A law firm which offers more

Call us: 0113 246 0622

Are your cookies GDPR compliant?


A lack of clarity around the use of website cookies will hopefully now be resolved after the Information Commissioner’s Office (ICO) published new guidance on the use of cookies and similar technology recently.

Since the General Data Protection Regulation (GDPR) was first implemented in May 2018, there’s been a lot of confusion and speculation around how it applies to cookies and other similar technology. The new guidance aims to provide a clearer picture of how businesses can best use cookies with their online service. Given the wide range of different approaches to cookie use that can be seen across the internet, many companies are pleased that there will finally be more certainty and clarity around this issue, whilst others may feel a little nervous as to what the new guidance might mean for them.

First things first, what’s a cookie?

A cookie is not just a delicious treat; in this instance, it’s a small text file left on your computer, tablet, phone or other device when you visit a website. Every time you then revisit that site, it accesses that cookie and recognises you. Session cookies last as long as your browsing session and then are deleted, while persistent cookies remain on your device until their expiry date, which could be years in the future. Websites are allowed to install a cookie on a user’s computer for two reasons. Either they are strictly necessary, meaning they’re used for technical purposes to allow communications to take place or provide a service at the user’s request. Or they require consent, which the user has given after being provided with clear information about the cookie’s purpose.

Cookies are an important technological feature and allow for secure website access and online shopping functionality; however, they can also be used to encroach on users’ privacy.

What laws govern cookie use?

Cookies are primarily regulated by the Privacy and Electronic Communication Regulations (PECR) which lay out the following rules. Website owners, developers and others using cookies and similar technology must:

However, since its introduction, GDPR is also relevant to cookies. The close connection between e-privacy and data protection law means that cookies must be processed in accordance with GDPR and because some of the PECR’s key concepts, such as standard of consent, now come from GDPR. Put basically, if the use of a cookie results in the processing of personal data, the broad principles of GDPR also apply.

What are the key takeaways from the new guidance?

Here are some of the main things to consider:

Getting consent

The new guidance imposes much stricter requirements for obtaining consent, because it must meet the definition under GDPR, which is much higher than under previous legislation. This means:

Full cookie walls

Cookie walls, which block access to a site or service unless consent is given to the installation of certain cookies, aren’t allowed and using statements like ‘by continuing to use this website you are agreeing to cookies’ is definitely not allowed. However, the ICO acknowledges that partial cookie walls which restrict access to certain content may be allowed and are seeking further submissions around this from interested parties.

Consent for analytics cookies

Cookies classed as ‘strictly necessary’ are defined as such according to the users’ point of view, not the service provider and so, while analytics provide useful information, they are not essential to the user – if you didn’t have them, then the user would still be able to use your service. Hence why cookies, for the purposes of profiling, behavioural analysis and predicting preferences or behaviour, are not considered strictly necessary and do require consent under GDPR.

Third-party cookies

If you’re using any third-party cookies, make sure you clearly and specifically name the third parties and explain what they do with the info they are collecting.

Apply PECR rules before applying GDPR

As the PECR provides specific rules around privacy and electronic communication, where these rules apply, they take precedence over GDPR. Therefore, when installing cookies, the ICO suggests you consider PECR compliance first and ensure cookies comply with these requirements before moving on to consider the more general rules of the GDPR.

How should my business respond?

Prior to the publication of the ICO’s new guidance, many organisations had adopted a “wait and see” approach to compliance with cookies, given that the PECR rules were under review at the EU-level and, at that point, the ICO had not yet fully updated its cookie guidance. However, this new update has sent a clear message that, despite the complexity of the issue, businesses need to start taking steps to ensure they comply with the new guidance now. In fact, this is quite literally what the ICO’s Head of Technology Policy wrote in a blog accompanying the new guidance, saying that businesses “should start taking steps to comply now.”

For some companies, the new guidance will mean very little change, whilst for others it may well mean more work will have to be done in order to ensure they are compliant. A sensible starting point for many businesses would be to conduct a full cookie audit, so that companies know the full range of first and third party cookies they’re using and the reasons why they’re being used. This may then require further work to update the company’s cookie policy and the mechanism through which users give consent. As the ICO says, “undertake a cookie audit, document your decisions, and you will have nothing to fear.” However, as the recent fines for data breaches under GDPR against British Airways and Marriott demonstrate, the ICO is taking issues around GDPR seriously and that means businesses should too.

If you need to understand what’s involved in a cookie audit, please contact a member of our Commercial and IT Team for some help.

Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.