The Information Commissioner’s Office (ICO) has published guidance on cookies and similar technologies, in particular the use of “non-essential” cookies. This is relevant to organisations that operate an online service, such as a website or a mobile app, so if you have one we recommend you keep reading.
GDPR protects personal information about individuals and gives the individual rights to control how their data is used. Among other things, PECR relates to how organisations can make electronic communications, including sending marketing emails or text messages or serving tailored online advertising. Both pieces of legislation are regulated by the Information Commissioner’s Office, and both require organisations to inform individuals how their data is used.
What is a cookie?
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise the user’s device and store some information about the user’s preferences or past actions.
The rules apply to “non-essential” cookies, which include advertising cookies and those set by third parties. There are exceptions to the legislative requirements, for example for cookies that are essential to provide an online service at someone’s request. These types of cookies are called session cookies and must be “strictly necessary”, meaning the cookie is either necessary for technical purposes to allow communication to take place, or needed to provide a service the user has requested. Usual examples of “essential” cookies are those used to remember what is in a user’s online basket, to ensure security in online banking, or a security cookie for a requested service.
What are organisations required to do?
If an organisation is using cookies on its website, it must comply with two main pieces of legislation, GDPR and PECR, which share the similar purpose of protecting users’ information, whether it is personal or company information, and giving users control over how that information can be used by other parties (such as for marketing purposes).
The Cookies regulations apply whether the information being processed is personal information or if it is anonymised. However, if personal data is being processed, the obligations under GDPR also must be complied with.
In practice, this means:
- detailing information about the purposes of the cookies that are being used on a website;
- explaining what the cookies are doing and why; and
- getting the individual’s consent to store a cookie on their device.
The same rules also apply if other types of technology are used to store or gain access to information on someone’s device.
This information requirement and consent gathering does not need to be repeated each time an individual uses a website. However, as a number of individuals may access the same device, organisations should still regularly repeat the information-giving process at suitable intervals, so that they can evidence that all individuals will be aware and have given (or refused) their consent.
What is consent?
The ICO’s guidance helps organisations change their behaviour from previously non-compliant reliance on implied consent, where individuals had to “opt out” of cookie use.
The regulations both require that consent must be actively and clearly given. This may mean that the individual signs up for a mailing list or ticks a box agreeing to have their information used in a particular way. The organisation must make it clear exactly what purpose the information will be used for (for example being added to a mailing list or shared with third parties), as well as giving the individual control over how they will receive any communications (e.g. text and SMS) if consent is given to receive communications. Information about consent must be made clear and easily accessible – so hiding a cookies statement at the end of a Privacy Notice may not be sufficient unless a link to the appropriate section is given.
The ICO has issued the following word of warning: “Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based.”
Our lawyers provide expert legal advice to your business to ensure that your documents, including your websites and contracts, are appropriate and robust. We also offer to review your terms and conditions and recommend updates and improvements to make them more effective and better suited to your business.
The author of this blog article is Rachel Robinson.
Rachel Robinson has over 20 years’ experience of providing company commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE100 companies to owner-managed small businesses.