ICO’s guidance on cookie consent and the PECR

You may have come across many explanations and descriptions of the Privacy and Electronic Communications Regulation (PECR) and cookie consent.

Every organisation under the territory of the European Economic Area (EEA) is under a legal obligation to obtain consent for the use of cookies and similar technologies.

It is established under the ePrivacy Directive, which was implemented in the UK by the Privacy and Electronic Communications Regulation (PECR).

PECR audit covers the information requirements of cookies.

Additionally, cookies are related to the processing of personal data.

The General Data Protection Regulation (GDPR) applies to every organisation based in the EEA and non-EEA that are processing EEA citizen’s data, providing them with various services or monitoring their behaviour.

The EU had planned to update the ePrivacy Directive, but the replacement regulation is stuck in the legislative process. But, the most significant change to the law on cookies has already been made. The definition of ‘consent’ under PECR has now been extended under the GDPR.

This indicates that consent, whether under PECR or the GDPR, should be freely given, informed and specific.

Now, PECR cookie consent is almost like GDPR cookie consent.

However, the updated definition of consent has brought many compliance-related issues for businesses. Organisations who use cookies for interest-based advertising, tracking and marketing are affected by this issue in particular.

ico pecr cookie consent guidelines

The development

Guidance on cookies and similar technologies has been updated and published by the Information Commissioner’s Office (ICO).

The guidance has stressed how important consent is under both the Privacy and Electronic Communications Regulation (PECR). and General Data Protection Regulation (GDPR). Because both pieces of legislation focus on the appropriate lawful basis for use of cookies which includes processing of personal data.

“There are innumerable issues highlighted in the guidance with current market practices. Nevertheless, it is unlikely to always come-up with rational compliance suggestions and provide an answer to every question.”

For companies, carrying out an audit by implementing this guidance is vital. Because they can make necessary changes wherever they are required.

PECR infographic

The ICO’s message is: “start working towards compliance now – undertake a cookie audit, document your decisions and you will have nothing to fear”.

Key points under the guidance

Below are a few of the key points mentioned in the guidance:

  • Consent to cookies can’t be implied.
  • Analytics cookies are not necessary and require consent under PECR.
  • Where consent is required, you cannot use cookie walls pending consent.
  • For consent under PECR, you can’t rely on legitimate interests for non-essential cookies that involve the personal data processing as a lawful basis under the GDPR.
  • Cookie compliance will be a priority for the ICO, but any action will be proportionate to the failure.
  • Organisations are urged to “start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear”.

PECR takes precedence over GDPR, so we must discuss the PECR first. If the setting of cookies includes personal data processing, you must comply with the GDPR’s additional requirements. On the other hand, PECR is applicable where storage or access to information on a user’s device includes personal data processing.  The GDPR and especially PECR cookie consent are significant because where cookie rules don’t apply, compliance with GDPR is compulsory.

Cookie consent and the lawful basis

ico pecr cookie consent guidelines

For the use of cookies, consent is the only lawful basis that can be relied upon when personal data is involved.

It is possible to rely on another lawful basis where personal data is involved for subsequent processing, though this is not applicable to the use of cookies.

“Regulators including the ICO have previously stated that, however, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing data with third parties”. In certain cases, the processing of personal data that follows or depends on the setting of cookies is highly likely to require consent as its lawful basis.” “

It is not mainly because the personal data originates by the use of cookies but because of the nature, scope, context, and purposes of the processing operations themselves.

No matter where your website is hosted, but it will be subject to both Privacy and Electronic Communications Regulation (PECR). and General Data Protection Regulation (GDPR) if you are based in the UK. Thus organisations must ensure that they implement a compliant cookie consent banner on their websites.

Frequently Asked Questions (FAQs)

1) What does consent to cookies mean?

The Cookie Law under General Data Protection Regulation (GDPR)states that every user must provide informed consent before files get stored on their computer. So, you should provide details on how and why you use cookies. It is important to give your visitors the opportunity to provide, withdraw or refuse consent at any time.

2) What is the Privacy and Electronic Communications Regulation (PECR)? 

Under the Privacy and Electronic Communications Regulation (PECR), it is unlawful to transmit an automated recorded message for direct marketing purposes via a telephone, without the prior consent of the user.

3) When did PECR come into force?

The Privacy and Electronic Communications Regulation (PECR)  came into effect in 2003 and has been subsequently amended, to account for the changes that came in effect with the General Data Protection Regulation (GDPR) in 2018.