In brief…

You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied, but must be knowingly given.

There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).

The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.

In more detail…

What is a cookie?

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (eg a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.

What do we need to do to comply?

The rules on cookies are in regulation 6. The basic rule is that you must:

  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.

As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals.

What else is covered, apart from cookies?

Although this guide focuses on cookies, regulation 6 actually applies to anyone who stores information on a user’s device or gains access to information on a user’s device, in either case by any method.

This means the same rules apply to any similar technologies – such as Local Shared Objects (sometimes called Flash cookies) – and can also cover other types of technology, including apps on smartphones, tablets, smart TVs or other devices.

These rules also outlaw spyware or any similar covert surveillance software that downloads to a user’s device and tracks their activities without their knowledge.

What information must we give users?

PECR do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes. You must explain the way the cookies (or other similar technologies) work and what you use them for, and the explanation must be clear and easily available. Users must be able to understand the potential consequences of allowing the cookies. You may need to make sure the language and level of detail are appropriate for your intended audience.

This is similar to the transparency requirements of the first data protection principle (privacy notices).

What counts as consent?

To be valid, consent must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If you are relying on implied consent, you need to be confident that your users fully understand that their actions will result in cookies being set. However, in some circumstances (for example, collecting sensitive personal data such as health details) it is likely that explicit opt-in consent is more appropriate.

For more advice on obtaining consent, including the rules on browser settings, see our cookies guidance.

Do we need consent from the subscriber or from the user?

Regulation 6 states that consent should be obtained from the subscriber or user.

In practice you may not be able to tell who is the subscriber and who is a user – which means you may not be able to distinguish between consent provided by the subscriber and by the user. The key will be that valid consent has been provided by one of them.

PECR does not say whose wishes should take precedence if they are different. If there appears to be a conflict – for example, if a subscriber or user previously consented but now the current user of the same device objects – it would seem sensible to rely on the most recent indication. This would mean you always respect the current user’s preferences, even if you cannot be sure of the subscriber’s preferences.

Are there any exemptions?

There is an exemption if:

  • the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

This means you are unlikely to need consent for:

  • cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
  • session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
  • load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.

However, it is still good practice to provide users with information about these cookies, even if you do not need consent.

For further information, see our cookies guidance.

You may also want to refer to the opinion adopted by European data protection authorities in June 2012 (Article 29 Working Party opinion 04/2012), which clarifies that some usage of session-ID cookies, multimedia cookies, and user interface customisation cookies (eg language-preference cookies) is likely to fall within the information society services exemption.

Do the rules still apply if the data is anonymous?

Yes. Although cookies that process personal data give rise to greater privacy and security risks than those that process anonymous data, PECR apply to all cookies.

If your cookie data is not anonymous, note that you will also need to comply with the Data Protection Act. You may actually need to consider whether you could use anonymised data instead, in order to comply with the third data protection principle (which concerns personal data being adequate, relevant and not excessive). This is likely to be particularly relevant where you are not using the data to provide a service to the user – for example, if you are simply counting visitors to a website.

See our separate Guide to data protection for more information on the third principle.

Where can we get more information?

For more detailed information and practical advice on this topic, see our guidance on cookies.

You can find more about the action we are taking on cookies on the Enforcement section of the ICO website.

We have also answered some FAQs in a YouTube video, which summarises how you can comply and the approach the ICO is taking to enforcement. (Playing YouTube videos sets a cookie.)

How do these rules affect apps?

Apps store information on smart devices, and some apps may also access information on the device (eg contacts or photos). App developers should therefore provide clear information to users about what the app does, and exactly how it uses their information, before users click to install the app.

This ties in closely with the requirements of the Data Protection Act. For more information on how to comply, see our separate guidance Privacy in mobile apps.