Co-authored by Georgia Shriane and Charlotte Gorman
What are cookies?
Cookies are small text files that are downloaded and stored on a user’s computer. Cookies allow a website to remember information regarding a user’s visits and activities.
How do you comply?
What is “consent”?
The PECR does not provide a definition of consent, but rather, consent is governed by the GDPR. To be valid, consent must be freely given, specific, informed and unambiguous.
Once given, a user must be able to withdraw their consent at any time – the withdrawal of consent must be as easy as the giving.
Are there any exemptions?
There are two exemptions in relation to obtaining consent. These two exemptions are the “communication” exemption and the “strictly necessary” exemption.
What do you need to know?
Your website must provide clear information about the cookies and their use before consent is given;
Consent cannot be given by accepting terms and conditions;
You cannot use any pre-ticked boxes for consent to the use of non-essential cookies. A positive action is required;
You must allow users to still access your website even if the user refuses to give consent for the use of non-essential cookies. A cookie wall is not permitted;
If you use any third party cookies you must name the third party and explain their use of the information;
You must apply PECR first and then look at GDPR. This means that if consent is required under PECR, one of the lawful bases from the GDPR cannot be used as an alternative.
What action should you take?
The ICO recommends that a “cookie audit” of your online service is undertaken to review information including, what cookies your website uses, what the purposes of the cookies are and whether your consent mechanism is sufficient.
Following the ICO guidance, we have updated our website to ensure compliance. Visit our website here to view a practical example of our implementation of the cookie procedure.