How do we comply with the rules?
At a glance
- You must consider storage or access technologies as part of the design and implementation of your service and business practices.
- You must have appropriate arrangements in place with any third parties you are using to provide your service.
- You must provide clear and comprehensive information about the non-essential storage and access technologies you use on your online service.
- You must explain your storage and access technologies in a way that anyone visiting your service can understand.
- There is no valid reason to pre-enable non-essential storage and access technologies.
- PECR does not specify how long you can use any storage and access technologies for. You should consider the appropriate duration in relation to the circumstances of your online service and for the purpose for which you want to use the technology.
- You should undertake regular reviews of your online service, as well as any storage and access technologies it includes.
In detail
- Who is responsible for compliance?
- How do we consider PECR when designing a new online service?
- What do we need to consider if we use someone else’s technologies on our online service?
- How do we tell people about the storage and access technologies we use?
- How do we tell people about storage and access technologies set on websites that we link to?
- Can we pre-enable any non-essential storage and access technologies?
- How long can we store or access information for?
- What is an audit and how can we do one?
Who is responsible for compliance?
PECR says that ‘a person’ must not store, or gain access to information stored, on a subscriber or user’s equipment, unless clear and comprehensive information is provided and consent is obtained.
In most cases, this means that as the service provider, you have the primary responsibility for compliance with PECR. For example, you are the person that makes decisions about:
- what the service is;
- what functions the service will have; and
- what storage and access technologies to use (and for what purposes), including whether your service incorporates third-party features or if you enable third-party storage and access technologies.
How do we consider PECR when designing a new online service?
If you are planning a new online service, you must put appropriate technical and organisational measures in place to implement data protection principles and safeguard individual rights, from the design stage right through the lifecycle of your service.
Under PECR, you must consider storage or access technologies as part of the design and implementation of your service and business practices. This includes:
- what storage and access technologies you want to use;
- which ones meet an exemption (and why); and
- which ones require consent.
If you use third parties in the provision of your service, you must have appropriate arrangements in place. This applies, for example, if you plan to share any information with them or will embed their features in your website or service.
Following a data protection by design approach is particularly important if you intend to provide your service via a mobile app. This is because:
- mobile devices such as smartphones and tablets are likely to have direct access to different sensors and data. For example, the microphone, camera and GPS receiver or wide-ranging personal information like the user’s email accounts and contacts;
- users are likely to have a range of apps downloaded on their device for many different functions, which can involve sharing personal data (including sensitive data). For example, medical or fitness apps, social media apps and banking;
- app developers often make use of third-party SDKs for different purposes. These can introduce new and complex flows of information from the user’s device when using the app, including use by third parties, which may not be obvious from the user interface; and
- mobile devices often have small screens, typically with touch-based interfaces. This can make it more challenging for apps to effectively communicate privacy information with app users (and obtain consent where required).
Similar considerations apply to connected IoT devices.
What do we need to consider if we use someone else’s technologies on our online service?
Other organisations provide a range of storage and access technologies. Your organisation might decide to deploy these on your service rather than trying to develop your own. For example:
- to provide a specific element, function or feature to your service (eg streaming content);
- to secure your service and protect your users (eg security and authentication);
- to help you generate revenue (eg through advertising technology); or
- to enable your users to interact with other services or platforms (eg social media).
As the online service provider, it is your responsibility to understand the technologies you intend to use and ensure you comply with PECR.
Where your use of these technologies involves the processing of personal data, you must also consider the UK GDPR. For example by:
- being clear about which other organisations may be involved in the processing;
- allocating appropriate roles and responsibilities between you and these organisations (eg controllers, processors or joint controllers);
- identifying and mitigating risks to people’s rights and freedoms; and
- ensuring that mechanisms are in place to facilitate individual rights between all parties involved and appropriate actions are taken (eg informing another organisation relying on consent you obtained from a user that they have since withdrawn that consent).
Depending on the circumstances, these other organisations may have their own responsibilities under the UK GDPR. Our data sharing code contains further information on their responsibilities.
How do we tell people about the storage and access technologies we use?
When you request consent, you must provide clear and comprehensive information about the non-essential storage and access technologies you use on your online service.
This information must cover:
- the storage and access technologies you intend to use;
- the purposes for which you intend to use them;
- any third parties who store or access information in the user’s device, or process information stored in, or accessed from, the user’s device, including the purposes for which they will be used; and
- the duration for which any information will be stored, or access to information granted, such as the duration of cookies.
Providing this is part of fulfilling your transparency requirements under data protection law.
You must also explain your storage and access technologies in a way that anyone visiting your service can understand. In particular, this information must be:
- concise;
- transparent;
- intelligible;
- easily accessible; and
- in clear and plain language.
Your methods of providing this information should be as user-friendly as possible.
You must:
- tailor the language to your audience;
- avoid complex or lengthy terminology; and
- ensure that your subscribers and users understand the information you provide.
The information you provide must not include ambiguous or unclear references to ‘partners’ or ‘third parties.’
You must consider how the design of your online service impacts on the visibility of the link to your information. For example, a link at the bottom of a concise webpage which has no content “below the fold” will be much more visible and accessible than a link in the footer of a dense webpage of 10,000 words. In this case, a link in the header would be more appropriate.
Our UK GDPR guidance on “the right to be informed” outlines methods you can use to provide privacy information.
Equally, the type of device used to access your service will impact how you inform users about storage and access technologies. The limited, and sometimes non-existent, physical interfaces on some connected devices can make it challenging to provide the right information. You could consider alternative methods of informing users, such as:
- including clear, simple-to-follow informational materials along with the device;
- ensuring the setup process for the device includes the necessary information and controls;
- if the device uses a companion mobile app, surfacing the information during its installation process; or
- providing privacy dashboards in any associated online account.
How do we tell people about storage and access technologies set on websites that we link to?
For example, if you have a presence on a social media network, you are likely to include a link to it somewhere on your service. When someone clicks this link, they will be taken to your page on the network.
The operator of the social media network is itself providing an online service that uses storage and access technologies. It may use these for its own purposes, or for purposes that both you and it jointly decide.
Although you may not directly control the storage and access technologies set by the platform, you do decide whether or not to:
- have a presence on the network in the first place;
- include links to the network in your service, the specific tracking tools the network provides, or both if appropriate; and
- use the network’s targeting tools and techniques to reach your users when they visit the platform.
Any use of the tools and techniques of these networks for targeting purposes involves personal data processing. This means that if you decide to use them, then both you and the platform are jointly responsible for determining the purpose and means of this processing of personal data.
Your privacy information should include references to any social media presence that you may have, and state that the platform may use storage and access technologies once users visit it, even though these cannot be covered by your service’s own consent mechanism.
You should consider that not everyone who accesses your social media presence via your website will be logged-in users of the social media platform in question. There is no applicable lawful basis other than consent for social media platforms to process information about non-members of their networks through these technologies.
You should provide information about the processing of any personal data within your privacy notice as well as somewhere on your page on the online platform, even if this is simply a link back to that privacy notice.
Example
A website includes a social media plugin. When a visitor to the website uses the plugin, data is collected and transmitted to the social media provider.
The website operator and social media site are joint controllers for the collection and disclosure by transmission of the visitor’s data to the social media provider.
The website operator must:
- provide the visitor with the identity of the social media provider;
- explain the purpose of the processing; and
- obtain consent.
If you have links on your site to other external services which do not relate to your online service (for example, useful references or resources related to the content of your website), you could provide links to their privacy information, or make it clear to your users that you are not responsible for the use of storage and access technologies on that site.
Can we pre-enable any non-essential storage and access technologies?
No. There is no valid reason to pre-enable non-essential storage and access technologies. This is the case even where:
- you think that subscribers and users may be unlikely to agree to them otherwise; or
- you don’t think that the technology is that privacy intrusive.
Unless the technology meets one of the exemptions, you must seek consent before you use storage and access technologies.
Our expectations for good practice are laid out in the ‘our expectations for consent mechanisms’ section.
How long can we store or access information for?
PECR does not specify how long you can use any storage and access technologies for. For example, whether the duration of a cookie should be the length of the session or a different period, like 30 days.
You should consider the appropriate duration in relation to the circumstances of your online service and for the purpose for which you want to use the technology.
Where the technology involves processing of personal data, you must also consider the data protection principles — including purpose limitation and storage limitation.
To help you to determine what is appropriate, you must ensure that the duration is:
- proportionate in relation to your intended outcome; and
- limited to what is necessary to achieve your purpose.
In some instances, you may decide a longer duration is appropriate, such as a persistent cookie which stores user preferences for a period of time (eg 90 days, if that is appropriate in the context of your service and its users).
Some storage and access technologies like cookies may have a default duration. An expiry limit for persistent cookies may be set by the browser, and in some cases users can remove persistent cookies manually.
Alternatively, where you are storing objects in localStorage, there may be no expiry date.
Whatever technology you are using, you should consider:
- what the default is;
- whether this is appropriate; and
- that it is something you can change if necessary. For example, by automatically removing objects in localStorage where appropriate.
In all cases the key is ensuring a proportionate approach in relation to the purpose. For example, whilst it may be technically possible to set the duration of a cookie to “31/12/9999” this would not be regarded as proportionate in any circumstances.
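The following is an added example, not code from the ICO guidance. It shows one way to do what the previous paragraphs describe for localStorage: because localStorage entries never expire on their own, the page records an explicit expiry alongside each value (using the 90-day preference lifetime from the guidance's own illustration as the default) and sweeps stale entries when the page loads. The `pref:` key namespace, the in-memory `MemoryStorage` class (constructed so the code runs outside a browser) and the sample values are all assumptions; in a real page you would pass `window.localStorage`.

```javascript
// Added example (not from the ICO guidance). Minimal Storage-like in-memory
// store, constructed so this runs outside a browser; pass window.localStorage
// in a page instead.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return i < this.map.size ? [...this.map.keys()][i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

const PREFIX = 'pref:';                          // hypothetical namespace for entries this helper manages
const NINETY_DAYS_MS = 90 * 24 * 60 * 60 * 1000; // the preference lifetime used in the guidance's example

// Store a value together with the time at which it must be treated as stale.
// localStorage itself has no expiry, so the expiry lives inside the value.
function setWithExpiry(storage, key, value, ttlMs = NINETY_DAYS_MS, now = Date.now()) {
  storage.setItem(PREFIX + key, JSON.stringify({ value, expires: now + ttlMs }));
}

// Parse a stored entry; anything unreadable or without a numeric expiry is treated as invalid.
function readEntry(raw) {
  try {
    const e = JSON.parse(raw);
    return e && typeof e.expires === 'number' ? e : null;
  } catch {
    return null;
  }
}

// Return the live value, or null once the entry has expired (deleting it on the way out).
function getWithExpiry(storage, key, now = Date.now()) {
  const fullKey = PREFIX + key;
  const raw = storage.getItem(fullKey);
  if (raw === null) return null;
  const entry = readEntry(raw);
  if (!entry || entry.expires <= now) {
    storage.removeItem(fullKey);
    return null;
  }
  return entry.value;
}

// Remove every expired or unreadable entry in the namespace; returns the number removed.
// Intended to run once on page load so stale data does not outlive its purpose.
function sweepExpired(storage, now = Date.now()) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i)); // copy first: removing shifts indices
  let removed = 0;
  for (const fullKey of keys) {
    if (!fullKey.startsWith(PREFIX)) continue;               // leave entries owned by other code alone
    const entry = readEntry(storage.getItem(fullKey));
    if (!entry || entry.expires <= now) {
      storage.removeItem(fullKey);
      removed++;
    }
  }
  return removed;
}
```

Entries are keyed under a prefix so the sweep only touches data this helper wrote; a real deployment would call `sweepExpired(window.localStorage)` at start-up and choose the TTL per purpose, as the guidance asks, rather than one value for everything.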
Example
An online service sets persistent cookies on its website.
The service recognises that the user’s browser may limit the maximum age of a cookie to 400 days. It decides to use the default expiry date for all of its cookies and relies on the user’s browser to adjust the maximum expiry time.
This would not be a proportionate approach, because the service cannot assume that the user’s browser will change the default, and because a 400-day expiry date may not be appropriate for the purpose of the cookies on their service.
What is an audit and how can we do one?
You should undertake regular reviews of your online service, as well as any storage and access technologies it includes.
The frequency of your reviews will depend on:
- the specific storage and access technologies you use;
- the purposes for which you use them; and
- how often you change or update them.
For example, if you make regular changes, your reviews should be more frequent.
You may decide a comprehensive ‘audit’ of your online service is appropriate, for example if the functionality of your website has evolved over time and multiple staff or teams have editing access to the site.
You could take a user’s perspective by visiting your website on a device separate from your network and checking what storage and access technologies are present. You could invite a third party to do this on your behalf.
You should include the following steps in an audit, depending on the nature of your service and how you provide it:
- identify the storage and access technologies your service currently includes, eg by using a combination of browser-based tools or server-side code reviews;
- confirm the purpose(s) of each of the storage or access technologies you are using (and any new ones you intend to use);
- identify any you no longer need and remove them;
- in any mobile app, identify the installed SDKs and their respective data flows;
- determine whether any of the purposes for which you use storage and access technologies meet an exemption (and if so, which one) and any that do not — and take appropriate action;
- confirm whether your storage and access technologies are linked to other information held about your users — such as usernames — and whether using them involves (or will involve) processing personal data;
- identify the data that each technology involves, holds or processes;
- determine the lifespan of any persistent cookies, and justify their duration in relation to the purpose(s) you use them for;
- identify whether any third parties are setting storage or access technologies on your site and if so, who and for what purpose;
- review any automatic categorisation of storage and access technologies and whether this is correct;
- review your consent mechanism and privacy settings to ensure that users can reject the use of any non-essential storage and access technologies as easily as they can accept them;
- review your consent mechanism to ensure that it has the technical capability to allow users to withdraw their consent with the same ease that they gave it;
- review your privacy information to ensure that you provide clear and comprehensive information about each technology you want to use;
- confirm what information you are sharing with third parties and how you explain this to your users; and
- document your findings and follow-up actions, and decide when you will conduct your next audit.
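The following is an added example, not code from the ICO guidance. It illustrates several of the audit steps above at once (identifying the cookies actually set, spotting third-party setters, checking lifespans, and finding entries that are declared but no longer in use), and also the 400-day cookie example from the previous section: it parses Set-Cookie headers as recorded from a browser's developer tools or a proxy and reconciles them against the inventory declared in the privacy information. The site domain `example.org`, the declared inventory, the 400-day limit used as a ceiling, and the observed headers are all constructed for illustration; the third-party test is a simple suffix check, not a full public-suffix comparison.

```javascript
// Added example (not from the ICO guidance). Reconcile observed cookies against
// the declared inventory and report findings for the audit record.
const SITE_DOMAIN = 'example.org';                 // the service's own domain (constructed)
const MAX_AGE_LIMIT_SECONDS = 400 * 24 * 3600;     // the browser cap the guidance mentions, used here as a hard ceiling

// What the privacy information declares: purpose, declared max age in seconds (0 = session), exemption.
const DECLARED_INVENTORY = {
  session_id:  { purpose: 'authentication',  maxAge: 0,             essential: true },
  ui_theme:    { purpose: 'user preference', maxAge: 90 * 24 * 3600, essential: false },
  legacy_flag: { purpose: 'retired A/B test', maxAge: 0,            essential: false },
};

// Constructed Set-Cookie headers, as captured while loading the site from an outside device.
const OBSERVED_SET_COOKIE = [
  'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'ui_theme=dark; Max-Age=7776000; Path=/; Secure; SameSite=Lax',
  'ui_theme=dark; Max-Age=7776000; Path=/; Secure; SameSite=Lax',      // repeated on a second response
  '_adtrk=xyz; Max-Age=63072000; Domain=ads.example-network.test; Path=/; Secure',
  'old_pref=1; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/',         // the "31/12/9999" anti-pattern
];

// Parse one Set-Cookie header into { name, domain, maxAge } with maxAge in seconds (0 = session cookie).
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const name = pair.split('=')[0];
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? '' : a.slice(i + 1).trim();
  }
  let maxAge = 0;
  if (attrs['max-age'] !== undefined) {
    maxAge = Number(attrs['max-age']);             // Max-Age takes precedence over Expires (RFC 6265)
  } else if (attrs['expires'] !== undefined) {
    const t = Date.parse(attrs['expires']);
    if (!Number.isNaN(t)) maxAge = Math.max(0, Math.round((t - now) / 1000));
  }
  const domain = (attrs['domain'] || SITE_DOMAIN).replace(/^\./, '').toLowerCase();
  return { name, domain, maxAge };
}

// Simple suffix check; a production audit would compare registrable domains instead.
function isThirdParty(domain) {
  return domain !== SITE_DOMAIN && !domain.endsWith('.' + SITE_DOMAIN);
}

// Produce a list of { name, issue } findings for the audit record.
function auditCookies(headers, now = Date.now()) {
  const findings = [];
  const seen = new Set();
  for (const h of headers) {
    const c = parseSetCookie(h, now);
    const id = `${c.name}@${c.domain}`;
    if (seen.has(id)) continue;                    // the same cookie set on several responses counts once
    seen.add(id);
    const declared = DECLARED_INVENTORY[c.name];
    if (!declared) findings.push({ name: c.name, issue: 'not declared in privacy information' });
    if (isThirdParty(c.domain)) findings.push({ name: c.name, issue: `set for third-party domain ${c.domain}` });
    if (c.maxAge > MAX_AGE_LIMIT_SECONDS) findings.push({ name: c.name, issue: `max age ${c.maxAge}s exceeds ${MAX_AGE_LIMIT_SECONDS}s ceiling` });
    if (declared && c.maxAge > declared.maxAge) findings.push({ name: c.name, issue: `lives ${c.maxAge}s but ${declared.maxAge}s declared` });
  }
  // Declared but never observed: candidates to remove from the inventory (and the privacy information).
  for (const name of Object.keys(DECLARED_INVENTORY)) {
    if (![...seen].some(id => id.startsWith(name + '@'))) findings.push({ name, issue: 'declared but not observed' });
  }
  return findings;
}

for (const f of auditCookies(OBSERVED_SET_COOKIE)) console.log(`${f.name}: ${f.issue}`);
```

On the constructed input the report flags `_adtrk` three times (undeclared, third-party, over the ceiling), `old_pref` twice (undeclared, far-future expiry), and `legacy_flag` as declared but no longer set; the session and preference cookies match their declarations and produce nothing. Each finding maps to one of the audit steps above and gives the documented follow-up action a concrete starting point.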