You may have come across many explanations and descriptions of the Privacy and Electronic Communications Regulation (PECR) and cookie consent.
The requirement for cookie consent is established under the ePrivacy Directive, which was implemented in the UK by the Privacy and Electronic Communications Regulation (PECR).
A PECR audit covers the information requirements for cookies.
Additionally, cookies are related to the processing of personal data.
The General Data Protection Regulation (GDPR) applies to every organisation based in the EEA, and to non-EEA organisations that process EEA citizens’ data, provide them with various services or monitor their behaviour.
The EU had planned to update the ePrivacy Directive, but the replacement regulation is stuck in the legislative process. However, the most significant change to the law on cookies has already been made: the definition of ‘consent’ under PECR has now been extended under the GDPR.
This indicates that consent, whether under PECR or the GDPR, should be freely given, informed and specific.
Now, PECR cookie consent is almost like GDPR cookie consent.
Guidance on cookies and similar technologies has been updated and published by the Information Commissioner’s Office (ICO).
“There are innumerable issues highlighted in the guidance with current market practices. Nevertheless, it is unlikely to always come up with rational compliance suggestions and provide an answer to every question.”
For companies, carrying out an audit by implementing this guidance is vital, because they can then make the necessary changes wherever they are required.
The ICO’s message is: “start working towards compliance now – undertake a cookie audit, document your decisions and you will have nothing to fear”.
Key points under the guidance
Below are a few of the key points mentioned in the guidance:
- Consent to cookies can’t be implied.
- Analytics cookies are not necessary and require consent under PECR.
- Where consent is required, you cannot use cookie walls pending consent.
- Where PECR requires consent, you can’t rely on legitimate interests as a lawful basis under the GDPR for non-essential cookies that involve the processing of personal data.
- Cookie compliance will be a priority for the ICO, but any action will be proportionate to the failure.
- Organisations are urged to “start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear”.
PECR takes precedence over the GDPR, so we must discuss PECR first. If the setting of cookies involves personal data processing, you must comply with the GDPR’s additional requirements. On the other hand, PECR is applicable where storage of or access to information on a user’s device includes personal data processing. The GDPR and especially PECR cookie consent are significant because where cookie rules don’t apply, compliance with the GDPR is compulsory.
Cookie consent and the lawful basis
“Regulators including the ICO have previously stated that, however, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing data with third parties”. “In certain cases, the processing of personal data that follows or depends on the setting of cookies is highly likely to require consent as its lawful basis.”
No matter where your website is hosted, it will be subject to both the Privacy and Electronic Communications Regulation (PECR) and the General Data Protection Regulation (GDPR) if you are based in the UK. Thus, organisations must ensure that they implement a compliant cookie consent banner on their websites.
Frequently Asked Questions (FAQs)
1) What does consent to cookies mean?
2) What is the Privacy and Electronic Communications Regulation (PECR)?
Under the Privacy and Electronic Communications Regulation (PECR), it is unlawful to transmit an automated recorded message for direct marketing purposes via a telephone, without the prior consent of the user.
3) When did PECR come into force?
The Privacy and Electronic Communications Regulation (PECR) came into effect in 2003 and has been subsequently amended to account for the changes that came into effect with the General Data Protection Regulation (GDPR) in 2018.