Cookie Compliance

Cookie Compliance Made Easy

Stay on top of cookie compliance with our latest guide, covering the essentials of PECR, UK GDPR, and best practices to keep your organisation aligned with legal requirements. Learn about types of cookies, obtaining valid consent, avoiding common compliance missteps, and the future of privacy with the proposed ePrivacy Regulation. Empower your organisation with the knowledge to use cookies responsibly and compliantly.

Cookie Compliance: Essential Considerations for Organisations

Cookies are essential for enhancing user experiences and driving personalised marketing. However, they come with stringent compliance requirements under the UK’s Privacy and Electronic Communications Regulations (PECR) and UK GDPR. To help organisations utilise cookies effectively and legally, this guide provides a comprehensive overview of what cookies are, the legal landscape, and best practices for compliance.

What Are Cookies?

Cookies are small data files that a website stores on a user’s device (computer, tablet or smartphone) when they visit, and that the browser sends back with later requests to that site. They let a site remember a user’s actions or preferences, such as language settings or whether they are logged in, across page loads. Cookies are the most common mechanism, but PECR’s rules cover “similar technologies” that do the same job: tracking pixels, scripts that read or write browser storage (such as localStorage), and device fingerprinting. All of these can recognise a returning user, track their interactions and tailor content to them. In short, cookies and these identifiers streamline user experiences and help websites understand how visitors engage with their content.

Key Rules on Cookies: PECR and UK GDPR

In the UK, there are two main regulations to keep in mind when using cookies: PECR (Privacy and Electronic Communications Regulations) and the UK GDPR. PECR deals with cookie storage and access on user devices, while the UK GDPR applies when cookies process personal data. Here’s a simple overview of how these two frameworks work together for cookie compliance:

  • PECR Compliance First: Under PECR (Regulation 6), organisations must give users clear and comprehensive information about the cookies they use and obtain their consent before storing, or reading, any non-essential cookie. The exemption is for cookies that are strictly necessary to provide a service the user has asked for, such as keeping a user logged in or holding items in a shopping cart while they browse. These can be set without consent, though it is good practice to describe them in your cookie policy. Note that “useful to the business” is not the same as strictly necessary.
  • UK GDPR Requirements for Personal Data: When cookies collect personal data, such as session identifiers tied to an account, device identifiers, or tracking data that can single out an individual, the UK GDPR applies to that processing in addition to PECR. You then need a lawful basis, must meet the transparency and purpose limitation principles, and must protect the data appropriately.

Tip: To ensure compliance, first confirm that your cookie practices align with PECR guidelines, as this sets the foundation. Then, if cookies handle personal data, apply the UK GDPR’s data protection standards to address privacy considerations.

Understanding Consent for Cookies

For cookies, consent under PECR must align with the high standards set by the UK GDPR. This means that obtaining user consent needs to meet specific conditions to ensure users have control and clarity about their choices. Here’s what constitutes valid cookie consent:

Freely Given: Users should have a genuine choice, meaning they aren’t pressured or misled into accepting cookies.

Specific: Consent must be collected for each specific purpose. For instance, analytical cookies and advertising cookies should be separated, allowing users to choose which types they permit.

Informed: Users need a clear understanding of what data each cookie collects, how it’s used, and why. This information should be presented in an accessible way.

Unambiguous: Users must actively consent through a clear affirmative action, such as clicking “Accept” in a visible cookie banner. Pre-ticked boxes, continuing to browse, scrolling or simply closing the banner do not count, and “Reject” must be as easy to find and use as “Accept”. (The UK GDPR’s separate “explicit consent” standard is for special category data; for cookies the test is unambiguous consent given by a clear affirmative action.)

Consent vs. Legitimate Interest

For any cookie within PECR’s scope that is not strictly necessary, consent is the only lawful route: PECR offers no ‘legitimate interests’ alternative, so a non-essential cookie cannot be set on that basis however unintrusive it is. The UK GDPR lawful-basis question is separate and only arises where the cookie processes personal data. The ICO’s guidance is that consent will usually be the appropriate lawful basis for personal data collected by cookies that needed consent to be set, since it is hard to justify legitimate interests for processing the user had to opt into. Strictly necessary cookies that process personal data (a login session cookie, for example) are exempt from the PECR consent requirement and can rely on another UK GDPR lawful basis, such as contract or legitimate interests.

Types of Cookies and Compliance Implications

Understanding the types of cookies used and their regulatory requirements is essential to meet compliance standards. Here’s a breakdown of common types and how consent requirements apply:

  1. Essential Cookies: These cookies are necessary for the basic functions of a website, like maintaining login status or keeping items in a shopping cart. No consent is required under PECR, but it’s still good practice to inform users about their use.
  2. Analytical and Performance Cookies: Designed to track user behaviour and gather data that improves website performance (like tracking how often users visit pages or which links are clicked), these cookies are not essential to website operation. Therefore, they require user consent under PECR before being placed on the device.
  3. Targeting and Advertising Cookies: These cookies identify user interests, preferences, and behaviours to deliver personalised ads and are often shared with third-party advertisers. Due to their direct impact on user privacy, websites must obtain explicit consent to use them.
  4. Tracking Cookies: Usually set by a third-party domain that appears on many sites, these cookies follow users across multiple websites so that a profile of their browsing can be built, typically for targeted advertising. They are the most intrusive category: they always require clear, informed consent before they are set, and the identifier they carry will almost always be personal data under the UK GDPR.

Practical Steps to Ensure Compliance

Adopting clear, actionable steps is essential for managing cookie compliance effectively. Here’s a straightforward approach to ensuring your site meets both PECR and UK GDPR requirements:

  • Cookie Audits: Conduct regular audits of your website’s cookies to track which are in use, their purposes, and whether they are necessary. This allows you to categorise each cookie correctly, making it easy to determine which ones require user consent and which may be classified as essential.
  • Clear Consent Banners: Use an accessible and visible cookie banner to explain the cookies used, their functions, and provide an option for users to accept, reject, or adjust their cookie preferences. This ensures users can make informed choices about their data from the outset, helping to meet PECR’s consent standards.
  • Detailed Cookie Policy: Your website should feature a clear, comprehensive cookie policy that explains each type of cookie used, its purpose, and the type of data collected. Transparency in your cookie policy aligns with PECR’s requirement to provide clear user information and builds trust with your site visitors.
  • Regular Review of Consent: Consent should not be treated as lasting indefinitely. Ask users to reconfirm whenever there is a material change in how cookies are used on the site (new categories, new third parties), and set a sensible maximum age for a stored consent record; a year is a common choice. Users must also be able to withdraw consent at any time, as easily as they gave it (UK GDPR Article 7(3)), via a link in your cookie banner or a settings page, and withdrawal should stop the relevant cookies being set and remove those already on the device.
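The audit step above is the one most easily automated. The following is an added example, not code from the original page or from Data Protection People: a Node.js script that takes Set-Cookie headers captured while crawling the site (the records below are constructed sample data; in practice you would export them from a browser HAR file or a headless-browser crawl), works out for each cookie whether it is first- or third-party, session or persistent, and which security attributes it carries, and then reconciles the result with the cookies declared in the cookie policy, flagging anything undeclared. The site host www.example.org, the declared list and the two-label registrable-domain approximation are all assumptions; a production audit should use the Public Suffix List to decide what counts as the same site.

```javascript
// Added example (not from the original page): inventory the cookies a site
// actually sets and reconcile them with the cookie policy's declared list.
// All records below are CONSTRUCTED sample data; export real ones from a
// crawler or a browser HAR file.

const SITE_HOST = "www.example.org"; // assumed site under audit

// Cookies as declared in the (hypothetical) cookie policy.
const DECLARED = {
  sessionid: { category: "essential", purpose: "keeps the user logged in" },
  cart: { category: "essential", purpose: "remembers basket contents" },
  _ga: { category: "analytics", purpose: "visit statistics" },
};

// One record per Set-Cookie header observed, with the URL of the response.
const CAPTURED = [
  { url: "https://www.example.org/",
    header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { url: "https://www.example.org/cart",
    header: "cart=42; Path=/; Max-Age=604800; Secure; SameSite=Lax" },
  { url: "https://www.example.org/",
    header: "_ga=GA1.2.1; Domain=.example.org; Expires=Wed, 01 Jan 2027 00:00:00 GMT; Path=/" },
  { url: "https://ads.tracker.example/pixel.gif",
    header: "uid=xyz; Domain=.tracker.example; Max-Age=31536000; Path=/; SameSite=None; Secure" },
];

// Registrable-domain approximation: the last two labels. This assumption is
// wrong for suffixes like .co.uk; use the Public Suffix List in a real audit.
function baseDomain(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Parse a single Set-Cookie header into its name, value and attributes.
// Headers are kept one per record because Expires values contain commas.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
    domain: null, path: "/", maxAge: null, expires: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split("=");
    const k = key.toLowerCase();
    const v = rest.join("=");
    if (k === "domain") cookie.domain = v.toLowerCase();
    else if (k === "path") cookie.path = v;
    else if (k === "max-age") cookie.maxAge = parseInt(v, 10);
    else if (k === "expires") cookie.expires = v;
    else if (k === "secure") cookie.secure = true;
    else if (k === "httponly") cookie.httpOnly = true;
    else if (k === "samesite") cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Classify each observed cookie and list the compliance and security issues found.
function auditCookies(captured, declared, siteHost) {
  return captured.map(({ url, header }) => {
    const c = parseSetCookie(header);
    const host = c.domain || new URL(url).hostname;
    const party = baseDomain(host) === baseDomain(siteHost) ? "first-party" : "third-party";
    const persistent = c.maxAge !== null || c.expires !== null;
    const decl = declared[c.name];
    const issues = [];
    if (!decl) issues.push("undeclared: not listed in the cookie policy");
    if (decl && decl.category === "essential" && party === "third-party")
      issues.push("third-party cookie classed as essential: re-check classification");
    if (!c.secure) issues.push("no Secure attribute: also sent over plain HTTP");
    return {
      name: c.name, host, party, lifetime: persistent ? "persistent" : "session",
      category: decl ? decl.category : "unknown",
      secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite, issues,
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  const rows = auditCookies(CAPTURED, DECLARED, SITE_HOST);
  console.table(rows.map((r) => ({ ...r, issues: r.issues.join("; ") })));
}
```

Run it with `node audit.js`; the undeclared third-party `uid` cookie and the analytics cookie missing the Secure attribute are the two rows that need action. Re-run after every deployment that adds a tag or script, since that is how undeclared cookies usually appear.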

How to Address Compliance Gaps: Common Missteps

To maintain cookie compliance under PECR and UK GDPR, it’s crucial to avoid common errors that can easily arise from misunderstanding regulatory requirements. Here’s a detailed look at frequent compliance missteps and how to correct them:

Misclassifying Analytics Cookies as ‘Essential’
  • The Mistake: Many organisations assume that cookies used for site analytics and performance measurement are essential because they contribute to website improvement. However, under PECR, only cookies that are strictly necessary for a website’s core functionality (e.g., login sessions or shopping cart memory) are classified as essential.
  • The Fix: Analytics cookies require explicit user consent. To correct this, you should ensure that analytics cookies are listed separately in your cookie consent banner, providing users with the choice to opt in or out. By categorising these cookies as optional and requiring consent, you adhere to both PECR and GDPR standards.
Inadequate or Ambiguous Language in Cookie Banners
  • The Mistake: Using vague language in cookie banners can result in non-compliant consent. Examples include broad terms like “we use cookies to improve your experience” without specifying the types of cookies or their purposes. Under PECR and GDPR, consent must be informed, meaning users must clearly understand what they are consenting to.
  • The Fix: Aim for precise, plain language in your cookie banner. Use clear descriptions that specify the purpose of each cookie type, such as “analytics,” “functional,” or “advertising” cookies, and explain what they do. Ensure each option in the banner is easily understandable, and use affirmative action language, like “Accept Analytics Cookies” or “Reject Advertising Cookies,” rather than ambiguous terms. Providing a link to your cookie policy where more details are available also improves clarity.
Using Tracking Cookies for Advertising Without Explicit Consent
  • The Mistake: Many organisations set tracking cookies for targeted advertising without obtaining the necessary consent. Tracking cookies, particularly those used for behavioural advertising, are intrusive and carry identifiers that allow a profile of an individual to be built; that makes them personal data under the UK GDPR as well as cookies that need consent under PECR.
  • The Fix: Make sure your cookie consent banner states clearly when cookies are used for advertising and asks for a separate, affirmative opt-in for that category. The banner should also make clear that refusing these cookies will not affect the user’s ability to browse the site. The advertising tags themselves must not load until the user has opted in, which means the consent check has to run in the page before the third-party script does, not after. The cookie policy should list who the data is shared with, what is collected and how it will be used.
Failure to Refresh Consent Regularly
  • The Mistake: Treating consent as permanent once given. Neither PECR nor the UK GDPR sets a fixed expiry for cookie consent, but consent only covers what the user was told about at the time, so it no longer applies once cookie usage changes, and the ICO does not expect a stored consent to be relied on indefinitely.
  • The Fix: Record the version of the cookie policy the user consented to, and re-prompt when that version changes or when the stored consent exceeds a maximum age you have decided on (annually is a common choice). Offer an easy way for users to review and modify their consent at any time, through the banner, a settings page, or a cookie preferences link in the footer of your website.
Not Providing a Simple Option to Withdraw Consent
  • The Mistake: Making it difficult for users to withdraw consent breaches UK GDPR Article 7(3), which requires that withdrawing consent is as easy as giving it. Some organisations only provide an option to accept cookies without a clear way to reject or modify preferences, and some hide rejection behind several clicks while acceptance takes one.
  • The Fix: Include an easily accessible option for users to withdraw or modify their consent, such as a “Cookie Settings” link in the website footer or within the banner itself, and give “Reject” the same prominence as “Accept” on the banner. Withdrawal should take effect immediately: stop setting the affected cookies and remove those already on the device.
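The three fixes above (load advertising tags only after opt-in, re-prompt when a policy change or age invalidates stored consent, and withdraw as easily as accept) all come down to how the page stores and checks the consent record. The following consent manager is an added example, not code from the original page, from Data Protection People, or from any consent-management product. It stores a versioned, timestamped record, treats every non-essential category as refused until the user affirmatively opts in, runs category loaders (the functions that would insert the analytics or advertising script tag) only once consent exists, and on withdrawal removes the cookies that category set. Storage and cookie deletion are injected so the logic runs under Node; the in-memory stand-ins, the category names, the policy version number and the one-year maximum age are assumptions. In a browser you would pass window.localStorage and a cookie jar that expires the named cookies via document.cookie.

```javascript
// Added example (not from the original page): a minimal consent store that
//  (1) treats every non-essential category as refused until the user opts in,
//  (2) records the cookie-policy version and a timestamp, so consent given under
//      an older policy or older than MAX_CONSENT_AGE_MS is ignored and re-sought,
//  (3) runs category loaders (the code that would add the analytics or
//      advertising <script> tag) only once consent for that category exists,
//  (4) on withdrawal, deletes the cookies that category set.
// Storage and the cookie jar are injected so this runs under Node; in a browser
// pass window.localStorage and a jar backed by document.cookie (assumption).

const POLICY_VERSION = 3; // bump whenever cookie usage changes (assumed value)
const MAX_CONSENT_AGE_MS = 365 * 24 * 60 * 60 * 1000; // one year, per the guide
const CATEGORIES = ["analytics", "advertising"]; // essential cookies are never asked about
const STORAGE_KEY = "cookie_consent";

function createConsentManager({ storage, cookieJar, now = () => Date.now() }) {
  const loaders = { analytics: [], advertising: [] };
  const started = new Set(); // a loader runs at most once per page load

  // Returns the stored record, or null if no valid (current, fresh) consent exists.
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    if (rec.version !== POLICY_VERSION) return null;              // policy changed: re-ask
    if (now() - rec.timestamp > MAX_CONSENT_AGE_MS) return null;  // too old: re-ask
    return rec;
  }

  function allowed(category) {
    const rec = read();
    return rec !== null && rec.choices[category] === true; // default is "no"
  }

  function needsBanner() {
    return read() === null;
  }

  // Register the code that sets cookies for a category; it runs only after consent.
  function onConsent(category, loader) {
    loaders[category].push(loader);
    if (allowed(category)) run(category);
  }

  function run(category) {
    for (const fn of loaders[category]) {
      if (!started.has(fn)) { started.add(fn); fn(); }
    }
  }

  // Record the user's choices. Anything not explicitly true is a refusal, so a
  // banner that omits a category can never grant it by accident.
  function update(choices) {
    const prev = read();
    const next = {};
    for (const c of CATEGORIES) next[c] = choices[c] === true;
    storage.setItem(STORAGE_KEY,
      JSON.stringify({ version: POLICY_VERSION, timestamp: now(), choices: next }));
    for (const c of CATEGORIES) {
      if (next[c]) run(c);
      else if (prev && prev.choices[c]) cookieJar.removeCategory(c); // withdrawal
    }
  }

  // "As easy as giving it": one call refuses everything non-essential.
  function withdrawAll() { update({}); }

  return { allowed, needsBanner, onConsent, update, withdrawAll };
}

// In-memory stand-ins for localStorage and a cookie jar (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}
function memoryCookieJar() {
  const cookies = new Map(); // cookie name -> category that set it
  return {
    set: (name, category) => cookies.set(name, category),
    names: () => [...cookies.keys()],
    removeCategory: (cat) => { for (const [n, c] of cookies) if (c === cat) cookies.delete(n); },
  };
}

// Walk through accept-one-category, then withdraw; returns what the jar held at each step.
function demo() {
  const jar = memoryCookieJar();
  const cm = createConsentManager({ storage: memoryStorage(), cookieJar: jar });
  cm.onConsent("analytics", () => jar.set("_ga", "analytics"));
  cm.onConsent("advertising", () => jar.set("uid", "advertising"));
  const beforeConsent = jar.names();   // []  nothing set before an affirmative choice
  cm.update({ analytics: true });      // user ticks analytics only
  const afterAccept = jar.names();     // ["_ga"]
  cm.withdrawAll();
  const afterWithdraw = jar.names();   // []  the analytics cookie is removed
  return { beforeConsent, afterAccept, afterWithdraw, bannerNeeded: cm.needsBanner() };
}
```

The design point is that the default is refusal and the check is made before any third-party script is inserted: `onConsent` is the only route by which a tag gets loaded, so there is no code path that sets an advertising cookie first and asks afterwards. Bumping `POLICY_VERSION` when a new category or vendor is added silently invalidates every stored consent, which is what forces the re-prompt the guide calls for.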

By addressing these common gaps with well-defined practices, organisations can maintain compliance with PECR and GDPR, providing users with genuine control over their data while supporting trust and transparency.

The Future of ePrivacy: What the ePrivacy Regulation Means for Organisations

As data protection experts, we at Data Protection People keep a close eye on how privacy law is being aligned with modern communication technologies. The European Commission’s proposed ePrivacy Regulation, first put forward in January 2017, would replace the 2002 ePrivacy Directive (the directive that PECR implements in the UK) with a regulation applying directly across the EU and sitting alongside the General Data Protection Regulation (GDPR). Negotiations between the European Parliament and the Council have stalled repeatedly since then, so the timetable, and the final text, remain uncertain.

Why the ePrivacy Regulation Matters

The proposed ePrivacy Regulation addresses emerging privacy concerns brought about by rapid technological changes. Unlike the existing rules, which primarily apply to traditional telecom operators, the regulation will extend privacy obligations to digital service providers, including popular messaging apps like WhatsApp, Facebook Messenger, and Skype. This expanded scope means that individuals and organisations will enjoy a higher level of confidentiality in their digital communications, regardless of the platform used.

Key Features of the ePrivacy Regulation

Some essential features of the ePrivacy Regulation are worth highlighting:

  1. Uniform Privacy Standards Across the EU: The regulation aims to create a consistent privacy standard across all EU member states, providing both individuals and businesses with a single set of rules that govern electronic communications. For businesses, this translates to less complexity and reduced administrative burdens.
  2. Enhanced Privacy for Communications Content and Metadata: The regulation will reinforce privacy protections for both content and metadata of communications. Metadata, which includes details like the time and location of a message, has substantial privacy implications. Under the proposed rules, companies will be required to anonymise or delete metadata unless they have user consent or need it for essential functions, such as billing.
  3. Streamlined Cookie Requirements: The regulation also aims to simplify the process around cookie consent. Instead of repetitive, intrusive pop-ups, users could configure cookie settings directly within their browsers, making consent management easier and more user-friendly. Additionally, the new rules clarify that cookies that are non-intrusive, such as those used to remember shopping carts or count website visitors, won’t require consent.
  4. Protection Against Spam and Unwanted Communication: Unsolicited marketing, whether via email, SMS, or automated calls, will be more tightly regulated. Organisations will need to follow stricter rules, with clear opt-in or opt-out options, depending on national laws. Marketing calls will also need to be identifiable, either by phone number display or a specific prefix.
  5. New Business Opportunities for Telecom Providers: With user consent, traditional telecom providers will have more freedom to offer innovative services, such as creating data-based insights to inform public infrastructure projects. This allows for greater business opportunities while maintaining transparency and privacy.
  6. Stronger Enforcement: Enforcement of the ePrivacy Regulation will fall under the purview of national data protection authorities, enhancing oversight and ensuring the regulation’s alignment with GDPR standards.

What This Means for Organisations and Data Protection

Organisations established in the EU, and those that provide electronic communications services to, or set cookies on the devices of, end-users in the EU, would need to adapt their practices: updating privacy policies, adjusting cookie consent mechanisms, and revisiting how communications metadata is handled. Following Brexit the Regulation would not apply directly in the UK, where PECR remains the governing law; UK organisations would be affected only to the extent that they serve users in the EU. Given the scale of the changes it proposes, tracking its progress and preparing early will help organisations build trust and protect user privacy in an increasingly digital world.

At Data Protection People, we are prepared to assist organisations in understanding and implementing the requirements of the proposed ePrivacy Regulation, ensuring they are ready to meet the future of privacy head-on.

Need Help Navigating Cookie Compliance and the ePrivacy Regulation?

With regulations constantly evolving, staying compliant with cookie laws, PECR, GDPR, and the proposed ePrivacy Regulation can feel overwhelming. That’s where Data Protection People comes in. Our Support Desk and Outsourced DPO Service are here to make compliance straightforward and achievable.

From conducting in-depth cookie audits to ensuring you are meeting the highest standards for user consent and privacy, our expert team provides hands-on support tailored to your organisation’s needs. Whether it is setting up compliant consent banners, handling regulatory updates, or addressing complex privacy concerns, we’re ready to guide you through it all.

Why Choose Data Protection People?

  • Expert Support on Demand: With our Support Desk, get reliable, real-time advice on any data protection question, whenever you need it.
  • Seamless Compliance: Our Outsourced DPOs work as an extension of your team, managing and maintaining your compliance with PECR, GDPR, and beyond.
  • Tailored Solutions: We understand that every organisation is unique. Our services are customised to meet your specific data protection requirements.

Don’t let compliance challenges hold you back. Connect with Data Protection People today and let our specialists support your journey towards a safer, more secure digital environment.