The Information Commissioners Office (ICO) has updated its guidance on the use of cookies and similar technologies (Guidance), giving further detail on the applicable legal landscape. Cookies are small pieces of information (often in the form of an encrypted text file) which are stored on a user’s device by websites and apps. Cookies collect information about the user and transmit this to the online service provider.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) govern the use of cookies and, where cookies are used in conjunction with the processing of personal data (which is often the case), PECR should also be viewed alongside the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018). The Guidance provides further practical detail in the context of the legal rules (which often lack granularity), focusing on: (i) identifying what constitute cookies and similar technologies; (ii) explaining the applicable rules; (iii) explaining how PECR interacts with the GDPR and DPA 2018; and (iv) identifying how to comply with cookies rules.
General position under PECR with respect to cookies
The Guidance reminds us that (pursuant to PECR) if you use cookies you must: (i) provide clear and comprehensive information about the cookies used (e.g. say what cookies will be set and explain what the cookies will do); and (ii) obtain consent to store cookies on devices.
Clear and comprehensive information
Whilst PECR does not define what constitutes ‘clear and comprehensive information’, the EU legislation from which PECR derives identifies that this information must be provided in accordance with data protection law. In practice therefore, and as the Guidance highlights, in the UK this means that, when setting cookies, users should be given the same kind of information that would be provided when processing their personal data. The Guidance notes that this may include:
- how cookies are used and their purposes;
- if there are any third-party cookies or third-party use of information (where this relates to personal data, third parties should be named);
- retention periods (i.e. cookie expiry dates); and
- information about how users can change their preferences.
Consent
The default position under PECR is that user or subscriber consent is required in order to place or use cookies on the user or subscriber’s device. For the purposes of PECR (and as confirmed by the Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019), ‘consent’ is to be given the same meaning as set out in the GDPR.
The Guidance notes that in respect of cookies, this means that:
- the user must make a clear and positive action to give their consent to non-essential cookies – continuing to use a website does not constitute valid consent;
- users must be clearly informed about what the cookies are and what they do before they consent;
- if third party cookies are used, the third parties must be clearly and specifically named and any explanation given as to what they will do with the information;
- pre-ticked boxes (or equivalents) must not be used for non-essential cookies;
- users must be provided with controls over non-essential cookies, and users should still be allowed to have access to the website or app if they do not consent to these cookies; and
- non-essential cookies must not be placed on landing pages.
Exemptions from information and consent requirements
PECR provides for exemptions from the information and consent requirements for certain types of cookie (broadly, cookies used solely for communications purposes and which are ‘strictly necessary’), and the Guidance gives some useful examples of each category of exempt cookie, including setting out a list of the types of activity which are likely to be considered ‘strictly necessary’.
Relationship between PECR, DPA 2018 and GDPR
The Guidance explores the link between PECR, the DPA 2018 and GDPR, and notes that, where the rules set out in PECR apply then they will take precedence over the DPA 2018 and GDPR. In summary, the Guidance considers the following to be the easiest way to look at this:
- if your online service stores information, or accesses information stored, on user devices then you should ensure that you comply with PECR first, including the requirements to provide information and obtain consent; and
- the GDPR applies to any processing of personal data outside of this storage or access.
The distinction and overlap between the different sets of rules is an important one and, as the Guidance further highlights, particularly raises its head in the context of the lawful basis requirements of the GDPR. As the Guidance notes, if user consent is obtained in the context of setting cookies and that user’s personal data is also processed, then consent is likely also to be the most appropriate lawful basis for processing that user’s personal data under the GDPR. This is because other lawful bases may conflict with consent, potentially confusing users as to which applies and when.
Conclusion
The Guidance provides useful additional content for those wishing to set cookies on websites or apps and attempts to provide colour on an area of law which often struggles to keep pace with technological development. The ICO has confirmed that the rules on cookies are likely to be a greater focus for the ICO moving forward and organisations may wish to consider their own compliance in this area. In addition, online service providers should be aware that a new e-privacy Regulation remains under development and is likely to significantly modernise the current law.
Charles Maurice