Skip to main content

Co-authored by Georgia Shriane and Charlotte Gorman

The Information Commissioner’s Office (“ICO”) has recently published guidance on the use of cookies and other similar technologies. The ICO’s guidance explains the correct application of the Privacy and Electronic Communications Regulations (“PECR”) and the way that it interacts with the General Data Protection Regulation (“GDPR”). 

What are cookies?

Cookies are small text files that are downloaded and stored on a user’s computer. Cookies allow a website to remember information regarding a user’s visits and activities. 

How do you comply?

If you use cookies on your website you need to ensure that you tell the user what cookies your website uses, explain what their functions are and obtain the user’s consent to your use of cookies. 

What is “consent”? 

The PECR does not provide a definition of consent, but rather, consent is governed by the GDPR. To be valid, consent must be freely given, specific, informed and unambiguous.

Once given, a user must be able to withdraw their consent at any time – the withdrawal of consent must be as easy as the giving. 

Cookie-walls, preventing users from accessing a website if they do not consent to the cookies, are not acceptable; so a user must be able to refuse cookies but still visit the website. 

Are there any exemptions? 

There are two exemptions in relation to obtaining consent. These two exemptions are the “communication” exemption and the “strictly necessary” exemption. 

The “communication exemption” means that consent is not required where the transmission of communication is only possible with the use of cookies. 

The “strictly necessary” exemption is applicable where the use of cookies is essential to provide the service requested by the user. For example, consent is unlikely to be required where a website is using a cookie to remember what the user has placed in their shopping basket for when they check out. 

What do you need to know? 

  1. Your website must provide clear information about the cookies and their use before consent is given;
  2. A user’s continued use of your website does not constitute consent to the use of cookies;
  3. Consent cannot be given by accepting terms and conditions;
  4. You cannot use any pre-ticked boxes for consent to the use of non-essential cookies. A positive action is required;
  5. You must allow users to still access your website even if the user refuses to give consent for the use of non-essential cookies. A cookie wall is not permitted; 
  6. If you use any third party cookies you must name the third party and explain their use of the information;
  7. You must apply PECR first and then look at GDPR. This means that if consent is required under PECR, one of the lawful bases from the GDPR cannot be used as an alternative.  

What action should you take? 

The ICO recommends that a “cookie audit” of your online service is undertaken to review information including, what cookies your website uses, what the purposes of the cookies are and whether your consent mechanism is sufficient. 

Following the ICO guidance, we have updated our website to ensure compliance. Visit our website here to view a practical example of our implementation of the cookie procedure. 

Read the full ICO guidance here

Get in touch

If you would like help with any of the matters mentioned on this page please do not hesitate to contact us.

View All

shutterstock 531975229 (1)

Stay ahead with the latest from Boyes Turner

Sign up to receive the latest news on areas of interest to you. We can tailor the information we send to you.

Sign up to our newsletter
shutterstock 531975229 (1)