The PECR’s requirements, which also cover issues such as electronic marketing and electronic communication services, take precedence over the GDPR.
In this blog, we look at organisations’ cookie requirements under the GDPR and the PECR, explaining where they’re necessary and what measures must be taken to ensure that cookies are collected lawfully.
Are cookies personal data?
In short: when cookies can identify an individual, they’re considered personal data. Organisations must therefore comply with the UK GDPR as well as PECR when deploying cookies on their websites.
This includes ensuring they only process cookies that constitute personal data if they have a lawful basis to do so.
What are strictly necessary cookies?
A strictly necessary cookie is one that must be present for a website or app to provide its basic functions or remain secure. If strictly necessary cookies were not used, individuals would be impeded in their ability to access information and other services.
Determining whether a cookie is strictly necessary is no simple task. Although data protection bodies such as the ICO provide guidance on what constitutes a strictly necessary cookie, there is no definitive list of criteria.
There are many cookies that organisations might argue are essential for their business. Cookies can be used to support various functions on a website, including remembering user settings and tracking behaviour for analytical purposes.
An organisation may well consider these necessary for its purposes. However, ‘necessity’ is in most circumstances defined from the user’s perspective – in other words, whether the cookie is essential for someone to navigate the website effectively and/or safely.
This is the case for cookies that ensure site functionality, such as moving between pages, signing into an account or adding items to a shopping cart.
Cookies are also strictly necessary if they are needed to comply with other relevant legislation, including the security requirements of the GDPR.
Compliance with the GDPR is required for strictly necessary cookies, but consent is not mandated. That means organisations can rely on an alternative lawful basis for processing strictly necessary cookies that generate personal data, and this is often legitimate interest.
Examples of strictly necessary cookies
The ICO, which regulates the GDPR in the UK, provides examples of cookies that meet the strictly necessary exemption:
Further clarifying its definition, the ICO emphasises the difference between strictly necessary cookies and those that are simply ‘important’.
The latter refers to cookies that support certain features or that gather information on behalf of the organisation.
For example, analytics cookies gather information that’s crucial for an organisation’s wider business processes, such as tracking website performance to meet organisational objectives.
However, the website and its users wouldn’t be negatively affected if analytics cookies weren’t used. As such, analytics cookies are not deemed to be strictly necessary and user consent is therefore required.
Do your cookie practices comply with the GDPR?
Identifying strictly necessary cookies is not a simple task. Indeed, cookie compliance has been one of the biggest stumbling blocks for organisations achieving GDPR and PECR compliance.
Although the strictly necessary exemption can help reduce organisations’ workloads, using it improperly will result in a regulatory breach and could be met with a sizeable penalty.
Plus, organisations must identify cookies that involve personal data and inform users of their use.
Our team of experts will perform a comprehensive review of your website to establish what cookies are being used and where. We will advise which cookies are likely to be considered strictly necessary, and can advise on the lawful basis for processing personal data.
We’ll also assess your cookie banner to ensure it meets the relevant requirements and will highlight cookies that pose a data protection or privacy risk.