What are the requirements of cookie law?

Cookies and similar technologies are a useful and often necessary tool for online businesses, but their use is governed by both the Privacy and Electronic Communications Regulations (PECR) and the GDPR.

13 October 2021

Cookies and similar technologies are a useful and often necessary tool for online businesses. 

Cookies perform functions ranging from those which are necessary to make a website work, such as remembering items added to a shopping basket, to those which improve a user’s experience, such as personalising content.

Use of cookies is governed by both the Privacy and Electronic Communications Regulations (PECR) and the GDPR.  

The rules apply equally to similar cookie-like technologies that store or access information on a user’s device, including GIFs, pixels, scripts and plugins.

What does PECR require?

The rules in PECR only apply to ‘non-essential’ cookies which are not strictly necessary to make a website work.

PECR requires that wherever non-essential cookies are used, website operators must:

  1. provide clear and comprehensive information about cookies used;

  2. get the user’s consent to drop a cookie on their device.

That consent must meet a GDPR standard of consent, meaning that it must be, amongst other things, opt-in, clearly distinguishable (not bundled with other terms), freely given, specific, informed and unambiguous.

Implied or ‘continue to browse’ consent is no longer compliant.

In order to meet those requirements, website operators are usually required to have a cookie banner which pops up on a user first visiting a website, dealing with the consent requirements, and a cookie policy, giving more information about cookies used.

Are there any additional requirements under the GDPR?

Whenever cookies are used to collect and store identifiable information about individuals, the GDPR must also be complied with. 

Cookies will not always process personal data, but there may be circumstances where they do, including by reference to online identifiers or ‘logged in’ credentials.

Key requirements of the GDPR include having a ‘legal basis’ to process personal data for the purpose of the cookie and notifying individuals of its processing activities - usually in the form of a privacy policy.

What’s the risk if I get it wrong on my website?

Cookie compliance is easy for regulators and individuals to monitor – it is easy to see what cookies are used, how consent is obtained and what information is given by simply visiting a website. 

We have seen examples of other regulators (e.g. in Germany) using software which audits multiple websites to determine whether they are complying with the law. 

The government has recently made comments that as part of an overhaul of data protection rules following Brexit, it plans to get rid of ‘endless’ cookie pop-ups.  However, that change isn’t going to happen quickly and, until then, PECR still applies in the UK.  Cross border businesses may also remain subject to EU rules. 

Cookie pop-ups will therefore be around for some time.  In the meantime, website operators may be subject to enforcement action and claims from individuals if they fail to comply.

So, what should I do next?

Website operators should take the following steps:

  1. Audit the cookies used on your website so that you have a clear understanding of the cookies that you are using;

  2. Get opt-in consent for any non-essential cookies before they are deployed on your website;

  3. Give appropriate information about those cookies;

  4. Review your data processing practices to ensure that you are able to comply with all the requirements of GDPR to the extent that those cookies are processing personal data.

Whilst this article is aimed at website operators, the same considerations will apply to the use of cookies and cookie-like technologies on apps. 

We are here to help.  Contact Loren Hodgetts at Browne Jacobson if you would like assistance with your website cookie practices, banners and notices.

Contact

Loren Hodgetts

Associate

loren.hodgetts@brownejacobson.com

+44 (0)115 948 5609
