What are the rules on cookies and similar technologies?
In detail
- What does PECR say about cookies and similar technologies?
- Who are ‘subscribers’ and ‘users’?
- What is ‘terminal equipment’?
- What does ‘clear and comprehensive information’ mean?
- What does ‘consent’ mean?
- From whom do we need consent?
- Are we required to provide clear information and obtain consent for all cookies?
- What is the ‘communication’ exemption?
- What is the ‘strictly necessary’ exemption?
- What activities are likely to meet the ‘strictly necessary’ exemption?
- Do the rules only apply to websites?
- Do the rules apply to our internal network?
What does PECR say about cookies and similar technologies?
PECR does not refer to cookies by name, but Regulation 6 states:
(1) … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
This means that if you use cookies you must:
- say what cookies will be set;
- explain what the cookies will do; and
- obtain consent to store cookies on devices.
PECR also applies to ‘similar technologies’ like fingerprinting techniques. Therefore, unless an exemption applies, any use of device fingerprinting requires the provision of clear and comprehensive information as well as the consent of the user or subscriber.
Who are ‘subscribers’ and ‘users’?
The cookie rules apply to the ‘terminal equipment’ of the ‘subscriber or user’. The ‘subscriber’ means the person who pays the bill for the use of the line. The ‘user’ is the person using the computer or other device to access an online service.
In many cases the subscriber and the user may be the same, for example when an individual uses their broadband connection to access a website on their computer or mobile device – that person would be the ‘user’ as well as the ‘subscriber’ if they pay for the connection.
However, this is not always the case. For example, if a family member visits that subscriber’s home and uses the internet connection to access your service from their own device, they would be the user.
What is ‘terminal equipment’?
This refers to the device a cookie is placed on – typically a computer or mobile device, but also other equipment such as wearable technology, smart TVs, and connected devices including the ‘Internet of Things’.
What does ‘clear and comprehensive information’ mean?
PECR does not define what ‘clear and comprehensive information’ means. However, Article 5(3) of the ePrivacy Directive says that clear and comprehensive information should be provided ‘in accordance with’ data protection law.
This relates to the UK GDPR’s transparency requirements and the right to be informed. It means that when you set cookies you must provide the same kind of information to users and subscribers as you would do when processing their personal data (and, in some cases, your use of cookies will involve the processing of personal data anyway).
The information has to cover:
- the cookies you intend to use;
- the purposes for which you intend to use them;
- any third parties who may also process information stored in or accessed from the user’s device; and
- the duration of any cookies you wish to set.
These requirements also apply to cookies set by any third parties whose technologies your online service incorporates – this would include cookies, pixels and web beacons, JavaScript and any other means of storing or accessing information on the device including those from other services such as online advertising networks or social media platforms.
The recitals of the ePrivacy Directive further clarify that:
- you must make users aware of the cookies being placed on their devices; and
- your methods of providing this information, and the capability for users to refuse, are to be as user-friendly as possible.
Although providing information about cookies maps onto the transparency requirements of data protection law, levels of user understanding differ. If you use cookies you need to make a particular effort to explain what they do in a way that all users will understand.
A long table or detailed list of every cookie operating on the site is one form of information your users may want to consult. Because some sites use tens or even hundreds of cookies, it is also helpful to give a broader explanation of how cookies work and of the categories in use. For example, describing the kinds of things you use analytics cookies for is more likely to satisfy the requirements than a bare list of cookie names with a one-line reference to each one’s function.
What does ‘consent’ mean?
PECR requires that users or subscribers consent to cookies being placed or used on their device. There is no definition of consent given in PECR or in the ePrivacy Directive; instead, the UK GDPR definition of consent applies. This is in Article 4(11) of the UK GDPR and states:
"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 clarifies that, for PECR:
"‘consent' by a user or subscriber corresponds to the data subject’s consent in the GDPR (as defined in section 3(10) of the Data Protection Act 2018)."
Article 7 of the UK GDPR provides further specifics about consent requirements, saying that:
- you must be able to demonstrate that you have valid consent;
- your consent requests must be ‘clearly distinguishable from other matters’ – ie, they must not be bundled as part of terms and conditions;
- your consent requests must be in an intelligible and easily accessible form, using clear and plain language; and
- your consent mechanism must allow the individual to withdraw their consent at any time.
Recital 32 of the UK GDPR also specifically bans pre-ticked boxes – silence or inactivity does not constitute consent.
In respect of cookies, this means that:
- the user must take a clear and positive action to give their consent to non-essential cookies – continuing to use your website does not constitute valid consent;
- you must clearly inform users about what your cookies are and what they do before they consent to them being set;
- if you use any third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information;
- you cannot use any pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
- you must provide users with controls over any non-essential cookies, and still allow users access to your website if they don’t consent to these cookies; and
- you must ensure that any non-essential cookies are not placed on your landing page (and similarly that any non-essential scripts or other technologies do not run until the user has given their consent).
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
The EDPB has published Guidelines 05/2020 on consent.
While these guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, they may still provide helpful guidance.
From whom do we need consent?
PECR states that consent for a cookie should be obtained from the subscriber or user.
In practice, you may not be able to distinguish between consent provided by the subscriber or the user. The key issue is that one of the parties must provide valid consent.
PECR does not specify whose wishes take precedence if the user and the subscriber have different preferences about the setting of cookies. Other references in PECR to a subscriber’s ability to make decisions in this area, such as around browser settings, suggest the subscriber’s preferences generally take priority, although this will not always be the case.
Example
An employer (the subscriber) provides an employee (the user) with a device at work, along with access to certain services to carry out a particular task. Completing the task effectively depends on using a service that uses cookies, and a device that accepts them.
In this case it is reasonable for the employer’s wishes to take precedence.
There are other sections of PECR, concerning browser settings, where the subscriber clearly has the ability to make a decision on behalf of any user. However, there will also be circumstances where a user’s wishes should take precedence.
In a domestic context there will usually be one subscriber (the person in the household paying the bill) and potentially several other users. If a user complained that your website was setting cookies without their consent you could demonstrate compliance with PECR if you could show that consent had previously been obtained from the subscriber.
In practice, the key to resolving problems is to ensure information about cookies and mechanisms for making choices are as easily accessible as possible to all users.
Are we required to provide information and obtain consent for all cookies?
No – PECR has two exemptions to the cookie rules. Regulation 6(4) states that:
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
These are known as the ‘communication’ exemption and the ‘strictly necessary’ exemption.
What is the ‘communication’ exemption?
The communication exemption is about the transmission of a communication over an electronic communications network. For a ‘communication’ to take place over a network between two parties, three elements are considered necessary:
- the ability to route information over a network, by identifying the communication ‘endpoints’ – devices that accept communications across that network;
- the ability to exchange data items in their intended order; and
- the ability to detect transmission errors or data loss.
The communication exemption therefore includes cookies that fulfil one (or more) of these properties, but only for the sole purpose of the transmission.
So, for the exemption to apply, the transmission of the communication must be impossible without the use of the cookie. Simply using a cookie to assist the communication is insufficient for the exemption to apply.
What is the ‘strictly necessary’ exemption?
This exemption applies for ‘information society services’ (ISS) – ie, a service delivered over the internet, such as a website or an app. If you are running an online service it is likely that you are operating an ISS.
The ‘strictly necessary’ exemption means that storage of (or access to) information should be essential, rather than reasonably necessary. It is also restricted to what is essential to provide the service requested by the user. It does not cover what might be essential for any other uses that you might wish to make of that data. It is therefore clear that the strictly necessary exemption has a narrow application.
‘Strictly necessary’ also includes what is required to comply with any other legislation that applies to you, for example, the security requirements of data protection law.
Where the setting of a cookie is deemed ‘important’ rather than ‘strictly necessary’, you are still obliged to provide information about the storage or access to the user or subscriber and obtain consent.
Example
A user visits an e-commerce website and decides to purchase a product. They add it to their shopping basket before continuing browsing for more goods they wish to buy. They then finish their shopping by going through the website’s checkout process.
The website uses cookies to ensure that when the user chooses the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page.
In this context, the cookie is ‘strictly necessary’ to provide the service the user requests and so the exemption would apply and no consent would be required.
Although the exemption applies to both the provision of information and the gaining of consent, it is good practice to continue to provide clear information about all cookies including those that are strictly necessary, and if personal data is involved then you will be required to do this under the fairness and transparency requirements of data protection law.
It is important to remember that what is ‘strictly necessary’ should be assessed from the point of view of the user or subscriber, not your own. So, for example, whilst you might regard advertising cookies as ‘strictly necessary’ because they bring in revenue that funds your service, they are not ‘strictly necessary’ from the user or subscriber’s perspective.
What activities are likely to meet the ‘strictly necessary’ exemption?
Activities likely to fall within the ‘strictly necessary’ exemption include those that relate to the specific functionality of your service – ie, without them, the user would be unable to undertake certain activities. Cookies that don’t relate to what is strictly necessary would need consent.
Common examples include:
| Activity | Likely to meet the ‘strictly necessary’ exemption? |
|---|---|
| A cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket | ✓ |
| Cookies that are essential to comply with the UK GDPR’s security principle for an activity the user has requested, for example in connection with online banking services | ✓ |
| Cookies that help ensure the content of a page loads quickly and effectively by distributing the workload across numerous servers (‘load balancing’, typically implemented by a reverse proxy) | ✓ |
| Cookies used for analytics purposes, eg to count the number of unique visits to a website | ✗ |
| First and third-party advertising cookies (including those used for operational purposes related to third-party advertising, such as click fraud detection, research, product improvement, etc.) | ✗ |
| Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored | ✗ |
Also, if you say a cookie is strictly necessary because it fulfils a purpose, such as security, you must ensure that your use is only for that purpose. If you use any information for secondary purposes, the cookie would not be regarded as strictly necessary and you would then need consent.
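The two operational requirements above (non-essential cookies and scripts must not run on the landing page before an affirmative action, and each cookie must be classifiable as strictly necessary or not) can be checked mechanically. The following is an added example and not ICO guidance or any site’s real code: it keeps a hypothetical cookie registry, derives the consent state from what the user actually did on a banner (closing or scrolling gives nothing; toggles default to off), audits the `Set-Cookie` headers on a constructed landing-page response against that state, and decides which script tags may be injected. Registry entries, cookie names, script URLs and headers are all constructed for illustration; a real site would maintain its own registry. It runs in Node without a browser.

```javascript
// Added example, not ICO guidance or any site's real code: pre-consent cookie audit
// and consent-gated script loading. All names, headers and URLs are constructed.

// Hypothetical registry: the category of each cookie and the purpose you disclose for it.
// Only 'strictly-necessary' cookies may be stored before the user acts (Regulation 6(4)(b)).
const COOKIE_REGISTRY = [
  { pattern: /^session_id$/, category: 'strictly-necessary', purpose: 'login session' },
  { pattern: /^basket$/,     category: 'strictly-necessary', purpose: 'shopping basket' },
  { pattern: /^csrf_token$/, category: 'strictly-necessary', purpose: 'CSRF protection (security)' },
  { pattern: /^SRV$/,        category: 'strictly-necessary', purpose: 'load balancer affinity' },
  { pattern: /^_ga(_|$)/,    category: 'analytics',       purpose: 'unique visit counting', thirdParty: 'analytics vendor' },
  { pattern: /^_adid$/,      category: 'advertising',     purpose: 'ad attribution',        thirdParty: 'ad network' },
  { pattern: /^greeting$/,   category: 'personalisation', purpose: 'tailored greeting on return' },
];
const NON_ESSENTIAL = ['analytics', 'advertising', 'personalisation'];

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const [k, v] = part.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, value, attrs };
}

// Look a cookie up in the registry. Anything unregistered is 'unknown': you cannot
// show it is strictly necessary, so it is treated as a violation before consent.
function classify(name) {
  return COOKIE_REGISTRY.find((e) => e.pattern.test(name))
    || { category: 'unknown', purpose: 'not in registry' };
}

// Derive the consent state from the user's actual banner action. Only 'accept-all'
// or 'save' count as a clear affirmative action; 'dismiss', scrolling or continuing
// to browse yield no consent, and toggles default to off (no pre-ticked boxes).
function consentFromBannerAction(action, toggles = {}) {
  if (action === 'accept-all') return new Set(NON_ESSENTIAL);
  if (action === 'save') return new Set(NON_ESSENTIAL.filter((c) => toggles[c] === true));
  return new Set();
}

// Audit the Set-Cookie headers a response carries against the consent state.
// Returns one entry per cookie that should not have been set.
function auditSetCookies(headers, consent) {
  const violations = [];
  for (const h of headers) {
    const { name, attrs } = parseSetCookie(h);
    if (attrs['max-age'] === '0') continue; // a deletion, not storage of new information
    const entry = classify(name);
    if (entry.category === 'strictly-necessary') continue;
    if (entry.category === 'unknown') {
      violations.push({ name, reason: 'unregistered cookie; cannot be shown to be strictly necessary' });
    } else if (!consent.has(entry.category)) {
      const who = entry.thirdParty ? ` (third party: ${entry.thirdParty})` : '';
      violations.push({ name, reason: `${entry.category} cookie set before consent${who}` });
    }
  }
  return violations;
}

// Decide which script tags the page may inject for this consent state.
function permittedScripts(scripts, consent) {
  return scripts
    .filter((s) => s.category === 'strictly-necessary' || consent.has(s.category))
    .map((s) => s.src);
}

// Constructed sample: Set-Cookie headers on a landing-page response, and the tags
// a tag manager would otherwise load unconditionally.
const LANDING_PAGE_SET_COOKIES = [
  'session_id=9f3c2a; Path=/; Secure; HttpOnly; SameSite=Lax',
  'old_promo=; Path=/; Max-Age=0',                    // deletion of a legacy cookie
  '_ga=GA1.2.1234.5678; Path=/; Max-Age=63072000',    // analytics, 2 years
  '_adid=a1b2c3; Path=/; Max-Age=7776000',            // advertising, 90 days
  'exp_variant=B; Path=/',                            // not in the registry
];
const SCRIPTS = [
  { src: '/static/app.js', category: 'strictly-necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
];

function runAudit() {
  const noConsent = consentFromBannerAction('dismiss');
  const analyticsOnly = consentFromBannerAction('save', { analytics: true });
  return {
    beforeConsent: auditSetCookies(LANDING_PAGE_SET_COOKIES, noConsent).map((v) => v.name),
    afterAnalyticsConsent: auditSetCookies(LANDING_PAGE_SET_COOKIES, analyticsOnly).map((v) => v.name),
    scriptsBeforeConsent: permittedScripts(SCRIPTS, noConsent),
  };
}

console.log(runAudit());
```

Before any banner action the audit flags `_ga`, `_adid` and the unregistered `exp_variant`, and only the first-party application script is permitted; after the user saves a preference with only analytics switched on, `_adid` and `exp_variant` remain violations. The same check can be run over the headers captured from a real first response (for example from a headless browser with a fresh profile) to confirm that a landing page is clean before consent.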
For more information about how the exemptions work for different types of cookies, read the section ‘How do we comply with the cookie rules’.
Further reading – European Data Protection Board
For more information about the types of cookies and how they align with the two exemptions, read the Article 29 Working Party’s ‘Opinion 04/2012 on cookie consent exemption’ and ‘Opinion 09/2014 on device fingerprinting’.
You should note that while these guidelines are no longer directly relevant to the UK regime, they may still provide helpful guidance, particularly as their content relates to the cookie rules in PECR.
Do the rules only apply to websites?
No. The use of cookies and similar technologies is not limited to traditional websites and web browsers. The rules in PECR apply to any technique that stores information, or accesses information stored, in the terminal equipment of the subscriber or user.
For example, mobile apps commonly communicate with websites and web services that can set cookies, and PECR covers these too. Mobile apps may also be built with embedded SDKs or other frameworks, which can store information, or access information stored, on the device for various purposes.
Ultimately, whether you run a website, a mobile app, or any other kind of service, you are responsible for understanding the behaviour of any software components that may store information, or access information stored, in a user’s device. This is particularly important where you are incorporating someone else’s software component, eg third party code.
Do the rules apply to our internal network?
The rules do not apply in the same way to intranets. An intranet is unlikely to be a public electronic communications service, and therefore PECR would not apply in the same way to cookies that are set on an intranet. However, it is important to remember that the requirements of data protection law are still likely to apply if the usage of cookies is for the purposes of monitoring performance at work, for example.
Wherever you collect personal data using cookies then the requirements of data protection law will also apply.