No. It is important to note that PECR does not distinguish between cookies used for analytics activities and those used for other purposes. Analytics cookies do not fall within the ‘strictly necessary’ exemption. This means you need to tell people about analytics cookies and gain consent for their use.
Analytics cookies are used so online services can collect information about how people access them – for example, the number of users on a website, how long they stay on the site for, and what parts of the site they visit. This is also sometimes known as ‘web audience measurement’. This work is often done ‘in the background’.
Whilst analytics can provide useful information for you, they are not part of the functionality that the user requests when they use your online service – if you didn’t have analytics running the user would still be able to access your service. This is why analytics cookies aren’t strictly necessary and do require consent.
There are two types of analytics cookies: first-party and third-party. Consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices. You need to consider how you will explain your policies to users and make that information more prominent.
A number of services exist that provide an analytics function, and it could be easier for you to use these instead of building your own. However, it can be more difficult to obtain consent for third-party analytics cookies as there is no direct relationship between the third-party organisation and the user of your site. In these cases you need to ensure the information you provide to users about these cookies is absolutely clear and is highlighted in a prominent place – for example you can’t just include it through a general privacy policy link.
If personal data is also processed through your use of a third-party analytics service, you need to take account of data protection requirements.
You should put measures in place to highlight the use of analytics cookies and to obtain agreement to set these cookies.
If the information collected about website use is passed to a third party this should be made absolutely clear to your users. It should also be clear what this third party does with this information. Depending on the specifics of your service, you may also offer users the ability to alter the settings of their account to limit the sharing of their information with third parties, including the analytics provider. (The analytics service may also provide this functionality, and you should consider enabling it where appropriate to do so.) In any case, the controls provided to the user should be prominently displayed and not hidden away.
Ultimately, you have to provide clear information to users about analytics cookies and to take steps to seek their consent. This is likely to involve making the argument to show users why these cookies are useful to them – but you must ensure if you do this you aren’t leading the user to one option over another.
Although the ICO cannot rule out the possibility of formal action in any area, such action may not always follow where the setting of a first-party analytics cookie results in a low level of intrusiveness and a low risk of harm to individuals. However, you should also note that where you use first-party analytics cookies provided by a third party, this will not necessarily be the case.
Further reading – ICO guidance
Read the section on ‘What happens if we don’t comply?’ for more information.
How do the exemptions apply to different types of cookies?
The exemptions in PECR relate to the purpose for which you store information, or gain access to information stored, on user devices. You are required to be clear with your users about these purposes when providing information and requesting consent, and if you have undertaken a cookie audit you should already know what these purposes are.
This section is not intended to provide an exhaustive list of how PECR’s exemptions work for all types of cookies. It is an indicative list based on a number of common purposes that you may use cookies for.
| Activity | Likely to meet an exemption? | Explanation |
| --- | --- | --- |
| User input | ✓ | Yes, depending on purpose limitation. If your online service uses a session cookie to track user input for specific functions of your service (eg a shopping basket or completing a form), then you can rely on the strictly necessary exemption provided that the cookie is only used for this purpose. This may not apply if the cookie is persistent. |
| Authentication | ✓ | Yes, depending on purpose limitation. If you use first-party session cookies for authentication purposes, you can rely on the strictly necessary exemption provided they are only used for this purpose. However, persistent login cookies are not exempt (as the user may not remember that they are logged in on a subsequent visit) and therefore consent is required in these cases. |
| Security | ✓ | Yes, depending on purpose limitation. First-party cookies used for security purposes can rely on the strictly necessary exemption; for example, cookies used to detect repeated failed login attempts. They can also have a longer duration than a session cookie. However, cookies that relate to the security of other online services besides your own require consent. This is because the functionality the user has requested relates to your service, not those of any others. If you use device fingerprinting techniques for a specific security purpose then you can also rely on the strictly necessary exemption. However, as with cookies, if the information is processed for secondary purposes – such as those relating to the security of online services the user has not requested – consent is required. This also applies where the information is processed for the purposes of fraud prevention, particularly in cases where multiple online services use a single fraud prevention service which processes information from visitors of all of those services. |
| Streaming content | ✓ | Yes, depending on purpose limitation. If your service is an online content provider that uses streaming media, then you can rely on the strictly necessary exemption for cookies that relate to the video or audio. This is because the streaming media forms part of the service that the user has requested. However, the exemption does not extend to cases where the cookie processes information that is not strictly necessary for the purposes of the streaming functionality, such as personalisation or usage monitoring. Additionally, where an online service merely includes streaming content hosted by a third-party online content provider (eg, where a website embeds YouTube videos, even those from its own YouTube channel), the exemption may not apply. If this applies to you, you will need to consider the circumstances carefully. |
| Network management | ✓ | Yes, depending on purpose limitation. If you use session cookies for load balancing purposes, you can rely on the communication exemption. This applies only where the cookies are for the sole purpose of identifying which server in the pool the communication will be directed to. Where you use device fingerprinting techniques for network management, you could also rely on the communication exemption provided that the use is solely for this purpose. |
| User preference | ✓ | Yes, depending on purpose limitation. Session cookies used to store a user's preference can rely on the strictly necessary exemption, provided they are not linked to a persistent identifier. The exemption may in some cases also apply to persistent cookies but the user must be given sufficient information in a prominent location – for example, cookies used as part of a cookie consent mechanism, which remember the user's cookie preferences over a period of time (eg 90 days), can be exempt. Alternatively, the act of interacting with the consent mechanism can be sufficient for consent to be obtained for any cookies relating to that mechanism, provided the user is given clear and comprehensive information as to the fact that a persistent cookie will be set on their device for the purpose of remembering their cookie consent preference. Where device fingerprinting techniques process information to optimise the site layout – such as where an online service uses responsive design, so that the site changes depending on the type of device – the strictly necessary exemption can apply. This would also apply to any third party services that are incorporated. However, the information accessed must be used solely for this purpose. Any secondary purposes mean the exemption would not apply and consent is required. |
| Social media plugins | x | Consent required. Where a user of your online service is also logged in to a social media platform, and your service includes plugins and other tools provided by that platform, they might expect to be able to use these plugins as part of their interaction with the social network. In such cases, the cookies that the plugins set on your service could be seen as strictly necessary for the functionality the user has requested. However, this would not apply to non-logged in users of that social media platform – be these users who have logged out, or users that are not members of that network. Consent is therefore required for any cookies that the social plugins set. Unless the plugins are configured only to set cookies on devices used by logged-in members of the social media platform, consent is likely to be required in all circumstances as you cannot assume that all of your visitors will also be members of whichever social networks you link to. |
| Social media tracking | x | Consent required. Where a social media plugin or other technology tracks users, be they members or non-members of that particular platform, for other purposes (including but not limited to online advertising, behavioural monitoring, analytics, or market research) the strictly necessary exemption would not apply. Any use of web beacons, tracking pixels, JavaScript code or similar technologies from a social media platform or any other third party is not exempt from the consent requirements. Additionally, there is no applicable lawful basis other than consent for social media platforms to process information about non-members of their networks through these technologies. |
| Online advertising | x | Consent required. If your service includes cookies used for the purposes of online advertising, you cannot rely on the strictly necessary exemption. Online advertising cookies are not exempt from PECR's consent requirements and never have been. This includes all third-party cookies used in online advertising, including for purposes such as frequency capping, ad affiliation, click fraud detection, market research, product improvement, debugging and any other purpose. Use of device fingerprinting techniques from advertising networks is also not exempt from the consent requirements. You should also note that your users are often unaware that this processing is taking place and that it involves creating profiles of users across different services over time to serve targeted advertising. |
Cross-device tracking | x |
Consent required. Where you use cookies or device fingerprinting techniques to link a user's account with a particular device or devices (eg, as part of the account profile, to provide a second authentication factor or to track users across multiple devices for any purpose – including advertising), consent is required. This is because this purpose is not strictly necessary to provide the functionality the user requests. |
Analytics | x |
Consent required. You are likely to view analytics as ‘strictly necessary’ because of the information they provide about how visitors engage with your service. However, you cannot use the strictly necessary exemption for these. Consent is required because analytics cookies are not strictly necessary to provide the service that the user requests. For example, the user can access your online service whether analytics cookies are enabled or not. If you use device fingerprinting for analytics instead of or alongside cookies, you should note that doing so is not exempt from the consent requirements either. |
What if our users change their minds about cookies?
Once consent has been obtained, users or subscribers are able to withdraw that consent at any time. You should therefore ensure that your consent mechanism has the technical capability to allow users to withdraw their consent with the same ease that they gave it, otherwise it will not be compliant with the UK GDPR’s consent requirements.
You must also provide information about how consent can be withdrawn, and how cookies that have already been set can be removed, eg in your consent mechanism or within your privacy or cookie policies.
The consequences of withdrawing that consent could be made clear, for example, by explaining the impact on the functionality of the website.
How often should we get consent?
You should ensure that any first time visitors to your website are provided with clear information about the cookies you use and are given choices and controls about any non-essential ones.
There are a range of reasons why you may need visitors to ‘reconsent’ to cookie settings. However, depending on the circumstances you may not need to ask for fresh consent each time someone visits. A number of factors will be involved, such as frequency of visits or updates of content or functionality.
An example of where you need to obtain fresh consent is when you are setting non-essential cookies from a new third party. This is because the consent that the user previously gave would apply only to those parties that you specified at the original time. When your service sets cookies from a new third party, you would need to ensure that users consent to this.
Importantly, the clear and comprehensive information you provide in your consent request should not include ambiguous or unclear references to ‘partners’ or ‘third parties’. This would mean that the consent is invalid, as it is not specific and therefore the user is not fully informed.
How should we keep records of user preferences?
Some users will visit your website regularly and others will visit rarely, with a spectrum of others in between.
You therefore need to decide an appropriate interval between when you require users to select their preference (whether that is consent or rejection), and also decide when that preference expires (after which point users are given the option again).
At the same time, PECR isn’t intended to inconvenience or unduly disrupt the experience of your users. You are not expected to repeatedly require your users to specify their preference as a matter of course, whether that results in consent for non-essential cookies or refusal.
These are issues that you will need to determine as the service provider.
Example
A website decides to use a cookie consent mechanism that enables the user to consent, or to reject, non-essential cookies. When users consent to the setting of these cookies, the website records this preference in its own persistent cookie, which is stored on the users’ devices and set to expire at a certain point in the future.
Provided the user visits again before the expiration date, they won’t need to ‘reconsent’ to the cookies, because the site’s preference cookie recognises that they consented previously. On the other hand, if the user visits infrequently then the cookie may expire before their next visit – meaning that they would need to consent again in the future.
The exact interval for the expiration of a persistent cookie is a matter for you to consider, in relation to the circumstances of your online service and what you are seeking user consent for.
Additionally, if you use a third party consent mechanism and this records consents in digital form, you will need to ensure that this data is appropriately protected (and, if personal data is involved, that you have also considered any obligations under the UK GDPR – such as whether the third party is a processor or joint controller).
You should note that many ‘off-the-shelf’ consent mechanisms that use preference cookies may default to a certain expiration period, such as 90 days or so. Whilst using the default may be the simplest option you should nevertheless take the time to determine whether this interval is appropriate for you, and then document your conclusions.
Our guidance on consent gives more specifics about how you should go about recording consent, and how you should go about determining how long you should retain those records for.
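The preference cookie described in the example above, modelled as an added illustration (this is not ICO code, and the cookie name, record layout and 90-day default are assumptions): the record names the third parties the consent covered, expires after a documented interval, is treated as stale when a new third party appears, and can be withdrawn with one call.

```javascript
// Added example, not ICO code: models the preference cookie described above. It
// records the decision and the named third parties it covered, expires after a
// documented interval, and is invalidated when an uncovered party is added.
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
// Build the stored record. ttlDays is the interval you have decided on and
// documented (90 days is a common off-the-shelf default, not a rule).
function buildConsentRecord(decision, parties, now, ttlDays = 90) {
  if (decision !== "accept" && decision !== "reject") {
    throw new Error("decision must be 'accept' or 'reject'");
  }
  for (const p of parties) { // vague 'partners' is not specific, informed consent
    if (/^(partners?|third[ -]part(y|ies))$/i.test(p.trim())) {
      throw new Error(`third party must be named specifically, got '${p}'`);
    }
  }
  return {
    decision,
    parties: [...new Set(parties)].sort(),
    given: now.toISOString(),
    expires: new Date(now.getTime() + ttlDays * 86400000).toISOString(),
  };
}

// Render as a Set-Cookie header. Max-Age makes the preference cookie persistent,
// which can be exempt when users are clearly told why it is set.
function toSetCookie(record, now) {
  const maxAge = Math.floor((Date.parse(record.expires) - now.getTime()) / 1000);
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Must a returning visitor be asked again? "none", "expired", "new-party" (a
// party the original consent did not cover) or "valid" (honour stored decision).
function consentStatus(cookieHeader, currentParties, now) {
  const m = new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`).exec(cookieHeader || "");
  if (!m) return "none";
  let record;
  try { record = JSON.parse(decodeURIComponent(m[1])); } catch { return "none"; }
  if (!(Date.parse(record.expires) > now.getTime())) return "expired";
  const covered = new Set(record.parties);
  if (currentParties.some((p) => !covered.has(p))) return "new-party";
  return "valid";
}
// Withdrawal as easy as consent: one call records 'reject' and expires the
// non-essential cookies this site set itself (cookies set by third-party domains
// can only be cleared by those domains, so explain that in your cookie policy).
function withdrawConsent(record, now, ownNonEssentialCookies) {
  const rejected = buildConsentRecord("reject", record.parties, now);
  const clear = ownNonEssentialCookies.map((name) => `${name}=; Max-Age=0; Path=/`);
  return { record: rejected, headers: [toSetCookie(rejected, now), ...clear] };
}
```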
How long should our cookies last?
This will depend on the purpose of the cookie. However, it is important that you consider cookie duration because this can affect the application of the exemptions in Regulation 6(4).
This also depends on the purpose you use the cookie for – so it is difficult to provide comprehensive guidance for each possible type of cookie. Ultimately, you need to ensure that your use of the cookie is:
- proportionate in relation to your intended outcome; and
- limited to what is necessary to achieve your purpose.
This is likely to lead you towards a determination of the duration.
Example
An online service features user accounts on its website. To ensure that users are who they say they are, the online service uses an authentication cookie to recognise the user.
Once the user has logged out of the service (or closed their browser), the cookie is no longer required and is therefore deleted once this takes place.
In this case there is no reason for the cookie to be persistent.
If you are incorporating tools into your online service that involve cookies, you should check whether these have a default duration. This may be appropriate in relation to the purpose of the cookie, but you should still assess this and change it if appropriate.
As a general rule, the exemptions in PECR are more likely to apply to session cookies – those that last until the user has closed their browser, or just slightly afterwards. This isn’t always the case, however.
There are some clear cases where the duration of a cookie is wholly disproportionate. For example, whilst it may be technically possible to set the duration of a cookie to “31/12/9999” this would not be regarded as proportionate in any circumstances.
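The duration check a cookie audit would apply, as an added example (not ICO code): it classifies each Set-Cookie header as a session or persistent cookie, compares persistent lifetimes against a per-purpose limit you set, and flags the cases above, such as an authentication cookie that has been made persistent or an expiry of "31/12/9999". The header samples and the policy values are constructed for the example.

```javascript
// Added example, not ICO code: an audit check over Set-Cookie headers that
// classifies each cookie as session or persistent and flags lifetimes beyond a
// limit you set per purpose. Header samples below are constructed.
const YEAR_S = 365 * 86400;

// Returns { name, kind: "session"|"persistent", lifetimeSeconds|null }.
// Max-Age takes precedence over Expires, as browsers apply it (RFC 6265 s5.3).
function cookieLifetime(setCookie, now) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let maxAge = null, expires = null;
  for (const a of attrs) {
    const [k, ...rest] = a.split("=");
    const v = rest.join("=");
    if (/^max-age$/i.test(k) && /^-?\d+$/.test(v)) maxAge = Number(v);
    else if (/^expires$/i.test(k)) expires = Date.parse(v);
  }
  if (maxAge !== null) return { name, kind: "persistent", lifetimeSeconds: maxAge };
  if (expires !== null && !Number.isNaN(expires)) {
    return { name, kind: "persistent", lifetimeSeconds: Math.round((expires - now.getTime()) / 1000) };
  }
  return { name, kind: "session", lifetimeSeconds: null };
}

// policy maps cookie name -> maximum acceptable lifetime in seconds (0 = must be
// a session cookie); unknown names get policy.default. Returns a list of findings.
function auditCookies(setCookieHeaders, policy, now) {
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = cookieLifetime(h, now);
    const limit = policy[c.name] ?? policy.default;
    if (c.kind === "session") continue; // within any limit, including 0
    if (limit === 0) findings.push(`${c.name}: should be a session cookie but persists ${c.lifetimeSeconds}s`);
    else if (c.lifetimeSeconds > limit) findings.push(`${c.name}: lifetime ${c.lifetimeSeconds}s exceeds limit ${limit}s`);
  }
  return findings;
}

// Constructed sample: an authentication session cookie, a 90-day preference
// cookie, and a cookie with the disproportionate "31/12/9999" expiry.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "cookie_consent=accept; Max-Age=7776000; Path=/; Secure",
  "tracker=xyz; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/",
];
const SAMPLE_POLICY = { sessionid: 0, cookie_consent: 90 * 86400, default: YEAR_S };
```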