GDPR: What are Strictly Necessary Cookies?

The way websites use cookies changed significantly with the introduction of the GDPR (General Data Protection Regulation).

Although cookies were already regulated under the PECR (Privacy and Electronic Communications Regulations), the GDPR intertwined cookies with its definition of personal data.

As Recital 30 of the GDPR states:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […].

This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In short: when cookies can identify an individual, they’re considered personal data.

As such, organisations can only process cookies that constitute personal data if they have a lawful basis to do so.

The only exception to this rule is for cookies classified as “strictly necessary” by the ICO (Information Commissioner’s Office). But what makes a cookie strictly necessary?

What are strictly necessary cookies?

A strictly necessary cookie is one that must be present for a website or app to provide its basic functions or remain secure.

The GDPR enables organisations to freely process data found in strictly necessary cookies, because if they were not able to, their service would cease to function or be insecure. As a result, individuals would be impeded in their ability to access information and other services.

Determining whether a cookie is strictly necessary is no simple task. Although data protection bodies such as the ICO provide guidance on what constitutes a strictly necessary cookie, there is no definitive list of criteria.

There are many cookies that organisations might argue are essential for their business. Cookies can be used to support various functions on a website, including remembering user settings and tracking behaviour for analytical purposes.

An organisation may well consider these necessary for their purposes. However, ‘necessity’ is in most circumstances defined from the user’s perspective – in other words, whether the cookie is essential for someone to navigate the website effectively and/or safely.

This is the case for cookies that ensure site functionality, such as moving between pages, signing into an account or adding items to a shopping cart.

Cookies are also strictly necessary if they are needed to comply with other relevant legislation, including the security requirements of the GDPR.

Examples of strictly necessary cookies

The ICO, which regulates the GDPR in the UK, provides examples of cookies that meet the strictly necessary exemption:

  • Cookies that are used to remember the goods a website visitor wishes to buy when they go to the checkout;
  • Cookies that are essential for security, like connecting with an online banking service; and
  • Cookies that ensure that the site’s content loads quickly and effectively.

Further clarifying its definition, the ICO emphasises the difference between strictly necessary cookies and those that are simply ‘important’.

The latter refers to cookies that support certain features or that gather information on behalf of the organisation.

For example, analytics cookies gather information that’s crucial for an organisation’s wider business processes, such as tracking website performance to meet organisational objectives.

However, the website and its users wouldn’t be negatively affected if analytics cookies weren’t used. As such, analytics cookies are not exempt from the GDPR’s requirements.

What about the PECR?

The GDPR isn’t the only legislation that regulates the use of cookies. UK organisations are also subject to the PECR (Privacy and Electronic Communications Regulations).

The PECR cover several areas, including electronic marketing, cookies and the security of public electronic communication services. Its rules sit alongside the UK GDPR (the domestic version of the Regulation that was adopted following Brexit) and take precedence over them.

This matters, because the PECR require consent much more frequently than the GDPR does.

Like the GDPR, it states that consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.

The PECR also contain exemptions for the use of cookies. As the ICO explains, these might apply, depending on the circumstance, for the following activities:

  • User input
  • Authentication
  • Security
  • Content streaming
  • Network management
  • User preferences

Do your cookie practices comply with the GDPR?

Identifying strictly necessary cookies is not a simple task. Indeed, cookie compliance has been one of the biggest stumbling blocks for organisations achieving GDPR and PECR compliance.

Although the strictly necessary exemption can help reduce organisations’ workloads, using it improperly will result in a regulatory breach and could be met with a sizeable penalty.

Plus, organisations must identify cookies that involve personal data and inform users of their use.

This is because any activities that involve personal data must be included in the organisation’s privacy policy to ensure transparency.

For organisations looking to navigate these complexities, there is a solution. DQM GRC’s GDPR Cookie Compliance Service provides an easy way for you to manage the way your organisation uses cookies.

Our team of experts will perform a comprehensive review of your website to establish what cookies are being used and where. We will highlight strictly necessary and non-essential cookies.

We’ll also assess your cookie banner to ensure it meets the relevant requirements and will highlight cookies that pose a data protection or privacy risk.
