In detail

What is the relationship between PECR and the GDPR?

PECR sits alongside the Data Protection Act 2018 (DPA) and the GDPR, and provides specific rules in relation to privacy and electronic communications. Where these rules apply, they take precedence over the DPA and the GDPR. This is important, because if you are setting cookies you need to consider PECR compliance first before you look to the GDPR.

Additionally, PECR depends on data protection law for some of its definitions. For example, as the previous section states, PECR takes the GDPR’s standard of consent. The GDPR also talks about cookies within the definition of personal data.

Essentially, if you are operating an online service, then the easiest way to look at the two laws is:

  • if your online service stores information, or accesses information stored, on user devices then you should ensure that you comply with PECR first, including the requirements to provide information and obtain consent; and
  • the GDPR applies to any processing of personal data outside of this storage or access.

Regulation 4 of PECR is also clear about the relationship with data protection law:

‘Nothing in these Regulations shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data.’

Although PECR does not just apply where personal data is being processed, activities involving the processing of personal data generally have greater privacy and security implications.

Where the setting of a cookie does involve the processing of personal data, you will also need to make sure you comply with the additional requirements of the GDPR.

What does the GDPR say about cookies?

The GDPR classes cookie identifiers as a type of ‘online identifier’, meaning that in certain circumstances these will be personal data. For example, a user authentication cookie would involve processing of personal data, as it is used to enable the user to log in to their account at an online service.

Article 4(1) of the GDPR defines personal data as:

‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’

Recital 30 provides further information on the term ‘online identifier’:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

It is important to note that cookies may not always be classed as personal data. However, PECR applies whether or not the storage of or access to information on user devices involves processing personal data.

‘Online identifiers’ can also include (but are not limited to) things like:

  • MAC addresses;
  • advertising IDs;
  • pixel tags;
  • account handles; and
  • device fingerprints.

The use of these could leave traces which, when combined with unique identifiers and other information, could be used to create profiles of individuals and identify them.

When assessing if an individual is identifiable, you must consider whether online identifiers, on their own or in combination with other information that may be available to those processing the data, may be used to distinguish one user from another.

For example, this is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed. Identification may be as a named individual or simply as a unique user of electronic communications and other internet services who can be distinguished from other users.

You should be aware that whilst a single information element may not be personal data on its own, the combination of multiple elements makes it more likely that the information will constitute personal data. This is particularly the case when the information enables you to single out, make inferences or take specific actions in relation to users (such as identifying them over time or across multiple devices and websites, even if you don't know the name of those users). Where this is the case, your processing must comply with the GDPR.

When considering alternatives to cookies it is also important to look at the broader privacy context. Even where the cookie rules do not apply, you may need to comply with the GDPR. For example, if information is collected that builds up a picture allowing an individual to be identified, those individuals need to be told what information is being collected, as well as how and why.

Further reading – ICO guidance

For more information, read our guidance on 'What is personal data?' and the right to be informed in the Guide to the GDPR.

Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

In 2014, WP29 produced guidance on device fingerprinting and the ePrivacy Directive in Opinion 9/2014. This provides more information about how PECR applies in this context, and also outlines the data protection risks related to device fingerprinting. This guidance remains applicable as it relates to the ePrivacy Directive.

How does cookie consent fit with the lawful basis requirements of the GDPR?

To process personal data, you must have a lawful basis. The GDPR has six lawful bases, of which one is consent. No lawful basis is more important than any other – the appropriate one depends on the specifics of your processing.

However, PECR requirements are separate from, and different to, those of the GDPR. Guidance produced by European data protection authorities on how the ePrivacy Directive relates to the GDPR clarifies that, if consent is required under the cookie rules:

"the controller cannot rely on the full range of possible lawful grounds provided by article 6 of the GDPR".

The simplest way to understand it is that if your cookies require consent under PECR, then you cannot use one of the alternative lawful bases from the GDPR to set them. If you’re setting cookies, this is why you need to look to PECR first and comply with its specific rules, before considering any of the general rules in the GDPR.

If the cookies you set aren’t exempt from Regulation 6, then you can only use consent – and this must be of the GDPR standard. This is also the case whether or not personal data is involved. If you have obtained consent in compliance with PECR, then in practice consent is also the most appropriate lawful basis under the GDPR. Trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users.

If your cookie meets one of the exemptions, then the requirement to have consent to set it doesn’t apply – essentially, the technical process of storing or accessing information on the device falls out of PECR and, where personal data is involved, the GDPR then applies.

Figure 1 below demonstrates where consent applies for cookies.

Use our tool to determine where consent applies for your use of cookies.

Further reading – European Data Protection Board

The EDPB has published ‘Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR’. This provides useful information about how the cookie rules relate to the GDPR.

Do the rules apply to the processing of personal data gained via cookies?

PECR has rules for the storing of information, or accessing information stored, on user devices. It does not contain any specific rule for prior or subsequent processing operations involving this information.

So, where personal data is involved, it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies. However, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing that data with third parties.

For example, you should also be aware that European data protection authorities, including the ICO, have previously stated that, in certain cases, the processing of personal data that follows (or depends on) the setting of cookies is highly likely to require consent as its lawful basis.

This is not just because the personal data originates from the use of cookies, but also because of the nature, scope, context and purpose(s) of the processing operations themselves.

Analysing or predicting preferences or behaviour

In guidance about purpose limitation published in 2013, the European DPAs discussed situations such as analysing or predicting the personal preferences, behaviour and attitudes of individual users, with this subsequently informing measures or decisions taken about them, saying that:

  • ‘In these cases, free, specific, informed and unambiguous “opt-in” consent would almost always be required, otherwise further use cannot be considered compatible.’

You should note that what is termed ‘free, specific, informed and unambiguous “opt-in” consent’ in this guidance essentially equates to the current GDPR standard of consent.

Tracking and profiling for direct marketing and advertising

The same guidance also discussed when consent was required for certain purposes, saying:

  • ‘Importantly, such consent should be required, for example, for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research.’

The European DPAs also discussed profiling and targeted advertising in guidance produced about legitimate interests in 2014, saying that:

  • ‘Instead of merely offering the possibility to opt out of this type of profiling and targeted advertisement, an informed consent would be necessary, pursuant to Article 7(a) but also under Article 5(3) of the ePrivacy Directive. As a consequence, [legitimate interests] should not be relied on as a legal ground for the processing.’

This means, in most circumstances, legitimate interests is not considered to be an appropriate lawful basis for the processing of personal data in connection with profiling and targeted advertising.

Consent will be required under PECR for the use of cookies in these circumstances, and in practice, consent is therefore the most applicable lawful basis for any subsequent processing of personal data for the purposes described.

Further reading – European Data Protection Board

The EDPB has published ‘Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR’. This provides useful information about how the cookie rules relate to the GDPR and re-states the positions previously taken by WP29 about when consent should be required for certain processing operations beyond the setting of cookies.

WP29 previously published 'Opinion 3/2013 on purpose limitation’ and 'Opinion 6/2014 on the notion of legitimate interests’. Although this guidance was produced under the previous data protection framework, much of it applies under the GDPR.

What about the proposed ePrivacy Regulation?

The ePrivacy Regulation (ePR) is a piece of European legislation that is currently under development. When finalised, it will replace the ePrivacy Directive on which PECR is based. It has the same intent of providing specific rules for privacy and electronic communications, but aims to update and modernise these in the same way the GDPR has for data protection.

This means that these ‘cookie rules’ will be modernised and updated in the future. However, the ePR is not yet finished. As such, we cannot provide any specific guidance on what the cookie rules may be in the future.

You should however note that until the ePR is agreed and comes into force, PECR continues to apply in full, alongside the GDPR.