GDPR protects personal information about individuals and gives the individual rights to control how their data is used. Among other things, PECR governs how organisations may make electronic communications, including sending marketing emails or text messages and serving tailored online advertising. Both pieces of legislation are regulated by the Information Commissioner’s Office, and both require organisations to inform individuals how their data is used.
What is a cookie?
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise the user’s device and to store some information about the user’s preferences or past actions. The rules apply to “non-essential” cookies, which include advertising cookies and those set by third parties. There are exceptions to the legislative requirements, for example for cookies that are essential to provide an online service at someone’s request. These types of cookies are called session cookies and must be “strictly necessary”, meaning the cookie is either needed for technical purposes to allow the communication to take place, or needed to provide a service the user has requested. Usual examples of “essential” cookies are those used to remember what is in a user’s online basket, to ensure security in online banking, or a security cookie for a requested service.
What are organisations required to do?
Organisations are required to comply with the rules by:
- providing details of the purposes of the cookies that are being used on a website;
- explaining what the cookies are doing and why; and
- obtaining the individual’s consent to store a cookie on their device.
What is consent?
The ICO’s guidance helps organisations move away from the previously non-compliant reliance on implied consent, where individuals had to “opt out” of the use of cookies. Both sets of regulations require that consent must be actively and clearly given. This may mean that the individual signs up for a mailing list or ticks a box agreeing to have their information used in a particular way. The organisation must make it clear exactly what purpose the information will be used for (for example, being added to a mailing list or shared with third parties), as well as giving the individual control over how they will receive any communications (e.g. text and SMS) if consent to receive communications is given. Information about consent must be clear and easily accessible, so hiding a cookies statement at the end of a Privacy Notice may not be sufficient unless a link to the appropriate section is given.
The author of this blog article is Rachel Robinson.
Rachel Robinson has over 20 years’ experience of providing company commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE 100 companies to owner-managed small businesses.