You may have come across many texts explaining PECR cookie consent.
But as the concept is essential and has its complications, we recommend that you read this article.
It is established under the ePrivacy Directive, which was implemented in the UK by the Privacy and Electronic Communications Regulations (PECR).
PECR covers the information requirements for cookies.
Additionally, cookies are related to the processing of personal data.
The General Data Protection Regulation (GDPR) applies to every organisation based in the EEA and to non-EEA organisations that process EEA citizens’ data, provide them with various services or monitor their behaviour.
The EU has planned to update the ePrivacy Directive, but the replacement Regulation is stuck in the legislative process.
But the most significant change to the law on cookies has already been made. The definition of ‘consent’ under PECR has now been changed to relate to the definition in the GDPR.
This means that consent, whether under PECR or the GDPR, should be freely given, informed and specific.
Now, PECR cookie consent is almost like GDPR cookie consent.
Guidance on cookies and similar technologies has been updated and published by the Information Commissioner's Office (ICO).
The guidance stresses how important consent is under both PECR and the GDPR, because both pieces of legislation focus on the appropriate lawful basis for the use of cookies, which includes the processing of personal data.
After reading this guidance blog, many sites will realise that they haven’t adequately implemented the compliance rules. They will also note the ICO’s focus on privacy-intrusive cookies for enforcement purposes.
The guidance highlights innumerable issues with current market practices. Nevertheless, it is unlikely to always come up with rational compliance suggestions and provide an answer to every question.
For companies, carrying out an audit in line with this guidance is vital, because they can then make the necessary changes wherever they are required.
The ICO’s message is: “start working towards compliance now – undertake a cookie audit, document your decisions and you will have nothing to fear”.
Key points of the Guidance
Below are a few of the key points made in the guidance.
The relation between cookie rules and the GDPR
As PECR takes precedence over the GDPR, we must discuss PECR first.
If the setting of cookies includes personal data processing, you must comply with the GDPR’s additional requirements.
On the other hand, PECR is applicable where storage of or access to information on user devices includes personal data processing. The GDPR and especially PECR cookie consent are significant because, where cookie rules don’t apply, compliance with the GDPR is compulsory.
Cookie consent and the lawful basis
Regulators including the ICO have previously stated that, “however, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing data with third parties”. “In certain cases, the processing of personal data that follows or depends on the setting of cookies is highly likely to require consent as its lawful basis.”
Even if your website is hosted outside the UK, it will be subject to PECR if you are based in the UK.
In practice, many of the information facilities and the requirement to obtain consent under the GDPR will apply where the GDPR applies, depending on what the cookie is used for.
Frequently Asked Questions
1) What does consent to cookies mean?
2) What is the Privacy and Electronic Communications Regulations Act?
Under the UK's Privacy and Electronic Communications (EC Directive) Regulations 2003, it is unlawful to transmit an automated recorded message for direct marketing purposes via a telephone without the prior consent of the user.
3) When did PECR come into force?
PECR came into effect in 2003 and has subsequently been amended to account for the changes that came with the GDPR's implementation in 2018.