General position under PECR with respect to cookies
Clear and comprehensive information
Whilst PECR does not define what constitutes ‘clear and comprehensive information’, the EU legislation from which PECR derives identifies that this information must be provided in accordance with data protection law. In practice therefore, and as the Guidance highlights, in the UK this means that, when setting cookies, users should be given the same kind of information that would be provided when processing their personal data. The Guidance notes that this may include:
- how cookies are used and their purposes;
- if there are any third-party cookies or third-party use of information (where this relates to personal data, third parties should be named);
- retention periods (i.e. cookie expiry dates); and
- information about how users can change their preferences.
The Guidance notes that in respect of cookies, this means that:
- the user must make a clear and positive action to give their consent to non-essential cookies – continuing to use a website does not constitute valid consent;
- users must be clearly informed about what the cookies are and what they do before they consent;
- if third-party cookies are used, the third parties must be clearly and specifically named and an explanation given of what they will do with the information;
- pre-ticked boxes (or equivalents) must not be used for non-essential cookies;
- users must be provided with controls over non-essential cookies, and users should still be allowed to have access to the website or app if they do not consent to these cookies; and
- non-essential cookies must not be placed on landing pages.
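The list above translates directly into implementation checks: non-essential cookies are written only after a recorded, explicit choice; option boxes default to unchecked; the information shown to users (purpose, named third party, expiry) comes from the same record that governs what is actually set; and the decision can be withdrawn. The following is an added example, not code from the original article or from the ICO, showing one way to enforce those checks with a single consent gate through which all cookie writes pass. The cookie names, purposes, third-party names and the in-memory jar are constructed for illustration; in a browser the jar would wrap `document.cookie`.

```javascript
// Added example: a consent gate that enforces the PECR cookie rules summarised above.
// Cookie storage is abstracted behind a "jar" so the module runs in Node and in a
// browser (where you would pass a thin wrapper around document.cookie).

// Registry of every cookie the site may set: purpose, who sets it, whether it is
// strictly necessary, and retention in days (0 = session cookie). The banner is
// rendered from this registry, so the information shown to users cannot drift from
// what is actually set. All entries here are constructed for the example.
const COOKIE_REGISTRY = {
  session_id:   { purpose: 'Keeps you logged in',                         party: 'first',                essential: true,  maxAgeDays: 0 },
  csrf_token:   { purpose: 'Protects forms against cross-site request forgery', party: 'first',          essential: true,  maxAgeDays: 0 },
  analytics_id: { purpose: 'Measures page usage',                         party: 'ExampleAnalytics Ltd', essential: false, maxAgeDays: 365 },
  ad_profile:   { purpose: 'Personalises advertising',                    party: 'ExampleAds Inc',       essential: false, maxAgeDays: 90 },
};

class ConsentGate {
  constructor(jar, registry = COOKIE_REGISTRY) {
    this.jar = jar;          // { set(name, value, maxAgeDays), delete(name), has(name) }
    this.registry = registry;
    this.consented = null;   // null = no decision yet; a Set of accepted names once decided
  }

  // Information for the banner: what each cookie does, who sets it, how long it lives.
  // Non-essential entries are reported unchecked, so no pre-ticked boxes are rendered.
  describeCookies() {
    return Object.entries(this.registry).map(([name, c]) => ({
      name,
      purpose: c.purpose,
      thirdParty: c.party !== 'first' ? c.party : null,
      essential: c.essential,
      retention: c.maxAgeDays === 0 ? 'session' : `${c.maxAgeDays} days`,
      checked: c.essential,  // essential cookies are not opt-in; everything else defaults off
    }));
  }

  // Records a decision. Only an explicit call from a user action (button click,
  // form submit) should reach this; scrolling or navigating never calls it, so
  // continued use of the site is never treated as consent.
  recordChoice(acceptedNames) {
    const accepted = new Set();
    for (const name of acceptedNames) {
      if (!(name in this.registry)) throw new Error(`unknown cookie: ${name}`);
      if (!this.registry[name].essential) accepted.add(name);
    }
    this.consented = accepted;
    // Remove any non-essential cookie the user has declined or withdrawn.
    for (const [name, c] of Object.entries(this.registry)) {
      if (!c.essential && !accepted.has(name)) this.jar.delete(name);
    }
  }

  // The single choke point for cookie writes. Returns true if the cookie was set,
  // false if it was blocked because no consent covers it.
  setCookie(name, value) {
    const c = this.registry[name];
    if (!c) throw new Error(`unknown cookie: ${name}`);
    if (c.essential) { this.jar.set(name, value, c.maxAgeDays); return true; }
    if (this.consented === null || !this.consented.has(name)) return false;
    this.jar.set(name, value, c.maxAgeDays);
    return true;
  }

  // Lets the user revisit the decision at any time (controls remain available).
  withdraw() { this.recordChoice([]); }
}

// In-memory jar standing in for document.cookie (constructed for this example).
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value, maxAgeDays) { this.store.set(name, { value, maxAgeDays }); }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
}

// Walk through a landing-page visit: before any choice only essential cookies land,
// after a partial opt-in only the accepted cookie is set, and withdrawal clears it.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  const before = {
    session: gate.setCookie('session_id', 'abc'),     // essential: set immediately
    analytics: gate.setCookie('analytics_id', 'u1'),  // non-essential: blocked on landing page
  };
  gate.recordChoice(['analytics_id']);                // user ticked analytics only
  const after = {
    analytics: gate.setCookie('analytics_id', 'u1'),  // now permitted
    ads: gate.setCookie('ad_profile', 'p1'),          // still blocked
  };
  gate.withdraw();
  return { before, after, analyticsAfterWithdraw: jar.has('analytics_id') };
}
```

The design choice worth noting is the single `setCookie` choke point: third-party tags that set their own cookies directly bypass it, so in practice the same gate should also decide whether those tags are loaded at all, and a periodic audit of the cookies actually present on the landing page against the registry is the check that catches drift.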
Exemptions from information and consent requirements
PECR provides for exemptions from the information and consent requirements for certain types of cookie (broadly, cookies used solely for communications purposes and which are ‘strictly necessary’), and the Guidance gives some useful examples of each category of exempt cookie, including setting out a list of the types of activity which are likely to be considered ‘strictly necessary’.
Relationship between PECR, DPA 2018 and GDPR
The Guidance explores the link between PECR, the DPA 2018 and GDPR, and notes that, where the rules set out in PECR apply, they take precedence over the DPA 2018 and GDPR. In summary, the Guidance considers the following to be the easiest way to look at this:
- if your online service stores information, or accesses information stored, on user devices then you should ensure that you comply with PECR first, including the requirements to provide information and obtain consent; and
- the GDPR applies to any processing of personal data outside of this storage or access.
The distinction and overlap between the different sets of rules is an important one and, as the Guidance further highlights, particularly raises its head in the context of the lawful basis requirements of the GDPR. As the Guidance notes, if user consent is obtained in the context of setting cookies and that user’s personal data is also processed, then consent is likely also to be the most appropriate lawful basis for processing that user’s personal data under the GDPR. This is because other lawful bases may conflict with consent, potentially confusing users as to which applies and when.
The Guidance provides useful additional content for those wishing to set cookies on websites or apps and attempts to provide colour on an area of law which often struggles to keep pace with technological development. The ICO has confirmed that the rules on cookies are likely to be a greater focus for the ICO moving forward and organisations may wish to consider their own compliance in this area. In addition, online service providers should be aware that a new e-privacy Regulation remains under development and is likely to significantly modernise the current law.