What are the requirements of cookie law
Cookies and similar technologies are a useful and often necessary tool for online businesses, but their use is governed by both the Privacy and Electronic Communications Regulations (PECR) and the GDPR.
Cookies and similar technologies are a useful and often necessary tool for online businesses.
Cookies perform functions ranging from those which are necessary to make a website work, such as remembering items added to a shopping basket, to those which improve a user’s experience, such as personalising content.
Use of cookies is governed by both the Privacy and Electronic Communications Regulations (PECR) and the GDPR.
The rules apply equally to similar cookie-like technologies that store or access information on a user’s device, including GIFs, pixels, scripts and plugins.
What does PECR require?
The rules in PECR only apply to ‘non-essential’ cookies which are not strictly necessary to make a website work.
PECR requires that wherever non-essential cookies are used, website operators must:
- provide clear and comprehensive information about cookies used;
- get the user’s consent to drop a cookie on their device.
That consent must meet the GDPR standard of consent, meaning that it must be, amongst other things, opt-in, clearly distinguishable (not bundled with other terms), freely given, specific, informed and unambiguous.
Implied or ‘continue to browse’ consent is no longer compliant.
In order to meet those requirements, website operators usually need a cookie banner, shown when a user first visits the website, that deals with the consent requirements, and a cookie policy giving more information about the cookies used.
Are there any additional requirements under the GDPR?
Whenever cookies are used to collect and store identifiable information about individuals, the GDPR must also be complied with.
Cookies will not always process personal data, but there are circumstances where they do, including by reference to online identifiers or ‘logged in’ credentials.
Key requirements of the GDPR include having a ‘legal basis’ to process personal data for the purpose of the cookie and notifying individuals of its processing activities - usually in the form of a privacy policy.
What’s the risk if I get it wrong on my website?
Cookie compliance is easy for regulators and individuals to monitor: simply visiting a website reveals which cookies are used, how consent is obtained and what information is given.
We have seen examples of other regulators (e.g. in Germany) using software which audits multiple websites to determine whether they are complying with the law.
The government has recently made comments that as part of an overhaul of data protection rules following Brexit, it plans to get rid of ‘endless’ cookie pop-ups. However, that change isn’t going to happen quickly and, until then, PECR still applies in the UK. Cross border businesses may also remain subject to EU rules.
Cookie pop-ups will therefore be around for some time. In the meantime, website operators may be subject to enforcement action and claims from individuals if they fail to comply.
So, what should I do next?
Website operators should take the following steps:
- Audit the cookies used on your website so that you have a clear understanding of the cookies that you are using;
- Get opt-in consent for any non-essential cookies before they are deployed on your website;
- Give appropriate information about those cookies;
- Review your data processing practices to ensure that you are able to comply with all the requirements of GDPR to the extent that those cookies are processing personal data.
Whilst this article is aimed at website operators, the same considerations will apply to the use of cookies and cookie-like technologies on apps.
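As an added example that is not part of the article or the firm's own material, the following JavaScript shows the three technical steps above in working form: a catalogue produced by the cookie audit, an opt-in gate that refuses to set a non-essential cookie until the user has positively consented to its category, and an audit that checks Set-Cookie headers recorded on a first, consent-free visit. The cookie names, categories and sample headers are constructed for illustration.

```javascript
// Added example (not from the article): opt-in consent gate plus a
// pre-consent cookie audit, written to run in plain Node. All names are constructed.

// Step 1: the operator's own catalogue of every cookie the site sets.
const CATALOGUE = {
  session_id: { category: "necessary", purpose: "keeps the user logged in" },
  basket: { category: "necessary", purpose: "remembers basket items" },
  cookie_consent: { category: "necessary", purpose: "records the consent choice" },
  _ga: { category: "analytics", purpose: "usage statistics" },
  ad_profile: { category: "advertising", purpose: "personalised adverts" },
};

// Step 2: opt-in gate. A cookie may be set only if it is strictly necessary
// or the user has positively opted in to its category; unknown names are refused.
function maySet(name, consent = {}, catalogue = CATALOGUE) {
  const entry = catalogue[name];
  if (!entry) return false;
  return entry.category === "necessary" || consent[entry.category] === true;
}

// Parse a Set-Cookie header into its cookie name and lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0].trim();
  const attrs = Object.fromEntries(
    rest.map((p) => { const [k, v] = p.split("="); return [k.toLowerCase(), v ?? true]; })
  );
  return { name, attrs };
}

// Step 3: audit. Given headers recorded on a first visit, before any consent
// choice (consent = {}), return every cookie that should not have been set.
function auditPreConsent(headers, catalogue = CATALOGUE) {
  return headers
    .map((h) => parseSetCookie(h))
    .filter(({ name }) => !maySet(name, {}, catalogue))
    .map(({ name, attrs }) => ({
      name,
      reason: catalogue[name] ? `${catalogue[name].category} cookie set before opt-in` : "undocumented cookie",
      maxAge: attrs["max-age"] ?? "session",
    }));
}

// Constructed sample of what a crawler might record on a consent-free visit.
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.2.111; Path=/; Max-Age=63072000",
  "ad_profile=seg42; Path=/; Max-Age=31536000",
  "tracker_x=1; Path=/",
];
```

Running `auditPreConsent(SAMPLE_HEADERS)` flags the analytics and advertising cookies as set before opt-in and the undocumented `tracker_x`, which is exactly the kind of finding an automated regulator audit would surface.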
We are here to help. Contact Loren Hodgetts at Browne Jacobson if you would like assistance with your website cookie practices, banners and notices.