The first web development programmers needed a way to store and share unchanged data when users accessed web content, in order to make the user experience more streamlined. The word ‘cookie’ is derived from “fortune cookie” (an object with a message inside). In very simplistic terms that is exactly what a cookie is, a piece of software that stores information about a user.
Amongst other things, it allows a website to “remember” your log in details, contents of your online basket and previous browsing preferences. Whilst the commercial benefits of collecting and storing user information are clear, so are the risks to user privacy. Over the years, complaints concerning the intrusions into a user’s private life and personal information by the use of ‘cookies’ have soared and recent privacy laws have been introduced in an attempt to control what data is stored about users and how that data is used by the website owner and third parties who gain access to the user’s private information.
This has developed into a highly complex area of law affecting all devices like computers, mobile devices and wearable technologies such as fitness trackers.
What are cookies and where are they stored?
Cookies are small electronic files which are stored on a user’s device and they collect information when someone visits a website. A cookie can identify the pages that are being viewed, which can assist website owners to select the pages that the visitor sees. Some cookies only exist whilst visitors are online, but “persistent” cookies – which are not session-based – remain on the visitor’s computer or device, so that he or she can be recognised as a previous visitor when he or she next visits the website. Cookies serve a variety of functions some of which are:
- Storing what is in a user’s online shopping cart;
- Allowing easier log in to a website;
- Analysing traffic to a website;
- Tracking users browsing behaviour.
Similar technologies to cookies exist, such as scripts, tracking pixels and plugins, which consist of software which can function in a similar fashion to cookies and if they are being used to collect and retain data about a user then they are subject to the same regulation as cookies.
How are cookies and similar technologies regulated?
The use of this type of software is regulated by:
- Data Protection Act 2018;
- General Data Protection Regulation (GDPR);
- Privacy and Electronic Communications Regulations (PECR).
GDPR and PECR are both EU regulations. The Data Protection Act is UK domestic law which has implemented GDPR and PECR. The government body which regulates and enforces the provisions of the act and associated regulations is the Information Commissioner’s Office (ICO).
Brexit and data privacy law
The ICO has indicated that it does not expect Brexit to dramatically alter the legal requirements. However, depending on the terms of the deal reached with the EU at the end of the transition period, the ICO expects that the UK will have the right to keep this legal framework under review.
In this article, we will be focusing on the requirements set out in PECR but it is important to be aware that PECR is directly informed by the principles set out in GDPR.
What does the legal regulatory framework seek to achieve?
The framework imposes strict obligations on how personal information is used by organisations, businesses and governments. It is significant for consumer rights law as it places strict controls on how user information may be collected, stored and most importantly passed on to third parties. It seeks to regulate so-called “data mining” where users are, unwittingly, giving away vast amounts of personal data about their preferences, location, health and, in some cases, political views which are then sold on to advertiser or marketing agencies for the purposes of targeted marketing practices.
How does it work?
As a user, you will have noticed that after online shopping a number of adverts appear on your device and/or in your social media accounts advertising similar products. This is achieved through a complex web of cookies and similar technologies which aggregate your user information and then sell it on to businesses who use it as part of their marketing campaigns.
As a website owner, if you are using third-party advertising like ‘Google Ads’, your users’ data is being collected by cookies placed on the user’s device by a third party advertiser. This information informs the advertising algorithms which then “decide” which ads to place on your website or directly on to a user’s device or social media account.
How do I make my website compliant with PECR?
- Transparency – users must be clearly told what information is being collected from them and why;
- Consent – users must be required to explicitly consent to their information being collected and used.
Under former regulations, it was sufficient to merely advise users of a website that cookies were being used and you needed to place a link to a “privacy and cookies policy” which was rarely accessed by users. The website owner usually suggested that by continuing to browse the website the user was consenting to the operation of cookies and similar technologies.
That is simply no longer the case and website owners are now required to highlight the actual cookies and similar technologies used on their websites and what they do, and to seek the user’s specific consent to their use before any cookies are loaded on to the user’s device.
Transparency and informed consent
Transparency is a fundamental principle of data privacy law. Visitors to a website should be able to easily access information about the cookies and similar technologies on the website. Further, when obtaining consent, the website should take all reasonable means to ensure that the user is fully informed about what they are consenting to when they click “accept”.
PECR applies the GDPR standard which provides that this information should be clear and comprehensive so that it effectively:
- Explains how the cookies or similar technologies work;
- What they will be used for;
- Identifies where this information is available elsewhere on the website;
- Informs the user about the potential consequences of allowing cookies and similar technologies;
The language and detail used must be tailored to the appropriate level of the intended user of the website.
My web developer says that some cookies are essential
It is correct that some cookies are essential for the functioning of a website. PECR makes provision for essential cookies. These are the types of cookies for which you do not need specific consent. However, it is highly unlikely that your website cookies will consist only of essential cookies. Examples of essential and non-essential cookies are set out here:
- Essential cookies –
- “Remember” the items a user has stored in their online shopping cart;
- Ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (known as as ‘load balancing’ or ‘reverse proxying’)
- Non-Essential cookies –
- Analytics, e.g. counting the number of visitors to a website;
- First and third-party advertising cookies;
- Recognise a user when they return to the website.
What form should this information and consent take?
A number of websites have pop-up banners informing the user that cookies and similar technologies are in use on the site and inviting them to accept. In order to meet the requirements of PECR that banner must include a link to a place on the website where the full details are set out including those of third-party advertisers or data users. It must be made easy for users to get a full picture of how their data will be collected and stored with a minimum of clicks. This information section must advise the user, amongst other things, of where their data is stored, how long it will be retained, and how requests may be made to remove it.
The banner must also give the user a real choice as to which of the cookies will be activated by clicking consent. An “all or nothing” approach is not a genuine choice so care must be taken to give the user the ability to opt out of non-essential cookies and explaining how the user may do so.
Is one-off consent sufficient?
No. As part of a prudent data strategy, there should be time limits set by which a privacy consent would expire. By way of example if a user has not accessed a website for 90 days it would be sensible to request consent again. A regular user would not need to consent every time they access the website.
Changes to the cookies and in particular changes to third-party cookies must be clearly flagged to the users. If there has been any change to how these operate, your website must be updated and consent obtained from all users.
Prevention is better than cure
A good data policy is essential to any business which is operating online. With that in mind, the following are excellent principles to bear in mind while developing your online presence to ensure that you are fully compliant with data privacy law:
- Ensure that privacy and data compliance is designed into your systems form the start;
- Make sure all cookies and similar technologies are clearly explained;
- Regularly review:
- Privacy settings;
- Notices to users;
- maintain records of your regular reviews as proof of compliance.
This article is provided for general information only and is not intended to be nor should it be relied upon as legal advice in relation to any particular matter. If you require specific legal advice on any issue relating to your online business or website, we at Burlingtons Legal LLP will be able to assist. Please contact us on +44 (0)20 7529 5420 to arrange a consultation.