The way websites use cookies changed significantly with the introduction of the GDPR and its UK version, with the legislation introducing more stringent rules on the collection of personal data.
But the GDPR isn’t the only legislation that organisations should be concerned about. In the UK, its rules sit alongside the PECR (Privacy and Electronic Communications Regulations) 2003, which is the primary legislation governing the use of cookies.
The PECR’s requirements, which also cover issues such as electronic marketing and electronic communication services, take precedence over the GDPR where the two overlap.
In this blog, we look at organisations’ cookie requirements under the GDPR and the PECR, explaining when consent is necessary and what measures must be taken to ensure that cookies are set and used lawfully.
Are cookies personal data?
Recital 30 of the GDPR confirms that information gleaned about individuals from the use of cookies could be considered personal data. It states:
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In short: when cookies can be used to identify an individual, the data they carry or generate is personal data. Organisations must therefore comply with the UK GDPR as well as the PECR when deploying cookies on their websites.
This includes ensuring they only process personal data obtained through cookies where they have a lawful basis to do so.
The PECR contain a general prohibition on setting or reading cookies without consent. However, there is an exemption for cookies classified as “strictly necessary”, and the ICO (Information Commissioner’s Office) provides guidance on how that exemption applies.
What are strictly necessary cookies?
A strictly necessary cookie is one that must be present for a website or app to provide its basic functions or remain secure. If strictly necessary cookies were not used, individuals would be impeded in their ability to access information and other services.
Determining whether a cookie is strictly necessary is no simple task. Although data protection bodies such as the ICO provide guidance on what constitutes a strictly necessary cookie, there is no definitive list of criteria.
There are many cookies that organisations might argue are essential for their business. Cookies can be used to support various functions on a website, including remembering user settings and tracking behaviour for analytical purposes.
An organisation may well consider these necessary for its own purposes. However, ‘necessity’ is in most circumstances assessed from the user’s perspective: is the cookie essential for someone to use the service they have requested, and to do so safely?
This is the case for cookies that ensure site functionality, such as maintaining a session as the user moves between pages, keeping them signed into an account, or remembering the items in a shopping cart.
Cookies are also strictly necessary if they are needed to comply with other relevant legislation, including the security requirements of the GDPR; a cookie used to detect repeated failed login attempts is the kind of security measure the ICO has in mind here.
The GDPR still applies to strictly necessary cookies that generate personal data, but consent is not mandated for them under the PECR. That means organisations can rely on an alternative lawful basis for that processing, and this is often legitimate interests. Note that the PECR exemption only removes the consent requirement; it does not remove the need for a lawful basis under the GDPR.
Examples of strictly necessary cookies
The ICO, which enforces both the UK GDPR and the PECR, provides examples of cookies that meet the strictly necessary exemption, such as the session, authentication and shopping-cart cookies described above.
Further clarifying its definition, the ICO emphasises the difference between strictly necessary cookies and those that are simply ‘important’.
The latter refers to cookies that support certain features or that gather information on behalf of the organisation.
For example, analytics cookies gather information that’s crucial for an organisation’s wider business processes, such as tracking website performance to meet organisational objectives.
However, the website would still function, and its users would not be impeded, if analytics cookies were not set. As such, analytics cookies are not deemed to be strictly necessary, and user consent is therefore required before they are placed.
Do your cookie practices comply with the GDPR?
Identifying strictly necessary cookies is not a simple task. Indeed, cookie compliance has been one of the biggest stumbling blocks for organisations seeking to achieve GDPR and PECR compliance.
Although the strictly necessary exemption can help reduce organisations’ workloads, applying it to cookies that do not qualify is a breach of the PECR and could be met with a sizeable penalty.
Plus, organisations must identify cookies that involve personal data and inform users of their use.
This is because any activities that involve personal data must be included in the organisation’s privacy policy to ensure transparency.
For organisations looking to navigate these complexities, there is a solution. DQM GRC’s GDPR Cookie Compliance Service provides an easy way for you to manage the way your organisation uses cookies.
Our team of experts will perform a comprehensive review of your website to establish what cookies are being used and where. We will advise which cookies are likely to be considered strictly necessary, and can advise on the lawful basis for processing any personal data they involve.
We’ll also assess your cookie banner to ensure it meets the relevant requirements and will highlight cookies that pose a data protection or privacy risk.
Luke Irwin is a former writer for DQM GRC. He has a master's degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.