Guidance on the use of cookies and similar technologies

The Privacy and Electronic Communications Regulations (PECR) cover the use of cookies and similar technologies for storing information, and accessing information stored, on a user's equipment such as a computer or mobile device.

This guidance addresses cookies and similar technologies in detail. Read it if you operate an online service, such as a website or a mobile app, and need a deeper understanding of how PECR applies to your use of cookies.

If you haven’t yet read the Cookies page in the Guide to PECR, you should read that first. It sets out the key points you need to know.

Contents

What are cookies and similar technologies?

• What are ‘cookies’?
• How are cookies used?
• What are ‘session’ and ‘persistent’ cookies?
• What are ‘first party’ and ‘third party’ cookies?
• What are ‘similar technologies’?

What are the rules on cookies and similar technologies?

• What does PECR say about cookies and similar technologies?
• Who are ‘subscribers’ and ‘users’?
• What is ‘terminal equipment’?
• What does ‘clear and comprehensive information’ mean?
• What does ‘consent’ mean?
• Who do we need consent from?
• Are we required to provide information and obtain consent for all cookies?
• What is the ‘communication’ exemption?
• What is the ‘strictly necessary’ exemption?
• What activities are likely to meet the ‘strictly necessary’ exemption?
• Do the rules only apply to websites?
• Do the rules apply to our internal network?

How do the cookie rules relate to the GDPR?

• What is the relationship between PECR and the GDPR?
• What does the GDPR say about cookies?
• How does cookie consent fit with the lawful basis requirements of the GDPR?
• Do the rules apply to the processing of personal data gained via cookies?
• What about the proposed ePrivacy Regulation?

How do we comply with the cookie rules?

• Who is responsible for compliance?
• How do we plan and decide what type of cookies will be used?
• How should we conduct a cookie audit?
• How do we tell people about cookies?
• What if children are likely to access our online service?
• How should we request consent in practice?
• Can we use message boxes and similar techniques
• Can we rely on settings-led consent?
• Can we rely on feature-led consent?
• Can we rely on browser settings and other control mechanisms?
• Can we use ‘terms and conditions’ to gain consent for cookies?
• Can we use ‘cookie walls’?
• Can we pre-enable any non-essential cookies?
• What if we use third-party cookies?
• Are analytics cookies exempt?
• How do the exemptions apply to different types of cookies?
• What if our users change their minds about cookies?
• How often should we get consent?
• How should we keep records of user preferences?
• How long should our cookies last?

What else do we need to consider?

• What if our use of cookies changes?
• What about cookies set on websites that we link to?
• What about cookies set on overseas websites?
• Can public authorities set cookies on their websites?
• What about other devices like mobiles, smart TVs, wearables, and the ‘Internet of Things’?
• What happens if we don’t comply?