Back to Insights Back to Insights

As you browse the internet, you may have noticed pop-up notifications asking for your consent to use cookies. While cookies can be useful for improving user experience and personalisation, they also raise concerns about privacy and security. As a website owner, it’s essential to understand the regulations that apply to their usage and the potential risks associated with them.

In this article, we will delve into the world of internet cookies and provide you with a comprehensive understanding of what they're, how they work, and the regulations governing their use.

What are website cookies?

Cookies are text files containing small pieces of data, for example, a username and password. Information about the user is saved and then tracked as they browse. For example, if you look up your local forecast on, the website cookies will remember the town or postcode you entered, and the next time you visit the site, the weather in your particular area is what you will see first.

Cookies are also used to:

  • Improve website functionality
  • Track users' activity
  • Personalise content
  • Tailor advertising more effectively, based on previous search history and web browsing behaviour, for use in targeted ads, also known as online behavioural advertising (OBA)
  • Provide security, for example, in internet banking and e-commerce sales

What are the different types of cookies?

There are four different types of cookies, namely:

  • Sessions cookies
  • Persistent cookies
  • First-party cookies
  • Third-party cookies


These cover a single browsing session and are deleted when the user exits the browser. They're the least intrusive type of cookies and usually do not store personal data.


These are stored on the user's device for a limited period (this could be a few minutes or a few days). They allow a website to recognise the user and their preference when they return and tailor the browsing experience to them. They can also be used to track a user’s browsing activity across the internet to build up a profile for OBA.


By default, these are generated and stored on your website visitor's computers when they visit your site. A unique identifier is assigned to the user by setting the cookie to either the user's browser and/or their hard drive to track the user's journey on the website. 

Website owners use first-party cookies for personalisation and recognition purposes. Each time a user visits the website, the cookie is retrieved, ensuring they do not have to re-enter registration details or can return to the items they previously stored in a shopping basket. The information gathered via first-party cookies is incredibly valuable to advertisers, and a website owner can sell the user data to third parties provided they have obtained consent.


These are planted by anyone other than the website owner or operator. They're generally present when a website hosts images, social media plugins or advertising from other websites, as these can also set cookies. Website owners often monetise their sites by ‘renting out’ space to advertisers, who in turn plant their own cookies. Blocking third-party cookies improves user security and privacy. Users can block first and third-party cookies through their web browser settings. 

What sort of information is stored by a cookie? 

Cookies are designed to collect extensive website-user information, and depending on the type, this can include:

  • A unique user ID and password
  • How often a user visits a particular site
  • Previous links clicked on
  • The name, phone number, email, and personal address of the user
  • The user’s location
  • The products placed in a shopping cart
  • How long a user spends on the site

The above list is not exhaustive. A lot of information collected by cookies contains personal data. Therefore, website owners and operators must comply with the Privacy and Electronic Communications Regulations (PECR), the UK and/or EU GDPR (General Data Protection Regulation), and the Data Protection Act 2018 when using cookies to collect, store, and share personal data.

How long can you legally store cookies?

According to the ePrivacy Directive, they should be stored for up to 12 months.

What is a second party cookie?

When you visit a website, second-party cookies refer to the data collected from it that will be shared with another website due to a pre-arranged data exchange agreement between the two sites. These cookies gather identical information to first-party.

What is a Cookies Policy?

A Cookies Policy is a document made available on your website that sets out what type of cookies the website uses, what kind of data they collect, the purposes for processing the data obtained, and how long the user’s browser will store the cookies.

This document is often included in a website's wider Privacy Policy.


Free Cookies Policy template


Do I need a Cookie Policy on my website?

In case your website utilises cookies, it’s essential to comply with GDPR and other privacy regulations that mandate the disclosure of information collection practices to visitors. If you collect data from your site users, you must have a Cookie Policy.

Is a Cookies Policy a legal requirement?

This is a tricky question. PECR was published in 2003 when the Internet was well-established but nowhere near as sophisticated and widely used as it is today. As such, the PERC itself does not explicitly mention cookies. However, Regulation 6 of PERC states:

(1) … a person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment —

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

Applying Regulation 6 to cookies, the law requires that website owners and operators must, therefore:

  • Make clear what cookies they use
  • Explain how they will operate
  • Obtain user consent to store cookies on their devices

Get legal assistance from LawBite 

Cookies play a significant role in website functionality, personalization, and advertising. However, they raise privacy and security concerns, making it crucial for website owners and operators to understand the regulations governing their use and the potential risks. The use of cookies is subject to PECR, GDPR, and the Data Protection Act 2018, which require website owners to obtain users' consent and disclose information collection practices to visitors. 

If you need advice on data protection and compliance, book a free 15 minute consultation or call us on 020 3808 8314. Don't forget to include a Cookies Policy on your website if you use cookies to collect data from your site users.


Additional resources

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.

Free legal support for businesses

The LawBite Free Essentials Plan acts as your very own legal assistant, ready to provide expertise and guidance on the common legal issues that SMEs and businesses face.

Free Templates
  • X 3 legal document templates
  • Drafted by our expert lawyers
  • New documents added every month
Legal Healthcheck Tools
  • Business-specific surveys
  • Understand how compliant you are
  • Checks in, GDPR, IP, Brexit and more
Resources, Webinars and Articles
  • Access to the latest LawBite events
  • Legal guides for businesses
  • Smarter business law videos