
UK Regulator updates their guidance on Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.  The law on their use in the United Kingdom is covered under the Privacy and Electronic Communications Regulations (PECR) which sit alongside the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

PECR


History

The PECR are derived from European law (the ‘e-privacy Directive’) and have been amended seven times since their introduction. The more recent changes were made in 2018, to ban cold-calling by claims management services and to introduce director liability for serious breaches of the marketing rules, and in 2019 to ban cold-calling about pension schemes in certain circumstances. The EU is in the process of replacing the e-privacy Directive with a new e-privacy Regulation to sit alongside the GDPR. However, the new Regulation is not yet agreed. For now, PECR continues to apply alongside the GDPR.

Enforcement by the Regulator

The Information Commissioner’s Office (ICO), which regulates the data protection and privacy legislation in the United Kingdom, has several ways of taking action to change the behaviour of anyone who breaches PECR. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner can also serve a monetary penalty notice imposing a fine of up to £500,000, which can be issued against the organisation or its directors. These powers are not mutually exclusive: the ICO states that it will use them in combination where justified by the circumstances.

The ICO’s guide covers the latest version of PECR, which came into effect on 9 January 2019, with some updates to cover changes made by the GDPR from 25 May 2018.

Reminder

PECR are essentially the specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

PECR does not refer to cookies by name, but Regulation 6 states:

  1. a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
  2. The requirements are that the subscriber or user of that terminal equipment:
    1. is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
    2. has given his or her consent.

This means that if you use cookies you must:

  • say what cookies will be set;
  • explain what the cookies will do; and
  • obtain consent to store cookies on devices.

PECR also applies to ‘similar technologies’ like fingerprinting techniques. Therefore, unless an exemption applies, any use of device fingerprinting requires the provision of clear and comprehensive information as well as the consent of the user or subscriber.

New Guidance

The full guide is here, for you to read at your leisure, but we would like to share some of the key definition clarifications and changes with you.

  1. PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.
  2. When you set cookies you must provide the same kind of information to users and subscribers as you would when processing their personal data (and, in some cases, your use of cookies will involve the processing of personal data anyway).

    The information has to cover:

    • the cookies you intend to use; and
    • the purposes for which you intend to use them.

    You must also make it easy for individuals to withdraw their consent at any time.
  3. The simplest way to understand it is that if your cookies require consent under PECR, then you cannot use one of the alternative lawful bases from the GDPR to set them; it has to be consent. If you’re setting cookies, this is why you need to look to PECR first and comply with its specific rules before considering any of the general rules in the GDPR. PECR in this instance takes precedence over the GDPR!
  4. The guidance clarifies what is strictly necessary for the operation of the website, mobile application or web service (‘service(s)’) to function versus non-necessary, and that this test has to be applied from the individual’s perspective, not that of the organisation operating the service(s). Intranets are unlikely to be public electronic communications services, and therefore PECR would not apply in the same way to cookies that are set on an intranet. However, it is important to remember that the requirements of data protection law are still likely to apply if cookies are used for the purposes of monitoring performance at work, for example.

Data Protection Impact Assessment

Reviewing how you operate your online service(s) may require you to conduct a Data Protection Impact Assessment (DPIA) to help you identify and minimise the data protection risks. The ICO has guidance on DPIAs and good practice which you may wish to read up on.

While considering whether to conduct a DPIA, it may be prudent to:

  • Get to know the cookies used by your service(s) by name, function and whether each is strictly necessary or non-necessary.
  • Review and possibly update your Cookie Policy.
  • Review and possibly update the lawful basis of processing stated in your Privacy Policy.
  • Set up the mechanism to record consent.
  • Or consider:
    • stopping or changing the way the non-necessary cookie information is used, especially if you do not actually use the functionality;
    • ways to anonymise the information.

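As an added example that is not part of the original post, the following JavaScript sketches the two pieces the checklist above asks for: a cookie inventory classified as strictly necessary or non-necessary, and a consent record that gates the non-necessary cookies and can be withdrawn at any time. The cookie names, purposes and the in-memory consent store are constructed for illustration and are not any real service’s own.

```javascript
// Constructed inventory: name, purpose shown to the user, and whether the cookie is
// strictly necessary for the service to function from the user's perspective.
const COOKIE_INVENTORY = [
  { name: 'session_id',   purpose: 'keeps you logged in',           strictlyNecessary: true },
  { name: 'cookie_prefs', purpose: 'remembers your consent choice',  strictlyNecessary: true },
  { name: 'analytics_id', purpose: 'measures site usage',            strictlyNecessary: false },
  { name: 'ad_tracker',   purpose: 'cross-site advertising',         strictlyNecessary: false },
];

// Consent record: which purposes the user agreed to and when, so the decision can be
// evidenced later and withdrawn at any time. No consent is the default state.
function createConsentStore() {
  let record = null;
  return {
    grant(purposes, now = new Date()) {
      record = { purposes: new Set(purposes), at: now.toISOString() };
    },
    withdraw() { record = null; },
    consentsTo(purpose) { return record !== null && record.purposes.has(purpose); },
    snapshot() { return record; },
  };
}

// Cookies that may be set right now: strictly necessary ones always, everything
// else only when consent for that cookie's purpose has been recorded.
function allowedCookies(inventory, consent) {
  return inventory
    .filter(c => c.strictlyNecessary || consent.consentsTo(c.purpose))
    .map(c => c.name);
}

// Cookies that must not be set (or must be cleared) under the current record,
// e.g. immediately after a withdrawal.
function cookiesToRemove(inventory, consent) {
  return inventory
    .filter(c => !c.strictlyNecessary && !consent.consentsTo(c.purpose))
    .map(c => c.name);
}

// The "clear and comprehensive information" the banner has to present: each cookie,
// what it does, and whether it needs consent before it is stored.
function consentNotice(inventory) {
  return inventory.map(c => ({
    name: c.name, purpose: c.purpose, requiresConsent: !c.strictlyNecessary,
  }));
}
```

In a real deployment the store would persist the record (for example in the strictly necessary `cookie_prefs` cookie) and the loader would only inject third-party scripts for names returned by `allowedCookies`.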
Closing

No organisation is the same, therefore it is important to read this information in the context of being a data controller and/or data processor, and of your organisation’s own purposes of processing and lawful bases for processing personal data. This post is not definitive legal advice, nor should it be used as such.

The ICO has also produced this very informative flowchart to assist organisations.

During our own evaluation of our service(s), we were pleased to be able to have documented evidence of the cookies set and that they are either strictly-necessary or non-necessary for the operation of our service(s).

We only set the strictly necessary cookies to load when visitors use our service(s). There are options to change individuals’ preferences as they see fit.

Thank you goes to:

Show Me The Cookies

GDPR Cookie Consent

The links above are not affiliate links.
