• ICO Guidance And The PECR Cookie Consent

    You may have come across through many texts written and explaining about PECR cookie consent.
    But, as the concept is quite essential and contains complications, we recommend that you read this article.

    Every organisation under the territory of EEA is under a legal obligation to obtain consent for the use of cookies and similar technologies.

    It is established under the ePrivacy Directive, which was implemented in the UK by the privacy and Electronic Communications Regulations (PECR).

    PECR covers information requirements of cookies.

    Additionally, cookies are related to the processing of personal data.

    The General Data Protection Regulation applies to every organisation based in the EEA and non-EEA organisations that are processing EEA citizen’s data, providing them with various services or monitoring their behaviour.

    The EU has planned to update the ePrivacy Directive, but the replacement Regulation is stuck in the legislative process.
    But, the most significant change to the law on cookies has already made. The definition of ‘consent’ under PECR has now transformed to relate to the definition of GDPR.

    This indicates that consent, whether under PECR or the GDPR, should be freely given, informed, specific.

    Now, PECR cookie consent is almost like GDPR cookie consent.

    However, the updated definition of consent has brought many compliance-related issues for businesses. Organisations which use cookies for interest-based advertising, tracking and marketing are affected by this issue in particular.

    The development

    Guidance on cookies and similar technologies has been updated and published by the Information Commissioner Officer (ICO).

    The guidance has stressed how important consent is under both PECR and GDPR. Because both pieces of legislation focus on the appropriate lawful basis for cookies’ use which includes processing of personal data.

    In the wake of reading this guidance blog, many sites will realise that they haven’t adequately implemented the compliance rules. They will also note the ICO’s focus on a privacy-intrusive cookie for enforcement purposes.

    There are innumerable issues highlighted in the guidance with current market practices. Nevertheless, it is unlikely to always come-up with rational compliance suggestions and provide an answer to every question.

    For companies, carrying out an audit by implementing this guidance is vital. Because they can make necessary changes wherever they are required.

    The ICO’s message is: “start working towards compliance now – undertake a cookie audit, document your decisions and you will have nothing to fear”.
    Key points of the Guidance

    Below mentioned are a few of the key points mentioned in the guidance.

    • Consent to cookies can’t be implied.
    • Analytics cookies are not necessary and require consent under PECR.
    • Where consent is required, you cannot use cookie walls pending consent.
    • For consent under PECR, you can’t rely on legitimate interests for non-essential cookies that involve the personal data processing as a lawful basis under the GDPR.
    • Cookie compliance will be a priority for the ICO, but any action will be proportionate to the failure.
    • Organisations are urged to “start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear”.

    The relation between Cookie rules and the GDPR
    As PECR takes precedence over GDPR, so we must discuss at the PECR first.
    If the setting of cookies includes personal data processing, you must comply with the GDPR’s additional requirements.
    On the other hand, PECR is applicable where storage or access to information on user devices includes personal data processing.  The GDPR and especially PECR cookie consent are significant because where cookie rules don’t apply, compliance with GDPR is compulsory there.

    Cookie consent and the lawful basis
    For the use of Cookies, consent is the only lawful basis that can be relied upon when personal data is involved.

    It is possible to rely on another lawful basis where personal data is involved for subsequent processing, though this is not applicable for the use of cookies.

    Regulators including the ICO have previously stated that, however, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing data with third parties”. In certain cases, the processing of personal data that follows or depends on the setting of cookies is highly likely to require consent as its lawful basis.”
    It is not mainly because the personal data originates by the use of cookies but because of the nature, scope, context and purposes of the processing operations themselves.
    No matter your website is hosted outside the UK, but it will be subject to PECR if you are based in the UK.
    Practically, many of the information facilities and the requirement to obtain consent under GDPR will apply where the GDPR applies, depending on what the cookie is used for.

    Frequently Asked Questions
    1) What does consent to cookies mean?
    The Cookie Law states that every user must provide informed consent before files get stored on their computer. So, you should provide details on how and why you use cookies. It is important to give your visitors the opportunity to provide, withdraw or refuse consent at any time.

    2) What is the Privacy and Electronic Communications Regulations Act?
    The UK law of the Privacy and Electronic Communications (EC Directive) Regulations 2003, it is unlawful to transmit an automated recorded message for direct marketing purposes via a telephone, without the prior consent of the user.

    3) When did PECR come into force?
    The PECR came into effect in 2003 and has been subsequently amended, to account for the changes that came with GDPR with its implementation in 2018.

    Protect yourself, get compliant fast.

    Scan & Audit your Cookies

    Scan your website Cookies, generate a fully-customisable Cookie Consent Banner
    & create a Cookie Policy – FREE